Previous vulnerability: Discuz! CSRF attack defense in X2.5/X3/X3.1 can be bypassed: http://www.bkjia.com/Article/201405/300378.html
You replied that this setting was not required to be verified by the programmers... So this is probably a design problem on your side.
The delete-user page in the admin backend simply calls submitcheck('submit', 1). As explained in the previous report, with that argument the program does not check formhash, so the action can be used for CSRF.
Exploiting this does require the administrator to be logged in to the backend, but that is not much of an obstacle (for example, deliberately including keywords that trigger moderation so that the administrator fires the payload while reviewing the post; in fact no phishing message to the administrator is needed).
Make a post and insert the following Discuz! code:
[img]admin.php?frame=no&action=members&operation=clean&submit=1&uidarray=1&confirmed=yes[/img]
uidarray can be modified to delete several specified users at once.
The deleted administrator is forcibly logged out. On logging in again, the system prompts for UCenter activation (the user record in the Discuz! database has been deleted), and after activation the administrator has lost all management rights.
The above code can be slightly modified to delete and clear post data at the same time, which is too dangerous for me to try...
Solution:
Verify formhash on this action (do not let submitcheck skip the token check).
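The following is an added Python model of the problem and the fix, not Discuz! code: the function names, the request dict shape and the HMAC-based formhash derivation are assumptions chosen to mirror the submitcheck pattern described above. It shows why a GET-accepting check with no token comparison lets a cross-site <img> request succeed, and why requiring POST plus a constant-time formhash match stops it.

```python
import hmac
import hashlib

# Constructed site secret; in a real deployment this comes from server configuration.
SITE_KEY = b"constructed-site-secret"


def formhash(uid: int, session_secret: str) -> str:
    """Per-user, per-session CSRF token bound to the victim's login session (assumed derivation)."""
    msg = f"{uid}:{session_secret}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()[:16]


def submitcheck_vulnerable(request: dict, var: str, allowget: int = 0) -> bool:
    """Models the weak pattern: allowget=1 accepts a bare GET and never compares the token."""
    if not request["params"].get(var):
        return False
    if allowget:
        return True  # token check skipped entirely; any cross-site GET with the right params passes
    return (request["method"] == "POST"
            and request["params"].get("formhash") == formhash(request["uid"], request["session"]))


def submitcheck_hardened(request: dict, var: str) -> bool:
    """State-changing action: require POST and a constant-time formhash match, no GET bypass."""
    if not request["params"].get(var) or request["method"] != "POST":
        return False
    expected = formhash(request["uid"], request["session"])
    supplied = request["params"].get("formhash", "")
    return hmac.compare_digest(supplied, expected)


def demo() -> dict:
    # uid/session stand for the server-side session the victim's browser cookie resolves to.
    session = "constructed-session-abc"
    # A cross-site <img> tag yields a GET with attacker-chosen params but no formhash (constructed).
    forged = {"method": "GET", "uid": 1, "session": session,
              "params": {"submit": "1", "uidarray": "1", "confirmed": "yes"}}
    # A legitimate admin form post carries the token rendered into the page (constructed).
    legit = {"method": "POST", "uid": 1, "session": session,
             "params": {"submit": "1", "uidarray": "1", "confirmed": "yes",
                        "formhash": formhash(1, session)}}
    return {
        "forged_vulnerable": submitcheck_vulnerable(forged, "submit", allowget=1),
        "forged_hardened": submitcheck_hardened(forged, "submit"),
        "legit_hardened": submitcheck_hardened(legit, "submit"),
    }
```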