1. Wherever a microblog can be posted, a worm is possible. Let's look at the interface used to share content to Sohu Weibo.

2. Click [Share], capture the packet, and look at the request:

POST http://t.sohu.com/third/insertTwitter HTTP/1.1
Host: t.sohu.com
Proxy-Connection: keep-alive
Content-Length: 360
Origin: http://t.sohu.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.13 (KHTML, like Gecko) Chrome/24.0.1284.2 Safari/537.13
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://t.sohu.com/third/post.jsp?link=http%3A%2F%2Fyule.sohu.com%2F20130117%2Fn363726424.shtml&title=%E4%B8%93%E8%AE%BF%E5%91%A8%E6%98%9F%E9%A9%B0%EF%BC%9A%E5%A6%82%E6%9E%9C%E8%A7%82%E4%BC%97%E6%8E%A5%E5%8F%97%20%E6%88%91%E5%B0%B1%E7%BB%A7%E7%BB%AD%E5%90%83%E8%80%81%E6%9C%AC-%E6%90%9C%E7%8B%90%E5%A8%B1%E4%B9%90
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN, zh; q=0.8
Accept-Charset: GBK, UTF-8; q=0.7, *; q=0.3
Cookie: omitted

act=insertOrigin&msg=%u56FD%u5BB6%u6709%u4EFB%u52A1%u7ED9%u4F60%u4E86%uFF01&type=2115&url=http%3A%2F%response%2FnWfah&app_key=cmsnew&title=%D7%A8%B7%C3%D6%DC%D0%C7%B3%DB%A3%BA%C8%E7%B9%FB%B9%DB%D6%DA%BD%D3%CA%DC+%CE%D2%BE%CD%BC%CC%D0%F8%B3%D4%C0%CF%B1%BE-%CB%D1%BA%FC%D3%E9%C0%D6&media=%CB%D1%BA%FC%D3%E9%C0%D6&mediaurl=http%3A%2F%2Fyule.sohu.com%2F&summary=

3. The meaning of each POST parameter can be read off its name. msg is the text of the message posted when the microblog is forwarded (the %uXXXX-encoded value above decodes to 国家有任务给你了！, "The state has a task for you!"); url is the link being forwarded; title is the title of the forwarded microblog (GBK-encoded here); media is the media outlet the microblog is posted from; and mediaurl, of course, is the link to that media outlet.

4. There is in fact a Referer check on this endpoint: the Referer must be sohu.com or empty, and any other domain is rejected. At first glance that means I can only play with this on a single local machine. Haha, but after a quick test I found that the Referer regular expression is wrong: it only checks whether the Referer contains the string sohu.com, not whether the registrable domain is sohu.com. So we can set up a subdomain such as t.sohu.com.test.av, use it as the carrier server for worm propagation, and bypass the check. Since the browser attaches the victim's Sohu cookie to the cross-site POST, any page on such a host can post a microblog in the victim's name, and every victim who visits it spreads it further.

Proof of vulnerability:

5. I built the following POC link: http://t.sohu.com.xssed.me/csrf/sohu.html

Paste the POC code here:
Solution:
1. Since the Referer host can be changed to t.sohu.com.test.av, can the check also be satisfied with sohu.com placed somewhere other than the host, e.g. test.av/csrf.php?sohu.com? We will look at this small detail later.

2. On the defensive side: limiting key requests to POST is not enough on its own (this request already is a POST and can still be fired from another origin). Fix the Referer check so that it matches the registrable domain rather than a substring, and better still add a per-session token to key requests.