MetInfo 4.0 Arbitrary User Password Change (Including Administrator) Vulnerability Analysis

Looking at the SQL statements that are executed

[Figure 1: screenshot]
Statements executed on user registration and on password update:

INSERT INTO met40_admin_table SET
                      admin_id           = 'user',
                      admin_pass         = '5cc32e366c**************5f57d64',
       admin_tel          = '',
       admin_email        = '[email protected]',
       admin_modify_ip    = '192.168.1.112',
       admin_register_date= '2020-11-17 14:03:44',
       usertype    = '1',
       companyname   = 'user',
       companyaddress     = '',
       companyfax      = '',
       companycode      = '',
       companywebsite     = '',
       lang               = 'cn',
       checkid            = '1'
---------------------------------------
update met40_admin_table SET
       admin_id           = 'user',
       admin_name         = '',
       admin_sex          = '1',
       admin_tel          = '',
       admin_modify_ip    = '192.168.1.112',
       admin_mobile       = '',
       admin_email        = '[email protected]',
       admin_qq           = '',
       admin_msn          = '',
       admin_taobao       = '',
       admin_introduction = '',
       admin_modify_date  = '2020-11-17 14:06:32',
       companyname   = 'user',
       companyaddress     = '',
       companyfax      = '',
       companycode      = '',
       companywebsite     = '', admin_pass         = '5cc32e366c**************5f57d64'  where admin_id='user'

PHP file


<?php
// member/save.php (excerpt): the "editor" branch that saves a member's profile.
if($action=="editor"){
    // Every column, admin_id included, is filled from request parameters; the
    // row to update is chosen by the request-supplied $useid, not by the session.
    $query = "update $met_admin_table SET
              admin_id           = '$useid',
              admin_name         = '$realname',
              admin_sex          = '$sex',
              admin_tel          = '$tel',
              admin_modify_ip    = '$m_user_ip',
              admin_mobile       = '$mobile',
              admin_email        = '$email',
              admin_qq           = '$qq',
              admin_msn          = '$msn',
              admin_taobao       = '$taobao',
              admin_introduction = '$admin_introduction',
              admin_modify_date  = '$m_now_date',
              companyname        = '$companyname',
              companyaddress     = '$companyaddress',
              companyfax         = '$companyfax',
              companycode        = '$companycode',
              companywebsite     = '$companywebsite'";

    // If a new password was submitted, it is md5-hashed and appended to the same UPDATE.
    if($pass1){
        $pass1=md5($pass1);
        $query .=", admin_pass         = '$pass1'";
    }
    // The WHERE clause also comes from $useid, so the password of any admin_id can be set.
    $query .="  where admin_id='$useid'";
    $db->query($query);
    okinfo('basic.php?lang='.$lang,$lang_js21);
}
?>

[Figure 2: screenshot]

When a user edits their basic profile information, capturing the request with Burp shows that changing the `$useid` parameter is enough to set another user's password. As the figure below shows, the administrator's password was changed this way.

[Figure 3: screenshot]
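The root cause above is that both the SET list and the WHERE clause of the UPDATE trust the request-supplied `$useid`. The following is an added example of a hardened rewrite of that "editor" branch; it is not MetInfo's code. It assumes the logged-in account's `admin_id` is available from the session (passed in as `$sessionAdminId`), that `$db` is a PDO connection, and that the current password is submitted in a hypothetical `oldpass` field; the table and column names are the ones from the page.

```php
<?php
// Added example, not MetInfo's code: a hardened version of the profile-save branch.
// Assumptions: $sessionAdminId comes from the server-side session, $db is PDO,
// and a password change must include the current password in $post['oldpass'].

function saveProfile(PDO $db, string $sessionAdminId, array $post): bool
{
    // Whitelist of columns a member may edit. admin_id is deliberately absent:
    // the row to update is chosen by the session, never by the request.
    $editable = [
        'admin_name', 'admin_sex', 'admin_tel', 'admin_mobile', 'admin_email',
        'admin_qq', 'admin_msn', 'admin_taobao', 'admin_introduction',
        'companyname', 'companyaddress', 'companyfax', 'companycode', 'companywebsite',
    ];

    $sets   = [];
    $params = [':admin_id' => $sessionAdminId];
    foreach ($editable as $col) {
        if (array_key_exists($col, $post)) {
            $sets[]          = "$col = :$col";
            $params[":$col"] = (string) $post[$col];
        }
    }
    // Server-derived audit fields; the client cannot influence them.
    $sets[]          = 'admin_modify_ip = :ip';
    $params[':ip']   = $_SERVER['REMOTE_ADDR'] ?? '';
    $sets[]          = 'admin_modify_date = :now';
    $params[':now']  = date('Y-m-d H:i:s');

    // Password change: re-verify the caller's current password against the row
    // identified by the session, then store a salted hash instead of a bare md5.
    if (!empty($post['pass1'])) {
        $check = $db->prepare('SELECT admin_pass FROM met40_admin_table WHERE admin_id = :admin_id');
        $check->execute([':admin_id' => $sessionAdminId]);
        $stored = $check->fetchColumn();
        if ($stored === false || !password_verify((string) ($post['oldpass'] ?? ''), $stored)) {
            return false; // wrong current password: nothing is updated
        }
        $sets[]          = 'admin_pass = :pass';
        $params[':pass'] = password_hash((string) $post['pass1'], PASSWORD_DEFAULT);
    }

    // Parameterized UPDATE whose WHERE clause is bound to the session identity.
    $sql  = 'UPDATE met40_admin_table SET ' . implode(', ', $sets) . ' WHERE admin_id = :admin_id';
    $stmt = $db->prepare($sql);
    return $stmt->execute($params);
}
```

Two points distinguish this from the original: the target row is always the session's own `admin_id`, so no request parameter can redirect the UPDATE to another account, and a password change requires proving knowledge of the current password. Because it stores `password_hash()` output, existing md5 hashes would have to be rehashed (for example at the next successful login); that migration is outside this example.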
