manager-system 2.0.1 has a CSRF

Source code name：manager-system
Source code version：2.0.1
Source code download link：https://github.com/ZeroWdd/manager-system/archive/refs/heads/master.zip

Code Audit:


<img width="1334" height="420" alt="Image" src="https://github.com/user-attachments/assets/68f8e175-c9bb-435e-9601-3f36ebc62d4b" />

```
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilterAfter(dynamicallyUrlInterceptor(), FilterSecurityInterceptor.class)
                .authorizeRequests()
                .antMatchers("/manager/login").permitAll()
                .antMatchers("/mystatic/**","/layuiadmin/**","/font-awesome-4.7.0/**").permitAll()
                .antMatchers("/**")
                .fullyAuthenticated()
                .and()
                .formLogin().loginPage("/manager/login").successHandler(loginSuccessHandler).failureHandler(loginFailureHandler)
                .and()
                .headers().frameOptions().disable() // 防止报Refused to display in a frame because it set 'X-Frame-Options' to 'DENY'错误
                .and()
                .csrf().disable();
    }
```



Vulnerability exploitation:
http://localhost:8080/manager/index
superadmin/123
Click to edit

Input：

```
当前密码: 123
新密码: admin123
确认新密码: admin123
```



Click to modify now

<img width="1920" height="1020" alt="Image" src="https://github.com/user-attachments/assets/1dcdbe25-becf-47ea-a71d-7a3027c35008" />

Corresponding data packet:

```
POST /manager/editPassword HTTP/1.1
Host: localhost:8080
Content-Length: 53
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua: "Not.A/Brand";v="99", "Chromium";v="136"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/manager/password
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=927B6116C0986E8F8132E7EB30578BE1
Connection: keep-alive

password=123&newpassword=admin123&repassword=admin123
```



generator poc

<img width="830" height="786" alt="Image" src="https://github.com/user-attachments/assets/e79ab4f9-c6ad-4d3b-8db2-bdedeb3bf9a1" />

attack

<img width="1919" height="958" alt="Image" src="https://github.com/user-attachments/assets/8319ca85-da8c-4297-ac3e-17db40ce6781" />

click submit request

<img width="1919" height="889" alt="Image" src="https://github.com/user-attachments/assets/3b1b3988-8fae-43c3-bf15-5465781c69fa" />

<img width="1919" height="1023" alt="Image" src="https://github.com/user-attachments/assets/41e9c00a-a6e6-4070-b1ae-c20a1cd0adeb" />

When I entered the account and password as "superadmin/123", I found that the login failed.The account password has been modified by the attacker.

<img width="632" height="484" alt="Image" src="https://github.com/user-attachments/assets/c562691f-15bb-4452-b7a6-e6bfa3e3fe9d" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

manager-system 2.0.1 has a CSRF #8

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

manager-system 2.0.1 has a CSRF #8

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions