WordPress是一款免费的论坛Blog系统。 如果用户遗忘了口令并申请重置,首先要通过/wp-login.php?action=lostpassword表单提交邮件地址或用户名,然后Wordpress会发送类似于以下的确认邮件: " Someone has asked to reset the password for the following site and username. http://DOMAIN_NAME.TLD/wordpress Username: admin To reset your password visit the following address, otherwise just ignore this email and nothing will happen <a href="http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp &key=o7naCKN3OoeU2KJMMsag" target="_blank">http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp &key=o7naCKN3OoeU2KJMMsag " 用户点击链接后Wordpress会重置管理口令并通过另一封邮件发送新的凭据。 整个过程如下: wp-login.php: ...[snip].... 186行: function reset_password($key) { global $wpdb; $key = preg_replace('/[^a-z0-9]/i', '', $key); if ( empty( $key ) ) return new WP_Error('invalid_key', __('Invalid key')); $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key)); if ( empty( $user ) ) return new WP_Error('invalid_key', __('Invalid key')); ...[snip].......
WordPress是一款免费的论坛Blog系统。 如果用户遗忘了口令并申请重置,首先要通过/wp-login.php?action=lostpassword表单提交邮件地址或用户名,然后Wordpress会发送类似于以下的确认邮件: " Someone has asked to reset the password for the following site and username. http://DOMAIN_NAME.TLD/wordpress Username: admin To reset your password visit the following address, otherwise just ignore this email and nothing will happen <a href="http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp &key=o7naCKN3OoeU2KJMMsag" target="_blank">http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp &key=o7naCKN3OoeU2KJMMsag " 用户点击链接后Wordpress会重置管理口令并通过另一封邮件发送新的凭据。 整个过程如下: wp-login.php: ...[snip].... 186行: function reset_password($key) { global $wpdb; $key = preg_replace('/[^a-z0-9]/i', '', $key); if ( empty( $key ) ) return new WP_Error('invalid_key', __('Invalid key')); $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key)); if ( empty( $user ) ) return new WP_Error('invalid_key', __('Invalid key')); ...[snip].... 276行: $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login'; $errors = new WP_Error(); if ( isset($_GET['key']) ) $action = 'resetpass'; // validate action so as to default to the login screen if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) & & false === has_filter('login_form_' . $action) ) $action = 'login'; ...[snip].... 370行: break; case 'resetpass' : case 'rp' : $errors = reset_password($_GET['key']); if ( ! is_wp_error($errors) ) { wp_redirect('wp-login.php?checkemail=newpass'); exit(); } wp_redirect('wp-login.php?action=lostpassword &error=invalidkey'); exit(); break; ...[snip ]... 如果用户向$key变量提交了数组,就可以滥用口令重置功能绕过第一步,重置管理口令。
