White-box audit: SeaCMS password recovery allows arbitrary user substitution

Affected version: v7.2

Vulnerability reproduction:

Register a user and use the password recovery feature. After the verification succeeds, the response contains a reset-password link.

Reset-password link:

Notice that the link carries a verification code (repswcode). However, this CMS has a flaw: the initial verification code defaults to y. So we set the verification code to y and the username to yhy2, and the password change succeeds.

http://localhost/member.php?mod=repsw3&repswcode=y&repswname=yhy2

Looking at the code, the password recovery source does not change the password based on the username alone; there is a verification mechanism, but that mechanism is flawed.

/upload/member.php

if($mod=='repsw3'){
	require_once('data/admin/smtp.php');
	if($smtppsw=='off'){showMsg("抱歉,系统已关闭密码找回功能!","index.php",0,100000);exit();}
	
	$repswname=$_GET['repswname'];
	$repswcode=$_GET['repswcode'];// the verification code, compared against the stored value below
	
	if(empty($repswname) OR $repswname==""){showMsg("授权码错误或已过期!","index.php",0,100000);exit();}
	if(empty($repswcode) OR $repswcode==""){showMsg("授权码错误或已过期!","index.php",0,100000);exit();}
	
	$row=$dsql->GetOne("select * from sea_member where username='$repswname'");
	$repswcode2=$row['repswcode'];

	if($repswcode != $repswcode2){showMsg("授权码错误或已过期!","index.php",0,100000);exit();}
	echo <<<EOT
	        
<body>
	<div class="hy-head-menu">
		<div class="container">
		    <div class="row">
			  	<div class="item">
				    <div class="logo hidden-xs">
						<a class="hidden-sm hidden-xs" href="index.php"><img src="pic/member/logo.png" /></a>
			  			<a class="visible-sm visible-xs" href="index.php"><img src="pic/member/logo_min.png" /></a>											  
					</div>						
					<div class="search hidden-xs"> 
				        <form name="formsearch" id="formsearch" action='search.php' method="post" autocomplete="off">																			
							<input class="form-control" placeholder="输入影片关键词..." name="searchword" type="text" id="keyword" required="">
							<input type="submit" id="searchbutton" value="" class="hide">
							<a href="javascript:" class="btns" title="搜索" onClick="$('#formsearch').submit();"><i class="icon iconfont icon-search"></i></a>
						</form>
				    </div>			   
													 
			  	</div>							
		    </div>
		</div>
	</div>
	<div class="container">
	    <div class="row">
	    	<div class="hy-member-user hy-layout clearfix">
    			<div class="item">
    				
    				<dl class="margin-0 clearfix">
    					<dt><span class="user"></span></dt>
    					<dd>
    						<span class="name">正在找回您的密码<span>
    						<span class="group">通过电子邮箱找回您的密码<span>
    					</dd>
    			   </dl>   				
    			</div>
	    	</div>	    	
		    <div class="hy-member hy-layout clearfix">
		    	
				
				<form action="?mod=repsw4" method="post"><li class="cckkey"><strong>会员账号:{$repswname}</strong><br><br>新密码:<br></span><input type="password" name="repswnew1" class="form-control" id="repswnew1" value="" style="width:250px;"><br>确认新密码:<br></span><input type="password" name="repswnew2" class="form-control" id="repswnew2" value="" style="width:250px;"> <br><input type="hidden" name="repswname" id="repswname" value="{$repswname}"><input type="hidden" name="repswcode" id="repswcode" value="{$repswcode}"><input type="submit" name="cckb" id="cckb" value="提交" class="btn btn-warning"></li></form>
		    	               
		    </div>

	    </div>
	</div>
	<div class="tabbar visible-xs">
<a href="/" class="item">返回首页</a>	
	</div>
	<div class="container">
		<div class="row">
			<div class="hy-footer clearfix">
				
				<p class="text-muted">Copyright ©{$year} {$_SERVER['HTTP_HOST']}</p>
			</div>
		</div>
	</div>	
</body>
EOT;
	exit();
}


And from the SQL statement in the registration code, it is clear that the verification code is set to y when the user is initialized.

/upload/reg.php

$dsql->ExecuteNoneQuery("INSERT INTO `sea_member`(id,username,password,email,regtime,regip,state,gid,points,logincount,stime,vipendtime,acode,repswcode,msgstate)
                  VALUES ('','$username','$pwd','$email','$dtime','$ip','1','2','$regpoints','1','1533686888','$dtime','$acode','y','y')");
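As an added example (not part of the original post and not SeaCMS code), the following PHP shows how the repsw3 flow can be hardened so that a fixed default like y can never pass: the reset code is random per request, stored only as a hash with an expiry, compared strictly in constant time, consumed on use, and left NULL at registration. The PDO connection, the repswexpire column and the in-memory SQLite table are assumptions made for the demo.

```php
<?php
// Added example, not SeaCMS code. Assumes PDO and a sea_member table with the
// columns repswcode (token hash) and repswexpire (unix time); the demo below
// uses a constructed in-memory SQLite table.

// Registration: no default code. NULL means "no password reset in progress".
function registerMember(PDO $pdo, string $username, string $pwdHash, string $email): void {
    $st = $pdo->prepare("INSERT INTO sea_member (username, password, email, repswcode, repswexpire)
                         VALUES (?, ?, ?, NULL, NULL)");
    $st->execute([$username, $pwdHash, $email]);
}

// Link-generation step: issue a one-time token. Only its SHA-256 is stored;
// the raw value is what goes into the mailed link.
function issueResetToken(PDO $pdo, string $username, int $ttl = 1800): string {
    $token = bin2hex(random_bytes(32));
    $st = $pdo->prepare("UPDATE sea_member SET repswcode = ?, repswexpire = ? WHERE username = ?");
    $st->execute([hash('sha256', $token), time() + $ttl, $username]);
    return $token;
}

// repsw3 step: accept only a non-empty, unexpired token whose hash matches this user's row.
function verifyResetToken(PDO $pdo, string $username, string $token): bool {
    if ($username === '' || $token === '') { return false; }
    $st = $pdo->prepare("SELECT repswcode, repswexpire FROM sea_member WHERE username = ?");
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['repswcode'] === null || time() > (int)$row['repswexpire']) { return false; }
    // hash_equals is a strict, constant-time string comparison (no loose != as in the original).
    return hash_equals($row['repswcode'], hash('sha256', $token));
}

// repsw4 step: change the password and clear the token so the link cannot be replayed.
function resetPassword(PDO $pdo, string $username, string $token, string $newPassword): bool {
    if (!verifyResetToken($pdo, $username, $token)) { return false; }
    $st = $pdo->prepare("UPDATE sea_member SET password = ?, repswcode = NULL, repswexpire = NULL
                         WHERE username = ?");
    return $st->execute([password_hash($newPassword, PASSWORD_DEFAULT), $username]);
}

// Demo against a constructed in-memory table.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE sea_member (username TEXT PRIMARY KEY, password TEXT, email TEXT,
            repswcode TEXT, repswexpire INTEGER)");
registerMember($pdo, 'yhy2', password_hash('old-password', PASSWORD_DEFAULT), 'yhy2@example.invalid');
var_dump(verifyResetToken($pdo, 'yhy2', 'y'));                 // a fixed 'y' no longer verifies
$token = issueResetToken($pdo, 'yhy2');
var_dump(resetPassword($pdo, 'yhy2', $token, 'new-password')); // genuine token works once
var_dump(verifyResetToken($pdo, 'yhy2', $token));              // token is consumed afterwards
```

Because the token is tied to the row it was issued for, swapping repswname in the link to another user fails the hash comparison instead of reaching the password form.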

