China Railway Express's wonderful way to reset any user password (admin user demonstration)

Source: Internet
Author: User


I had just seen the leak of millions of 12306 users, so I also paid a visit to the China Railway Express website. Several of its sites are badly designed, and the password retrieval function is not available.

Detailed description:

Http://www.95572.com/jsp/ywbl/zc.jsp

On the registration page, when you enter a user name and then move the mouse away, the page checks whether that user name already exists. However, if the user name is the last field you fill in, for example the existing user name admin, then after you move the mouse away from the input box and click the submit button, the existence check runs but the form is still submitted. At that point you find that you are logged in as the admin user: the account's password has been changed to the one you filled in on the registration form, while all of the original user's other information is unchanged. In other words, the original user's information, such as name, ID card number, and mobile phone number, is now in the hands of whoever registered.

The account with the modified password can also be used to log in to the China Railway Express online mall, where more of the user's information can be seen. If a user's courier (shipment) information is visible there, it is not clear whether it could also be used to intercept shipments.
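The registration flaw described above comes down to one thing: the only check that the user name is free runs in the browser, and the server writes whatever password was submitted against that user name. The following Python/sqlite3 model is an added example, not code from the 95572.com site (which is JSP) or from this report. It assumes a server-side "register" handler that behaves like an insert-or-update on the user table; the table name p_cremember and key column U_ID come from the form shown later in the report, while the other column names, the toy password hashing and the seeded admin row are constructed for the example. The hardened version performs the existence check on the server and uses a plain INSERT, so the primary key rejects a duplicate even if two requests race.

```python
import hashlib
import hmac
import sqlite3

# Constructed in-memory schema standing in for the site's user table.
# p_cremember / U_ID are from the page; the remaining columns are assumptions.
SCHEMA = """
CREATE TABLE p_cremember (
    U_ID      TEXT PRIMARY KEY,
    pw_hash   TEXT NOT NULL,
    real_name TEXT,
    id_card   TEXT,
    mobile    TEXT
)
"""


def hash_pw(pw):
    # Toy hash so the example stays self-contained; a real site should use
    # a password hash such as bcrypt or argon2.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db():
    """Create the table and seed one existing account (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute(
        "INSERT INTO p_cremember VALUES (?,?,?,?,?)",
        ("admin", hash_pw("original-secret"), "Zhang San", "110101********1234", "138********"),
    )
    return db


def username_exists(db, uid):
    return db.execute("SELECT 1 FROM p_cremember WHERE U_ID=?", (uid,)).fetchone() is not None


def register_vulnerable(db, uid, password):
    # Assumed server behaviour behind the report: the server trusts the browser's
    # existence check and persists the submitted password with insert-or-update.
    # Submitting an existing U_ID therefore overwrites that account's password
    # while leaving name, ID card and mobile untouched, exactly as the report describes.
    if username_exists(db, uid):
        db.execute("UPDATE p_cremember SET pw_hash=? WHERE U_ID=?", (hash_pw(password), uid))
    else:
        db.execute("INSERT INTO p_cremember (U_ID, pw_hash) VALUES (?,?)", (uid, hash_pw(password)))
    return {"registered": True, "logged_in_as": uid}


def register_fixed(db, uid, password):
    # Hardened: check on the server, then INSERT only. The PRIMARY KEY makes a
    # duplicate fail with IntegrityError instead of silently updating the row.
    if username_exists(db, uid):
        return {"registered": False, "error": "username already taken"}
    try:
        db.execute("INSERT INTO p_cremember (U_ID, pw_hash) VALUES (?,?)", (uid, hash_pw(password)))
    except sqlite3.IntegrityError:
        return {"registered": False, "error": "username already taken"}
    return {"registered": True, "logged_in_as": uid}


def login(db, uid, password):
    row = db.execute("SELECT pw_hash FROM p_cremember WHERE U_ID=?", (uid,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], hash_pw(password))


def profile(db, uid):
    row = db.execute(
        "SELECT real_name, id_card, mobile FROM p_cremember WHERE U_ID=?", (uid,)
    ).fetchone()
    return dict(zip(("real_name", "id_card", "mobile"), row)) if row else None


if __name__ == "__main__":
    db = make_db()
    print(register_vulnerable(db, "admin", "chosen-at-registration"), profile(db, "admin"))
    db = make_db()
    print(register_fixed(db, "admin", "chosen-at-registration"), profile(db, "admin"))
```

The contrast to watch for in a code review is the UPDATE branch inside a registration handler: registration should never be able to reach an existing row, so the fixed version has no such path, and the uniqueness constraint is what guarantees it rather than the client-side check.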

Proof of vulnerability:

You can try it yourself, but I found a problem: the website's login page offers no way to retrieve a password. Poor admin user. If the admin user is tested, please remember to send a message to his mobile phone and tell him the new password.

In another case, on the user information page and the password modification page, the database table name can be seen in the page source:

<form name='form1' method='post' action='grzx_submit.jsp'   target="grsubmit"  onsubmit='return doValidate(form1)'>
<input name='_tablename' type='hidden' value='p_cremember'>
<input name="_action" type="hidden" value="update">
<input name="_pkfield" type="hidden" value="U_ID">
<input type="hidden" name="U_ID" value="admin" >....

This is part of the page's source code. From it we can see that the table name is p_cremember and the table's primary key is U_ID, and that these schema details are sent back to the server as hidden form fields. If the website also has an SQL injection vulnerability, all user information could be exposed.
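Whatever the real grzx_submit.jsp does with those hidden fields is not known from the report, so the added example below does not model it; instead it shows how a defender would write a profile-update handler for a form like the one above so that the hidden fields cannot matter. It is Python/sqlite3 written for this page, not the site's code. The table name p_cremember, key column U_ID and the `_tablename`/`_action`/`_pkfield` field names are from the form; the updatable columns and sample rows are constructed. The handler takes the identity from the server session rather than from the hidden U_ID field, takes table and column names only from a server-side allowlist, and passes values as bound parameters.

```python
import sqlite3

# Server-side allowlist for the profile form. Only these names ever reach SQL text.
PROFILE_TABLE = "p_cremember"      # from the form's _tablename field
PROFILE_PK = "U_ID"                # from the form's _pkfield field
PROFILE_COLUMNS = ("real_name", "mobile")   # assumed updatable columns

# Hidden fields the browser sends that the server must treat as untrusted noise.
SCHEMA_FIELDS = ("_tablename", "_action", "_pkfield", PROFILE_PK)


def seed_db():
    """Constructed in-memory table with two sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {PROFILE_TABLE} ({PROFILE_PK} TEXT PRIMARY KEY, real_name TEXT, mobile TEXT)")
    db.executemany(
        f"INSERT INTO {PROFILE_TABLE} VALUES (?,?,?)",
        [("admin", "Zhang San", "138****0001"), ("alice", "Li Si", "139****0002")],
    )
    return db


def update_profile(db, session_uid, form):
    """Hardened update handler.

    session_uid: the user identity established at login (server-side session).
    form:        the posted fields as a dict, including any hidden ones.
    """
    if session_uid is None:
        return {"ok": False, "error": "not logged in"}
    # Schema-describing hidden fields are ignored entirely; the server already
    # knows which table and key it updates, and whose row it is.
    ignored = sorted(k for k in form if k in SCHEMA_FIELDS)
    unknown = sorted(k for k in form if k not in SCHEMA_FIELDS and k not in PROFILE_COLUMNS)
    if unknown:
        return {"ok": False, "error": f"unknown fields: {unknown}"}
    updates = {k: form[k] for k in PROFILE_COLUMNS if k in form}
    if not updates:
        return {"ok": False, "error": "nothing to update"}
    # Column names come from PROFILE_COLUMNS, never from the request; values are bound.
    assignments = ", ".join(f"{col} = ?" for col in updates)
    sql = f"UPDATE {PROFILE_TABLE} SET {assignments} WHERE {PROFILE_PK} = ?"
    cur = db.execute(sql, (*updates.values(), session_uid))
    return {"ok": True, "rows": cur.rowcount, "ignored": ignored}


def get_profile(db, uid):
    row = db.execute(
        f"SELECT real_name, mobile FROM {PROFILE_TABLE} WHERE {PROFILE_PK} = ?", (uid,)
    ).fetchone()
    return dict(zip(("real_name", "mobile"), row)) if row else None


if __name__ == "__main__":
    db = seed_db()
    # A post that mirrors the page's hidden fields but names a different U_ID than the session.
    posted = {"_tablename": PROFILE_TABLE, "_action": "update", "_pkfield": PROFILE_PK,
              PROFILE_PK: "admin", "mobile": "139****0009"}
    print(update_profile(db, "alice", posted))
    print(get_profile(db, "alice"), get_profile(db, "admin"))
```

With this shape the hidden `_tablename`, `_pkfield` and `U_ID` inputs become dead weight that could be removed from the page altogether, which also stops the source from advertising the schema in the first place.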

Solution:

At a minimum, fix the registration vulnerability: the user name existence check must be performed on the server side (in the backend), not only in the browser.
