Reset any user account 2 and other unauthorized operations in the latest YiDacms version

Reset any user account 2 and other unauthorized operations in the latest YiDacms version

Reset any user account and other unauthorized operations in the latest YiDacms version

Yida CMS enterprise website construction system

The latest version is YidaCms X3.2 (20140718 ).



I have previously issued a password reset vulnerability, but I can only change it to a fixed password. It is troublesome to change it to any password, it is troublesome to use a 10-bit md5 plaintext password as the information password.

Here, we can directly enter any plaintext password to modify it.

Let's take a look at the source code:

File/Yidacms/user. asp

If request ("yidacms") = "password" Thenset rs = server. createobject ("adodb. recordset ") user_id1 = cint (request (" id ") SQL =" select * from shuaiweb_user WHERE id = "& user_id1 &" rs. open SQL, dbok, 1, 1if Request. form ("shuaiweb_userpass") = "" then response. write "<script language = javascript> alert ('the password cannot be blank! '); History. go (-1); </script> "response. endend ifif Request. form ("shuaiweb_userpass") <> Request. form ("shuaiweb_userpass2") then response. write "<script language = javascript> alert ('two passwords are different! '); History. go (-1); </script> "response. endend ifset rs = server. createobject ("adodb. recordset ") user_id2 = cint (request (" id ") SQL =" select * from shuaiweb_user WHERE id = "& user_id2 &" rs. open SQL, dbok, 1, 3rs ("shuaiweb_useremail") = filter_Str (trim (request. form ("shuaiweb_useremail") rs ("shuaiweb_userpass") = filter_Str (left (MD5 (trim (request. form ("shuaiweb_userpass"), 10) rs ("shuaiweb_username") = filter_Str (tri M (request. form ("shuaiweb_username") rs ("shuaiweb_usertel") = filter_Str (trim (request. form ("shuaiweb_usertel") rs ("shuaiweb_userqq") = filter_Str (trim (request. form ("shuaiweb_userqq") rs ("shuaiweb_usermsn") = filter_Str (trim (request. form ("shuaiweb_usermsn") rs ("shuaiweb_useraddress") = filter_Str (trim (request. form ("shuaiweb_useraddress") rs ("shuaiweb_userportrait") = filter_Str (trim (request. form ("shuaiwe B _userportrait ") rs (" shuaiweb_usernote ") = filter_Str (trim (request. form ("shuaiweb_usernote") rs ("shuaiweb_usernumber") = filter_Str (trim (request. form ("shuaiweb_usernumber") rs. updaters. closeset rs = nothingsession ("shuaiweb_useremail") = request. form ("shuaiweb_useremail") response. write "<script language = javascript> alert ('modification successful! '); Location. replace ('user _ pass. asp'); </script> "End If

Update the user information according to the obtained id.

The password for the information is obtained directly, and the old password is not judged. The password for the corresponding id and other information are directly modified.

In the same way, traverse the id to modify all user passwords.



Other unauthorized operations:

If request ("yidacms") = "buydel" Thenset rs = server. createobject ("adodb. recordset ") user_id3 = cint (request (" id ") SQL =" select * from shuaiweb_buy WHERE id = "& user_id3 &" rs. open SQL, dbok, 1, 1if rs ("shuaiweb_reading") = 1 thenresponse. write "<script language = javascript> alert ('shipping orders cannot be deleted! '); History. go (-1); </script> "response. end elseif (cint (request ("id") <> "") then id = cint (request ("id") set rs = server. createobject ("adodb. recordset ") user_id4 = cint (request (" id ") SQL =" DELETE * FROM shuaiweb_buy WHERE id = "& user_id4 &" rs. open SQL, dbok, 3, 2rs. updaters. closeset rs = nothingresponse. write "<script language = javascript> alert ('deleted successfully! '); Location. replace ('user _ buy. asp'); </script> "End Ifend if

This column also directly obtains the id and then deletes the order corresponding to the id

This results in unauthorized deletion of any user's order information.

First, let's take a look at the initial information of user id = 5. the login password is 222222.

 

Then log on to the attacker's account and modify the user information and password with id = 5:
 

The user name and password have been modified when the last login id = 5
 

Another order can also be changed. You only need to send a delete order request and modify the id to delete the order with this id.

Solution:

Modify and delete user information to determine user attributes