###########################
# Powered by C0d3r1iu
# Team:HIT-nslab
# mail:admin@recorday.cn
# CVE-2017-12838
###########################

===============================================
Information:

The server does not verify the origin of POST requests, for example by checking the HTTP Referer header. This can be confirmed with a tool such as Burp Suite: capture the request, delete the Referer header, and replay it. As a result, cross-site request forgery is possible.

Source: the code does not verify the origin of POST requests, so dangerous requests, such as adding an administrator account, can be forged.

Affected software: NexusPHP 1.5
Software Link: http://sourceforge.net/projects/nexusphp/

Free to modify and redistribute this program. Use at your own risk and you are responsible for what you are doing.

===============================================
Exploit:

The program allows users to send a score called "mana"; "mana" can raise your user level and let you do something special. So we can use cross-site request forgery to make users send mana to us. We can construct the form arbitrarily and use JavaScript to submit it automatically; when the user is logged in to the site (a persistent cookie keeps the user logged in) and opens our web page, the request is launched automatically.

payload for example:

When a user views this page, he will send 50 "mana" to my account. The whole website has this problem, so we can add administrator accounts if we want.
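
A server-side check that closes the gap described above, as an added example and not NexusPHP's own code: a state-changing POST is accepted only if its Origin or Referer names the site and it carries a per-session token. The function names, the `csrf_token` field and the host `tracker.example` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example (hypothetical names throughout), not code from NexusPHP.

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to embed in every form that changes state. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES) . '">';
}

/** True if Origin (or, failing that, Referer) names the trusted host. */
function same_origin_request(array $server, string $trustedHost): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // both headers stripped: do not trust the POST
    }
    $host = parse_url($source, PHP_URL_HOST); // null for "Origin: null"
    return is_string($host) && strcasecmp($host, $trustedHost) === 0;
}

/** Stop with 403 unless this is a same-origin POST carrying the session token. */
function require_csrf(array $server, array $post, string $trustedHost): void
{
    $sent = $post['csrf_token'] ?? '';
    $ok = ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && same_origin_request($server, $trustedHost)
        && is_string($sent)
        && hash_equals(csrf_token(), $sent); // constant-time comparison
    if (!$ok) {
        http_response_code(403);
        exit('Request rejected: failed CSRF validation');
    }
}

// Handler for a state-changing action such as a "mana" transfer.
// SameSite keeps the session cookie off cross-site POSTs (PHP 7.3+).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();
require_csrf($_SERVER, $_POST, 'tracker.example'); // constructed host name
// ... perform the transfer only after this point ...
```

The host comparison ignores scheme and port; a site served on several origins needs a stricter match.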