China Railway Express's wonderful way to reset any user password (admin user demonstration)

China Railway Express's wonderful way to reset any user password (admin user demonstration)

I just saw a leak of 12306 million users, so I visited the China Railway Express's website by the way. The design of multiple sites was unreasonable and the password retrieval function was not available.

Detailed description:

Http://www.95572.com/jsp/ywbl/zc.jsp

When registering a user, if you enter the user name first, check whether the user name exists after you move the mouse away. However, if you leave the user name with the last input, for example, enter an existing User Name admin, after you move the mouse away from the input box and click the submit button, although the user name existence check is performed, the form is still submitted. At this time, we will find that we have logged in with the admin user. At this time, the user's password is changed to the password we previously filled in, but all the information of the original user has not changed, that is to say, we have obtained the user information, such as name, ID card, and mobile phone number.

At this time, we can also use a modified user to log on to the website of China Railway Express connect mall. We can also see some user information on the website of the mall. If you see the user's courier information, you will not know the possibility of using it to cut the ticket.

Proof of vulnerability:

You can practice it on your own, but I found a problem. On the website login page, there is no way to retrieve the password. Poor admin user. If the admin user is tested, please remember to send a message to his mobile phone and tell him the new password.

In another case, on the user information page and the password modification page, we can see the Table Name of the database through the page source code,

<form name='form1' method='post' action='grzx_submit.jsp'   target="grsubmit"  onsubmit='return doValidate(form1)'>
                  <input name='_tablename' type='hidden' value='p_cremember'>
                  <input name="_action" type="hidden" value="update">
                  <input name="_pkfield" type="hidden" value="U_ID">
                  <input type="hidden" name="U_ID" value="admin" >....

This is part of the source code on the page. We can see that the table name is p_cremember and the table's primary key is U_ID. If the website has the SQL injection vulnerability, all user information may be displayed.

Solution:

At least modify the registered vulnerability. Check the vulnerability in the background.