In xxl-api v1.3.0 and earlier, the add, delete and modify interfaces accept GET requests, which exposes them to cross-site request forgery (CSRF). Only the add-user interface of the user management module is demonstrated below; the other interfaces can be reproduced by following the same steps.
Pull the latest code and deploy it locally.
Use Burp to proxy the add-user request from the user management module and change the request method to GET.

Use Burp to generate a CSRF PoC.

In the same browser (with the logged-in session), open the PoC link.

Check the user management module: a new user with the account name testcsrf has been added.

The interface is annotated with @RequestMapping without specifying a request method, so it matches every HTTP method and an attacker can invoke it with GET.
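As an added illustration, not code from xxl-api, the following Spring MVC controller shows the pattern the finding describes next to its mitigation: a state-changing handler mapped with a bare @RequestMapping answers GET, whereas restricting the mapping to POST returns 405 for a forged GET and lets Spring Security's CSRF token check (which only inspects non-safe methods) apply. The controller name, paths, parameters, in-memory store and Spring Security 6 configuration are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller written for this report; xxl-api's real handler differs.
@RestController
@RequestMapping("/user")
public class UserController {

    // Constructed in-memory stand-in for the user table.
    private final Map<String, String> users = new ConcurrentHashMap<>();

    // Vulnerable pattern: no 'method' attribute, so this also matches
    // GET /user/add?userName=testcsrf&password=... sent with the victim's session cookie.
    @RequestMapping("/add")
    public String addUserVulnerable(@RequestParam String userName, @RequestParam String password) {
        users.put(userName, password);
        return "ok";
    }

    // Mitigated pattern: POST only. A GET now fails with 405 Method Not Allowed, and because
    // Spring Security's CsrfFilter skips GET/HEAD/OPTIONS/TRACE, the token check is reached.
    @PostMapping("/add-fixed")
    public String addUserFixed(@RequestParam String userName, @RequestParam String password) {
        users.put(userName, password);
        return "ok";
    }

    // Assumed Spring Security 6 configuration: CSRF protection enabled with its defaults,
    // which demands a valid token on every non-safe request (POST/PUT/PATCH/DELETE).
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(Customizer.withDefaults());
        return http.build();
    }
}
```

Restricting the HTTP method alone stops the GET-based PoC shown above; the token check is what also blocks a forged POST form, so both parts belong together.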

https://github.com/xuxueli/xxl-api
xxl-api ≤ v1.3.0