MetInfo 4.0 arbitrary user password change (including administrator) vulnerability analysis
程序员文章站
2022-04-30 10:39:35
...
Looking at the executed SQL statements
Statements executed on user registration and on password update
INSERT INTO met40_admin_table SET
admin_id = 'user',
admin_pass = '5cc32e366c**************5f57d64',
admin_tel = '',
admin_email = 'aaa@qq.com',
admin_modify_ip = '192.168.1.112',
admin_register_date= '2020-11-17 14:03:44',
usertype = '1',
companyname = 'user',
companyaddress = '',
companyfax = '',
companycode = '',
companywebsite = '',
lang = 'cn',
checkid = '1'
---------------------------------------
update met40_admin_table SET
admin_id = 'user',
admin_name = '',
admin_sex = '1',
admin_tel = '',
admin_modify_ip = '192.168.1.112',
admin_mobile = '',
admin_email = 'aaa@qq.com',
admin_qq = '',
admin_msn = '',
admin_taobao = '',
admin_introduction = '',
admin_modify_date = '2020-11-17 14:06:32',
companyname = 'user',
companyaddress = '',
companyfax = '',
companycode = '',
companywebsite = '', admin_pass = '5cc32e366c**************5f57d64' where admin_id='user'
PHP file
<?php
// member/save.php
// $action, $useid, $pass1 and the other fields below come straight from the
// submitted form. Nothing in this branch checks that $useid is the id of the
// member who is actually logged in, and the values are interpolated into the
// query string unescaped.
if($action=="editor"){
$query = "update $met_admin_table SET
admin_id = '$useid',
admin_name = '$realname',
admin_sex = '$sex',
admin_tel = '$tel',
admin_modify_ip = '$m_user_ip',
admin_mobile = '$mobile',
admin_email = '$email',
admin_qq = '$qq',
admin_msn = '$msn',
admin_taobao = '$taobao',
admin_introduction = '$admin_introduction',
admin_modify_date = '$m_now_date',
companyname = '$companyname',
companyaddress = '$companyaddress',
companyfax = '$companyfax',
companycode = '$companycode',
companywebsite = '$companywebsite'";
if($pass1){
// A new password is only appended when pass1 is posted; it is stored as an
// unsalted MD5 and no current-password check is performed first.
$pass1=md5($pass1);
$query .=", admin_pass = '$pass1'";
}
// The WHERE clause selects the row to update by the request-supplied $useid,
// so the caller decides whose record (and password) gets overwritten.
$query .=" where admin_id='$useid'";
$db->query($query);
okinfo('basic.php?lang='.$lang,$lang_js21);
}
?>
When a user edits their basic information, capturing the request with Burp shows that after changing the useid parameter ($useid in the code) you can directly change another user's password; as shown in the figure below, the administrator's password was changed directly.
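For contrast, here is a hardened version of the same update, written as an added example and not taken from MetInfo: the target row is chosen from the server-side session rather than the request body, values are bound as parameters, and a password change requires the current password. The session array, the oldpass field and the in-memory SQLite table are assumptions made for the demo.

```php
<?php
// Added example (not MetInfo code): fixed profile/password update.
// Identity comes from the authenticated session; a forged useid in the POST
// body is ignored. Runs against a constructed in-memory SQLite table.
function update_member(PDO $db, array $session, array $post): int {
    if (empty($session['admin_id'])) {
        throw new RuntimeException('not logged in');
    }
    $sets = ['admin_name = :name', 'admin_email = :email', 'admin_modify_date = :now'];
    $params = [
        ':name'  => $post['realname'] ?? '',
        ':email' => $post['email'] ?? '',
        ':now'   => date('Y-m-d H:i:s'),
        ':id'    => $session['admin_id'],   // WHERE target: session user only
    ];
    if (!empty($post['pass1'])) {
        // Re-authenticate before touching the credential, then store a salted hash
        // instead of unsalted MD5.
        $stmt = $db->prepare('SELECT admin_pass FROM met40_admin_table WHERE admin_id = :id');
        $stmt->execute([':id' => $session['admin_id']]);
        $current = $stmt->fetchColumn();
        if ($current === false || !password_verify($post['oldpass'] ?? '', $current)) {
            throw new RuntimeException('current password check failed');
        }
        $sets[] = 'admin_pass = :pass';
        $params[':pass'] = password_hash($post['pass1'], PASSWORD_DEFAULT);
    }
    $sql = 'UPDATE met40_admin_table SET ' . implode(', ', $sets) . ' WHERE admin_id = :id';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed demo data: an admin and an ordinary member.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE met40_admin_table (admin_id TEXT PRIMARY KEY, admin_name TEXT, '
        . 'admin_email TEXT, admin_modify_date TEXT, admin_pass TEXT)');
$ins = $db->prepare('INSERT INTO met40_admin_table (admin_id, admin_pass) VALUES (?, ?)');
$ins->execute(['admin', password_hash('admin-secret', PASSWORD_DEFAULT)]);
$ins->execute(['user', password_hash('user-secret', PASSWORD_DEFAULT)]);

// "user" is logged in but submits admin's id in the body, as in the write-up above.
$rows = update_member($db, ['admin_id' => 'user'], [
    'useid' => 'admin', 'realname' => 'x', 'email' => 'aaa@qq.com',
    'oldpass' => 'user-secret', 'pass1' => 'new-user-secret',
]);
$adminHash = $db->query("SELECT admin_pass FROM met40_admin_table WHERE admin_id = 'admin'")->fetchColumn();
echo $rows, " row updated; admin password unchanged: ",
     var_export(password_verify('admin-secret', $adminHash), true), "\n";
```

Only the row for "user" is touched; the forged useid never reaches the WHERE clause, so the admin hash still verifies against its original password.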