A flaw in Sohu Weibo's defenses lets a worm break out

Source: Internet
Author: User
Tags: subdomain name

1. A worm needs somewhere to post, so first look at the interfaces used to share content to Sohu Weibo.

2. Click [Share], capture the packet, and look at the request:

    POST http://t.sohu.com/third/insertTwitter HTTP/1.1
    Host: t.sohu.com
    Proxy-Connection: keep-alive
    Content-Length: 360
    Origin: http://t.sohu.com
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.13 (KHTML, like Gecko) Chrome/24.0.1284.2 Safari/537.13
    Content-Type: application/x-www-form-urlencoded
    Accept: application/json, text/javascript, */*; q=0.01
    Referer: http://t.sohu.com/third/post.jsp?link=http%3A%2F%2Fyule.sohu.com%2F20130117%2Fn363726424.shtml&title=%E4%B8%93%E8%AE%BF%E5%91%A8%E6%98%9F%E9%A9%B0%EF%BC%9A%E5%A6%82%E6%9E%9C%E8%A7%82%E4%BC%97%E6%8E%A5%E5%8F%97%20%E6%88%91%E5%B0%B1%E7%BB%A7%E7%BB%AD%E5%90%83%E8%80%81%E6%9C%AC-%E6%90%9C%E7%8B%90%E5%A8%B1%E4%B9%90
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: zh-CN,zh;q=0.8
    Accept-Charset: GBK,UTF-8;q=0.7,*;q=0.3
    Cookie: omitted

    act=insertOrigin&msg=%u56FD%u5BB6%u6709%u4EFB%u52A1%u7ED9%u4F60%u4E86%uFF01&type=2115&url=http%3A%2F%response%2FnWfah&app_key=cmsnew&title=%D7%A8%B7%C3%D6%DC%D0%C7%B3%DB%A3%BA%C8%E7%B9%FB%B9%DB%D6%DA%BD%D3%CA%DC+%CE%D2%BE%CD%BC%CC%D0%F8%B3%D4%C0%CF%B1%BE-%CB%D1%BA%FC%D3%E9%C0%D6&media=%CB%D1%BA%FC%D3%E9%C0%D6&mediaurl=http%3A%2F%2Fyule.sohu.com%2F&summary=

3. The meaning of each POST parameter above can be read from its name. msg is the text of the post made when the item is shared to Weibo; url is the link being shared; title is the title of the shared post; media is the media outlet the post is sent from; and mediaurl, naturally, is that outlet's link.

4. A Referer check is in fact performed here: the Referer must be sohu.com or empty, and other domains are rejected. That would mean I could only play with it on a single local machine! Haha, but after a quick test I found that the Referer regular expression is wrong: it only checks whether the domain name contains sohu.com, rather than verifying that the root domain is sohu.com. So we can set up a subdomain such as t.sohu.com.test.av as the carrier server for worm propagation and bypass the check.

Proof of vulnerability:

5. I built the following POC link: http://t.sohu.com.xssed.me/csrf/sohu.html

Paste the POC code here:

Solution:

1. Since the Referer domain can be changed to t.163.com.test.av, could it also be changed to test.av/csrf.php?163.com? We will consider this small detail later.

2. For defense, we strongly recommend changing key requests to POST, and better still, adding tokens to key requests.
