### Summary:

mcms手机建站之星: arbitrary user information (including the password) can be modified by any logged-in member; unfortunately the administrator account cannot be changed this way.

### Details:

File plugin/gov.user/index.php, line 188:

```php
function m__edit() {
    global $dbm;
    $params = array();
    // user_id comes straight from the POST body; only its format is checked
    if (!is_numeric($_POST['user_id'])) die('{"code":"210","msg":"会员UID必须是数字"}');
    // validate the member information
    if (empty($_POST['uname'])) die('{"code":"210","msg":"会员名不能为空"}');
    //if (empty($_POST['pro'])) die('{"code":"200","msg":"请选择所在的省份"}');
    //if (empty($_POST['city'])) die('{"code":"201","msg":"请选择所在的城市"}');
    //$rules = "/\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/";
    //if (trim($_POST['uemail']) != '' && !preg_match($rules, $_POST['uemail'])) die('{"code":"270","msg":"请正确填写邮箱格式!"}');
    $params['uname']  = $_POST['uname'];
    $params['uemail'] = isset($_POST['uemail']) && $_POST['uemail'] != '' ? $_POST['uemail'] : '';
    $params['uphone'] = isset($_POST['uphone']) && trim($_POST['uphone']) != '' ? trim($_POST['uphone']) : '';
    $params['uqq']    = isset($_POST['uqq']) && trim($_POST['uqq']) != '' ? trim($_POST['uqq']) : '';
    /*$params['motto'] = isset($_POST['motto']) && !empty($_POST['motto']) ? htmlspecialchars($_POST['motto']) : '';*/
    if (intval($_POST['user_id']) > 0) {
        // optional password change: length and confirmation are checked,
        // but neither the current password nor the caller's identity is
        if (isset($_POST['upass']) && $_POST['upass'] != '') {
            if (strlen($_POST['upass']) < 5 || strlen($_POST['upass']) > 20) {
                die('{"code":"280","msg":"密码不符合要求,必须5到20字符"}');
            }
            if ($_POST['upass'] != $_POST['re_pass']) die('{"code":"270","msg":"两次密码不一致"}');
            $params['upass'] = helper :: password_encrypt($_POST['upass']);
        }
        // the WHERE clause targets whichever user_id the client supplied
        $where = " user_id ='" . $_POST['user_id'] . "'";
        $res = $dbm -> single_update(TB_PREFIX . "user_list", $params, $where);
        if (empty($res['error'])) {
            die('{"code":"0","msg":"更新会员资料成功"}');
        }
        die('{"code":"280","msg":"更新会员资料失败,请核实后再添加"}');
    }
}
```

The m__edit function performs no authorization check, so it can modify any user's information. The target user_id is taken from the POST body: to change a given user's record, simply submit that user's user_id. The is_numeric() and intval() guards only constrain the format of user_id (which keeps quotes out of the concatenated WHERE clause); they do not tie the request to the logged-in member, so this is a missing access control, not an injection. Unfortunately, administrator accounts are not stored in the user table, so administrator information cannot be modified this way.

### Proof of Concept:

First I registered two users, as seen in the database:

![09.jpg](https://images.seebug.org/upload/201405/10184821300192fe62468cd213aa1928b33e16a7.jpg)

Logged in as 654321:

![08.jpg](https://images.seebug.org/upload/201405/101848468e2c61cd5f22654871efa036dfbd4d0e.jpg)

Submitted a request to plugins/gov.user/index.php?tpl=ucenter&m=edit, changing the information (username and password) of the user with user_id=1:

![10.jpg](https://images.seebug.org/upload/201405/10184937b826e4198e00137841a532991b12a3f5.jpg)

As shown above, the response reports that the update succeeded.

Back in the database, the record for user_id=1 has changed:

![11.jpg](https://images.seebug.org/upload/201405/10185016477ffd5d6eb67dcd11c25a2adc35d4d6.jpg)
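A hardened replacement for m__edit() is shown below as an added example; it is not code from the mcms project or from the original report. It assumes hypothetical names for session state that the plugin's login flow would have to populate ($_SESSION['user_id'] and $_SESSION['csrf_token']), and that $dbm->single_update(), helper::password_encrypt() and TB_PREFIX behave as in the original code. The fix is to take the member's identity from the server-side session and never from the request body, so the WHERE clause can only ever name the caller's own row.

```php
<?php
// Added example (not mcms project code): m__edit() bound to the logged-in member.
// Assumed (hypothetical) session keys: $_SESSION['user_id'], $_SESSION['csrf_token'].
// $dbm->single_update(), helper::password_encrypt() and TB_PREFIX are assumed to
// behave exactly as in the original plugin. Requires PHP >= 5.6 for hash_equals().

function json_die($code, $msg) {
    // Same {"code":..,"msg":..} envelope the plugin uses, then stop.
    die(json_encode(array('code' => (string)$code, 'msg' => $msg)));
}

function m__edit_hardened() {
    global $dbm;

    // 1. Identity comes from the session, never from the POST body.
    if (empty($_SESSION['user_id'])) json_die(401, 'login required');
    $user_id = (int)$_SESSION['user_id'];
    if ($user_id <= 0) json_die(401, 'login required');

    // 2. A client that names a different user_id is either a stale form or an
    //    attacker; fail closed instead of silently ignoring the field.
    if (isset($_POST['user_id']) && (int)$_POST['user_id'] !== $user_id) {
        json_die(403, 'cannot edit another member');
    }

    // 3. CSRF: a profile/password change must carry the per-session token.
    $token = isset($_POST['csrf_token']) ? (string)$_POST['csrf_token'] : '';
    if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
        json_die(403, 'invalid request token');
    }

    // 4. Field validation: the original's rules, with the e-mail check restored.
    $uname = isset($_POST['uname']) ? trim($_POST['uname']) : '';
    if ($uname === '') json_die(210, 'member name must not be empty');
    $params = array(
        'uname'  => $uname,
        'uemail' => isset($_POST['uemail']) ? trim($_POST['uemail']) : '',
        'uphone' => isset($_POST['uphone']) ? trim($_POST['uphone']) : '',
        'uqq'    => isset($_POST['uqq'])    ? trim($_POST['uqq'])    : '',
    );
    if ($params['uemail'] !== '' && filter_var($params['uemail'], FILTER_VALIDATE_EMAIL) === false) {
        json_die(270, 'invalid e-mail address');
    }

    // 5. Optional password change, same length and confirmation rules as before.
    if (isset($_POST['upass']) && $_POST['upass'] !== '') {
        $len = strlen($_POST['upass']);
        if ($len < 5 || $len > 20) json_die(280, 'password must be 5 to 20 characters');
        $re = isset($_POST['re_pass']) ? $_POST['re_pass'] : '';
        if ($_POST['upass'] !== $re) json_die(270, 'passwords do not match');
        $params['upass'] = helper::password_encrypt($_POST['upass']);
    }

    // 6. The WHERE clause is built from the integer we already trust, so a
    //    forged user_id can neither widen the update nor reach the SQL string.
    $where = " user_id = '" . $user_id . "'";
    $res = $dbm->single_update(TB_PREFIX . "user_list", $params, $where);
    if (empty($res['error'])) json_die(0, 'profile updated');
    json_die(280, 'profile update failed');
}
```

Two further controls belong in a real deployment but are left out here because the plugin's read API is not shown in the report: require the current password before accepting a new one, so a hijacked session cannot lock the owner out, and invalidate other sessions of the member after a password change. For administrator accounts the report notes that they live outside user_list, which is why this endpoint cannot reach them; any separate admin-edit handler needs the same session-bound check.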