This repository was archived by the owner on Jan 12, 2021. It is now read-only.

There are four CSRF vulnerabilities that can delete users, etc. #42

Open

@crazywa1ker

Vulnerable file: https://github.com/creditease-sec/insight/blob/open-source/srcpm/app/admin/views.py

1. line 61

```python
@admin.route('/login_user_delete/<id>')
@permission_required('admin.login_user_delete')
def login_user_delete(id):
	lg_user_del = LoginUser.query.get_or_404(id)
	db.session.delete(lg_user_del)
	flash(u'删除用户 %s 成功' %lg_user_del.username)
	return redirect(url_for('admin.login_user_read'))
```

2. line 154

```python
@admin.route('/role_perm_delete/<role_name>')
@permission_required('admin.role_perm_delete')
def role_perm_delete(role_name):
	role_perm_del = Permission.query.filter_by(role_name=role_name)
	# delete permissions
	for r_p_d in role_perm_del:
		db.session.delete(r_p_d)
	flash(u'删除权限成功')
	# delete role
	role = Role.query.filter_by(role_name=role_name).first()
	db.session.delete(role)
	flash(u'删除权限 %s 成功' %role_name)
	return redirect(url_for('admin.role_read'))
```

3. line 221

```python
@admin.route('/depart_delete/<id>')
@permission_required('admin.depart_delete')
def depart_delete(id):
	depart_del = Depart.query.get_or_404(id)
	db.session.delete(depart_del)
	flash(u'删除部门成功')
	return redirect(url_for('admin.depart_read'))
```

4. line 293

```python
@admin.route('/user_delete/<id>')
@permission_required('admin.user_delete')
def user_delete(id):
	user_del = User.query.get_or_404(id)
	db.session.delete(user_del)
	flash(u'删除人员成功')
	return redirect(url_for('admin.user_read'))
```

PoC:

1. Post a drop or comment containing this:

```
![](http://127.0.0.1:9000/srcpm/admin/login_user_delete/[user id])
```

2. Wait for the admin to log in and view the post. After the admin's browser requests the img, one user will be deleted.
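The hardened shape these four handlers need, as an added example that is not the project's code: a delete must only be reachable via POST and must carry a CSRF token bound to the logged-in session (in Flask this is `methods=['POST']` on the route plus a token check such as Flask-WTF's `CSRFProtect`). The check below is framework-independent; `SESSION_SECRET`, `ADMIN_SESSION_ID` and the function names are constructed for the demo.

```python
import hashlib
import hmac

# Constructed values for the demo; a real app takes these from its session store.
SESSION_SECRET = b"constructed-demo-secret-do-not-reuse"
ADMIN_SESSION_ID = "constructed-admin-session"


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive a CSRF token bound to one session (HMAC-SHA256 of the session id).
    The app embeds it in its own delete forms; a third-party page cannot read it,
    so a request it triggers in the admin's browser never carries it."""
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_delete_request(method: str, session_id: str, submitted_token, session_secret: bytes):
    """Checks a CSRF-protected delete handler makes before touching the DB.
    Returns (http_status, reason)."""
    # 1. A GET must never change state: the <img src=...> in the PoC is a GET.
    if method != "POST":
        return 405, "state-changing action only accepts POST"
    # 2. A cross-site POST (auto-submitted form) carries the cookie but no token.
    if not submitted_token:
        return 403, "missing CSRF token"
    # 3. Constant-time compare against the token derived for this session.
    expected = issue_csrf_token(session_secret, session_id)
    if not hmac.compare_digest(expected, submitted_token):
        return 403, "CSRF token mismatch"
    return 200, "ok"


def demo():
    """Replay the request shapes from the issue against the hardened check."""
    good = issue_csrf_token(SESSION_SECRET, ADMIN_SESSION_ID)
    return {
        # the issue's PoC: admin's browser loads an <img>, sends a GET with the cookie
        "img_poc": check_delete_request("GET", ADMIN_SESSION_ID, None, SESSION_SECRET),
        # a hostile page auto-submitting a POST form: cookie present, token absent
        "forged_post": check_delete_request("POST", ADMIN_SESSION_ID, None, SESSION_SECRET),
        # a token minted for a different session does not validate
        "wrong_token": check_delete_request(
            "POST", ADMIN_SESSION_ID, issue_csrf_token(SESSION_SECRET, "other"), SESSION_SECRET),
        # the admin's own form, rendered with the session-bound token
        "legit": check_delete_request("POST", ADMIN_SESSION_ID, good, SESSION_SECRET),
    }


if __name__ == "__main__":
    for name, (status, reason) in demo().items():
        print(f"{name}: {status} {reason}")
```

Only the last case reaches `db.session.delete`; the PoC's image request is refused at step 1 before any permission decorator even matters.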
