zrlog
CSRF in backstage management
This version of the zrlog backstage (admin) management has a CSRF vulnerability. An attacker can induce a logged-in user to visit a CSRF attack page and then use that user's credentials to perform malicious operations such as adding, deleting, modifying and querying data.
1. Log in to the backstage as the admin;
2. Create a new blog:
3. Delete the new blog and use Burp Suite to capture the request
4. Construct the CSRF payload with Burp Suite
5. Drop the captured request and refresh the page to confirm the new blog still exists:
6. Use the CSRF payload generated by Burp Suite to construct the CSRF HTML page
7. Simulate the blogger visiting the CSRF attack page and clicking the button
8. The displayed result shows the deletion succeeded
9. Refresh the page: the new blog has been deleted, so the CSRF attack succeeded
Suggestion: protect the whole site with a CSRF token, so that every state-changing backstage request must carry a token the attacker's page cannot obtain.
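The suggested fix, shown as an added synchronizer-token example that is not zrlog's own code (zrlog is a Java project; the pattern is language-independent, and the session dict, form dict and `delete_article` handler below are hypothetical stand-ins for the backstage delete endpoint):

```python
import hmac
import secrets

# Synchronizer-token pattern: one random token per login session, embedded in
# every admin form (or sent in a request header) and checked on every
# state-changing request. A forged cross-site request carries the victim's
# session cookie but cannot read the token, so the check rejects it.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) the CSRF token bound to this login session."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(session: dict, method: str, form: dict, headers: dict) -> bool:
    """Return True if a request may proceed; False if the token is absent or wrong."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    if not expected:
        return False
    submitted = form.get("csrf_token") or headers.get("X-CSRF-Token") or ""
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def delete_article(session: dict, method: str, form: dict, headers: dict):
    """Hypothetical backstage delete handler: returns (status, message)."""
    if not csrf_check(session, method, form, headers):
        return 403, "CSRF token missing or invalid"
    return 200, f"article {form.get('id')} deleted"


def demo():
    admin_session = {"user": "admin"}           # constructed sample session
    token = issue_csrf_token(admin_session)
    # Legitimate request from the admin UI: session cookie plus the token.
    ok = delete_article(admin_session, "POST", {"id": "7", "csrf_token": token}, {})
    # Forged request from an attacker's page: cookie is sent automatically,
    # but the token is unknown to the attacker, so it is missing.
    forged = delete_article(admin_session, "POST", {"id": "7"}, {})
    return ok, forged
```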