乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-12-22: 积极联系厂商并且等待厂商认领中,细节不对外公开 2015-03-22: 厂商已经主动忽略漏洞,细节向公众公开
找回密码设计缺陷,导致可重置任意用户密码。
file:member/include/member.class.php
function getpwd($username,$email) { global $DAYU,$memlang; if(!$username || !$email || !is_email($email) || !is_username($username)) { $this->msg = $memlang['getpwd-user-noexists']; return false; } $userinfo=$this->get($this->get_userid($username)); if(!$userinfo) { $this->msg = $memlang['getpwd-username-noexists']; return false; } if($userinfo['email']!=$email) { $this->msg = $memlang['getpwd-username-email']; return false; } /* 设置新密码 */ $newpwd=mt_rand(100000,999999); $this->set($userinfo['id'], array('password'=>PWD($newpwd))); require_once(DAYU_ROOT.'include/email.class.php'); $sendemail=new email(); $sendemail->send($userinfo['email'], $DAYU['site_name'].'找回密码操作',$userinfo['username'].',您好,您的新密码已经重新设置为: '.$newpwd.', 请尽快登录会员中心修改密码! <a href="'.$DAYU['site_url'].'/member/index.php?file=login&action=login">点此登录!</a>',MAIL_USER); include DAYU_ROOT.'include/sms.class.php'; $sendsms=new sms(); $sendsms->sendSMS($userinfo['telephone'],$userinfo['username'].',您好,您的新密码已经重新设置为: '.$newpwd.', 请尽快登录会员中心修改密码! -'.$DAYU['site_name']); return true; }
$newpwd=mt_rand(100000,999999);找回用户密码:填写用户名&邮箱。会生成一个6位数数字密码。然后暴力破解:
case 'login': if($_userid) { header('location:index.php'); exit(); } if(isset($do_submit) && $do_submit) { $forwardurl=isset($forwardurl)?$forwardurl:get_cookie('http_referer'); $forwardurl=strpos(strtolower($forwardurl),'&action=logout')?'':$forwardurl; $url=$forwardurl?$forwardurl:(getpreurl()?getpreurl():$DAYU['site_url'].'member/index.php'); if(LOGIN_CHECKCODE_ENABLED && ($_SESSION['checkcode']!=$chkcode || !$_SESSION['checkcode'])) { showmsg($memlang['err-checkcode']); } if(UC) { $action = 'login'; require dirname(__FILE__).'/api/passport_server_ucenter.php'; $member->edit_password_username($username, $password); } else { $code=''; } $userinfo=$member->login($username,$password,$cookietime); if(!$userinfo) { showmsg($member->msg); } else { $_userid=$userinfo['id']; $modelid=$userinfo['modelid']; unset($_SESSION['checkcode']); set_cookie('http_referer',''); showmsg($memlang['login-ok'].$code,$url); } } $http_referer=isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] ?$_SERVER['HTTP_REFERER']:''; if(substr($http_referer,0,strlen(SITE_URL))!=SITE_URL || strpos($http_referer,'&action=logout')) { $http_referer=''; } set_cookie('http_referer',$http_referer); $ischeckcode=LOGIN_CHECKCODE_ENABLED?true:false; include member_tlp('login'); break;
其中只判断了验证码是否正确,正确则执行登陆,错误则弹出错误,没有重置验证码。那么我们可以一次验证码多次使用。
成功破解密码。
1.重置生成的密码设置复杂些。2.验证码使用后要重置验证码。
未能联系到厂商或者厂商积极拒绝