### 简要描述: EasyTalk 提升用户为管理员漏洞 ### 详细说明: 在用户基本信息修改处,存在设计缺陷,导致EasyTalk提升自己为管理员,而且还能无限增加自己的粉丝等啊! 来看看漏洞所在文件: /Home/Lib/Action/SettingAction.class.php ``` //保存设置 public function doset() { $user=M('Users'); $data=array(); $userdata=$_POST['user']; $userdata['nickname']= daddslashes(clean_html(trim($userdata["nickname"]))); $userdata['provinceid']=intval($userdata['provinceid']); $userdata['cityid']=intval($userdata['cityid']); $userdata['user_info']= daddslashes(trim(htmlspecialchars($userdata['user_info']))); if(!preg_match('/^[0-9a-zA-Z\xe0-\xef\x80-\xbf_-]+$/i',$userdata['nickname'])) { echo json_encode(array('res'=>'error','tips'=>L('setting2'))); exit; } if (!$userdata['nickname'] || !$userdata['provinceid'] || !$userdata['cityid']) { echo json_encode(array('res'=>'error','tips'=>L('setting1'))); exit; } if ($userdata['qq'] && !is_numeric($userdata['qq'])) { echo json_encode(array('res'=>'error','tips'=>L('qqiserror'))); exit; } if ($userdata['msn'] &&...
### 简要描述: EasyTalk 提升用户为管理员漏洞 ### 详细说明: 在用户基本信息修改处,存在设计缺陷,导致EasyTalk提升自己为管理员,而且还能无限增加自己的粉丝等啊! 来看看漏洞所在文件: /Home/Lib/Action/SettingAction.class.php ``` //保存设置 public function doset() { $user=M('Users'); $data=array(); $userdata=$_POST['user']; $userdata['nickname']= daddslashes(clean_html(trim($userdata["nickname"]))); $userdata['provinceid']=intval($userdata['provinceid']); $userdata['cityid']=intval($userdata['cityid']); $userdata['user_info']= daddslashes(trim(htmlspecialchars($userdata['user_info']))); if(!preg_match('/^[0-9a-zA-Z\xe0-\xef\x80-\xbf_-]+$/i',$userdata['nickname'])) { echo json_encode(array('res'=>'error','tips'=>L('setting2'))); exit; } if (!$userdata['nickname'] || !$userdata['provinceid'] || !$userdata['cityid']) { echo json_encode(array('res'=>'error','tips'=>L('setting1'))); exit; } if ($userdata['qq'] && !is_numeric($userdata['qq'])) { echo json_encode(array('res'=>'error','tips'=>L('qqiserror'))); exit; } if ($userdata['msn'] && count(explode('@',$userdata['msn']))==1) { echo json_encode(array('res'=>'error','tips'=>L('msniserror'))); exit; } //昵称检测 if ($userdata['nickname'] && $userdata['nickname']!=$this->my['nickname']) { if (StrLenW($userdata['nickname'])<=12 && StrLenW($userdata['nickname'])>=3) { $newnickname=$user->where("nickname='$userdata[nickname]'")->find(); if ($newnickname) { echo json_encode(array('res'=>'error','tips'=>L('setting4'))); exit; } else { M('Atusers')->where("atuname='".$this->my['user_name']."'")->setField('atnickname',$userdata['nickname']); } } else { echo json_encode(array('res'=>'error','tips'=>L('setting2'))); exit; } } $user->where("user_id='".$this->my['user_id']."'")->data($userdata)->save(); $this->finishprofile(); echo json_encode(array('res'=>'success','tips'=>L('setting3'))); } ``` 这里只是通过循环接收数字中的数据的,没有进行限制,所以我们可以任意添加字段及内容。 ### 漏洞证明: 来看看新注册的用户的信息: [<img src="https://images.seebug.org/upload/201402/18110238080a61277054e2374c6f173dcd1410f2.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/18110238080a61277054e2374c6f173dcd1410f2.png) 我们来设置新注册用户222222的基本信息,我们添加了两个字段isadmin和followme_num。 构造如下: [<img src="https://images.seebug.org/upload/201402/18110638846df48d2d60d5706bfa0560c0b3b03d.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/18110638846df48d2d60d5706bfa0560c0b3b03d.png) 返回success,说明修改成功啦。 来看看用户222222的信息: [<img src="https://images.seebug.org/upload/201402/181108168d9a98c24e89779f738826926f8bb0ca.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/181108168d9a98c24e89779f738826926f8bb0ca.png) 此时新注册用户222222已经是管理员了,粉丝数已经被修改了。 [<img src="https://images.seebug.org/upload/201402/181110486338d784f1c1ee0612b7f499ee0922b6.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201402/181110486338d784f1c1ee0612b7f499ee0922b6.png)
