CVE-2022-29647: MCMS CSRF
An issue was discovered in MCMS 5.2.7. There is a CSRF vulnerability that can add an administrator account via ms/basic/manager/save.do.
**Product official website:**
https://ms.mingsoft.net/
**Product download address:**
https://gitee.com/mingSoft/MCMS
https://github.com/ming-soft/MCMS
**Vulnerability Description:**
The "add administrator user" function in the MCMS back end (ms/basic/manager/save.do) is vulnerable to CSRF. The request that creates a user carries no anti-CSRF token and the server does not verify the Origin or Referer header, so an attacker can build a page that submits the request and phish a logged-in administrator into opening it. When the administrator visits the attacker's page, the browser attaches the administrator's session cookie, the payload fires, and a new administrator account is silently created; the attacker then logs in with it and holds full back-end administrator privileges.
**Vulnerability reproduction:**
Environment setup: follow the documentation in https://gitee.com/mingSoft/MCMS. Once the environment is running, open the back end. With a local install the back-end login page is http://localhost:8080/ms/login.do. Log in with the default credentials msopen / msopen.
After logging in, find the page for adding an administrator user, as shown in the screenshot below:
Fill in all the fields required to add an administrator, click Save, and capture the request in Burp:
Use Burp's CSRF PoC generator on that request, copy the generated HTML and save it locally.
Save the HTML Burp generated as test.html.
Open the saved HTML page in the same browser that is still logged in to the back end.
Click the Submit request button on that page and check the response: the administrator account is added. (In a real attack the form would be submitted automatically by JavaScript on page load, so the victim would not need to click anything.)
OK!