Logic Flaw: Arbitrary Administrator Password Modification #3

@gtqbhksl

Vulnerability Title

Logic Flaw: Arbitrary Administrator Password Modification


Vulnerability Type

Improper Access Control / Unauthorized Operation / Arbitrary Administrator Password Modification

CWE:

CWE-269: Improper Privilege Management

Vulnerability Location

app\admin\controller\Admin.php:edit()

Vulnerability Description

The backend administrator edit endpoint Admin.php:edit() has a privilege-control defect.

Although the method restricts status changes for the super administrator with id == 1, it does not effectively verify whether the currently logged-in administrator is allowed to modify the target administrator. An attacker who holds an ordinary administrator account can craft a request that modifies other administrator accounts, including the super administrator's password.

Because the endpoint directly trusts the id, password, group_id and other parameters in the request, an ordinary administrator can set the target id to the super administrator's ID and submit a new password, thereby resetting the super administrator's password.

This is a typical backend privilege-escalation logic flaw: it lets an ordinary administrator elevate privileges and even take over the admin panel completely.


Root Cause Analysis

The edit() method has the following problems:

  1. It only prevents status changes when id == 1;
  2. It does not verify whether the current administrator is allowed to edit the target administrator;
  3. It does not stop ordinary administrators from modifying other administrator accounts;
  4. It does not stop ordinary administrators from modifying the super administrator account;
  5. It applies no tiered permission control to sensitive fields, for example:
    • password
    • group_id
    • status
    • username
  6. The server performs no object-level authorization based on the role of the logged-in user.

As a result, an ordinary administrator can edit any administrator account simply by changing the id in the request parameters.


Scope of Impact

Affected endpoint:

POST /admin9423.php/Admin/edit

Affected feature:

Backend administrator edit function

Affected accounts:

All administrator accounts, including the super administrator account

Proof of Concept

Log in to the backend with an ordinary administrator account and obtain that account's valid session cookie.

Then send the following request, setting id to the super administrator's ID (for example id=1) and changing its password.

POST /admin9423.php/Admin/edit HTTP/1.1
Host: target.com
Cookie: PHPSESSID=xxx
Content-Type: application/x-www-form-urlencoded

id=1&username=admin&password=Abc123456&group_id=1&nickname=%E9%BB%94%E7%8B%90%E7%A7%91%E6%8A%80&phone=4008883116&avatar=%2Fuploads%2Ffiles%2F20230311%2Fuser.jpg

Result

After the request succeeds, the super administrator's password is changed to:

Abc123456

The super administrator account can then be used to log in to the backend with the new password, proving that an ordinary administrator can modify the super administrator's password.


Impact

After exploiting this vulnerability, an attacker may cause the following:

  1. An ordinary administrator can change any administrator's password;
  2. An ordinary administrator can reset the super administrator's password;
  3. The attacker can take over the super administrator account;
  4. System configuration, user data and business data can then be modified;
  5. New high-privilege accounts can be created;
  6. Critical backend data can be deleted or tampered with;
  7. Combined with file upload, template editing and similar functions, server access may be obtained.

Severity

Recommended severity: High / Critical

Reasons:

  • The flaw lets an ordinary administrator directly take over the super administrator account;
  • It affects the core privilege system of the backend;
  • The bar for exploitation is low: only an ordinary administrator account is needed;
  • Successful exploitation can lead to complete system compromise.


Vulnerability Title

Logic Flaw: Arbitrary Administrator Password Modification


Vulnerability Type

Improper Privilege Management / Privilege Escalation / Unauthorized Administrator Password Modification

CWE:

CWE-269: Improper Privilege Management

Vulnerability Location

app\admin\controller\Admin.php:edit()

Vulnerability Description

The backend administrator edit function Admin.php:edit() contains an improper privilege management vulnerability.

Although the method restricts changing the status of the administrator account with id == 1, it does not properly verify whether the currently logged-in administrator has permission to modify the target administrator account.

As a result, a normal administrator can craft a request and modify other administrator accounts, including the super administrator account. By setting the target id to the super administrator ID and submitting a new password, the attacker can reset the super administrator’s password.

This is a typical backend privilege escalation vulnerability that may allow a low-privileged administrator to take over the entire admin panel.


Root Cause Analysis

The edit() method has the following security issues:

  1. It only restricts status modification for id == 1;
  2. It does not verify whether the current administrator can edit the target administrator;
  3. It does not prevent normal administrators from modifying other administrators;
  4. It does not prevent normal administrators from modifying the super administrator;
  5. It does not apply permission checks to sensitive fields, such as:
    • password
    • group_id
    • status
    • username
  6. It lacks server-side object-level authorization checks.

Therefore, a normal administrator can modify the id parameter in the request and edit arbitrary administrator accounts.
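The root-cause list above (and its counterpart in the first half of the report) describes exactly the check that edit() lacks: an object-level decision, made server-side from the logged-in administrator's own role, before any field of the target row is written. The following is an added example written for this report by the editor; it is not the project's code and does not use the project's framework. It assumes a session that stores the logged-in admin's id under 'admin_id', that the super administrator is the row with id == 1 (the report's special case) in group_id 1 (the value the PoC body sends), that status 1 means enabled, and that passwords are stored hashed; the field names come from the PoC request body.

```php
<?php
// Added example (editor's code, not from the report or the project):
// object-level authorization for an admin "edit" action, written as
// framework-independent PHP so it runs with plain `php` from the CLI.
//
// Assumptions not taken from the report: the session stores the logged-in
// admin's id under 'admin_id'; the super administrator is the row with
// id == 1 and belongs to group_id 1; status 1 means enabled; passwords are
// stored hashed.
declare(strict_types=1);

const SUPER_ADMIN_ID    = 1;   // from the report: the id == 1 special case
const SUPER_ADMIN_GROUP = 1;   // assumption: group_id=1 in the PoC request
const STATUS_ENABLED    = 1;   // assumption

// Fields that change privilege level; only the super admin may set them.
const PRIVILEGED_FIELDS = ['group_id', 'status'];
// Fields the endpoint accepts at all (names taken from the PoC request body).
const EDITABLE_FIELDS = ['username', 'password', 'group_id', 'status',
                         'nickname', 'phone', 'avatar'];

/**
 * Decide whether $current (logged-in admin row) may apply $changes to $target
 * (the admin row looked up by the posted id). Returns null when allowed,
 * otherwise a short reason. This is the decision edit() never makes.
 */
function authorizeAdminEdit(array $current, array $target, array $changes): ?string
{
    $isSuper = (int)$current['group_id'] === SUPER_ADMIN_GROUP;
    $isSelf  = (int)$current['id'] === (int)$target['id'];

    // Ordinary admins may edit only their own record (object-level check).
    if (!$isSuper && !$isSelf) {
        return 'forbidden: ordinary administrators may only edit their own account';
    }
    // Privilege-bearing fields are reserved to the super admin, even on self.
    foreach (PRIVILEGED_FIELDS as $field) {
        if (array_key_exists($field, $changes) && !$isSuper) {
            return "forbidden: field '$field' may only be set by the super administrator";
        }
    }
    // The id == 1 account can never be disabled or demoted, by anyone.
    if ((int)$target['id'] === SUPER_ADMIN_ID) {
        if (isset($changes['status']) && (int)$changes['status'] !== STATUS_ENABLED) {
            return 'forbidden: the super administrator cannot be disabled';
        }
        if (isset($changes['group_id']) && (int)$changes['group_id'] !== SUPER_ADMIN_GROUP) {
            return 'forbidden: the super administrator cannot be demoted';
        }
    }
    return null;
}

/**
 * Hardened edit handler: resolve the actor from the session, the target from
 * the posted id, authorize, and only then write. $admins stands in for the
 * admin table (id => row).
 */
function editHardened(array $session, array $post, array &$admins): string
{
    $actorId  = (int)($session['admin_id'] ?? 0);
    $targetId = (int)($post['id'] ?? 0);
    if (!isset($admins[$actorId])) {
        return 'error: not logged in';
    }
    if (!isset($admins[$targetId])) {
        return 'error: no such administrator';
    }
    // Allow-list the writable fields; 'id' is never copied from the body.
    $changes = array_intersect_key($post, array_flip(EDITABLE_FIELDS));

    $denied = authorizeAdminEdit($admins[$actorId], $admins[$targetId], $changes);
    if ($denied !== null) {
        // Denials are worth logging: they are the signal for this attack pattern.
        error_log("admin edit denied: actor={$actorId} target={$targetId}: {$denied}");
        return $denied;
    }
    if (isset($changes['password'])) {
        $changes['password'] = password_hash((string)$changes['password'], PASSWORD_DEFAULT);
    }
    $admins[$targetId] = array_merge($admins[$targetId], $changes);
    return 'ok';
}

// Constructed sample data: id 1 is the super admin, id 2 an ordinary admin.
$admins = [
    1 => ['id' => 1, 'username' => 'admin',  'group_id' => 1, 'status' => 1, 'password' => '<hash>'],
    2 => ['id' => 2, 'username' => 'editor', 'group_id' => 2, 'status' => 1, 'password' => '<hash>'],
];
$session = ['admin_id' => 2];   // logged in as the ordinary admin

// The report's PoC body replayed against the hardened handler: denied.
$poc = ['id' => '1', 'username' => 'admin', 'password' => 'Abc123456', 'group_id' => '1'];
echo editHardened($session, $poc, $admins), PHP_EOL;
// Self-service password change by the ordinary admin: allowed.
echo editHardened($session, ['id' => '2', 'password' => 'N3w-Passw0rd'], $admins), PHP_EOL;
// Ordinary admin trying to promote itself: denied on the group_id field.
echo editHardened($session, ['id' => '2', 'group_id' => '1'], $admins), PHP_EOL;
```

Run with `php edit_check.php`: the first call (the PoC body sent by the ordinary admin) is refused before any write, the second (the admin changing its own password) succeeds, and the third (the admin setting its own group_id) is refused on the privileged field. The two points that matter for this class of bug are that the actor is taken from the session and the target from the database row, never from the request body alone, and that the authorization decision is made on the loaded target row and the allow-listed change set rather than on a single id == 1 special case.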


Affected Endpoint

POST /admin9423.php/Admin/edit

Affected feature:

Backend administrator edit function

Affected accounts:

All administrator accounts, including the super administrator account

Proof of Concept

Log in with a normal administrator account and obtain a valid session cookie.

Then send the following request and set id=1, which represents the super administrator account.

POST /admin9423.php/Admin/edit HTTP/1.1
Host: target.com
Cookie: PHPSESSID=xxx
Content-Type: application/x-www-form-urlencoded

id=1&username=admin&password=Abc123456&group_id=1&nickname=%E9%BB%94%E7%8B%90%E7%A7%91%E6%8A%80&phone=4008883116&avatar=%2Fuploads%2Ffiles%2F20230311%2Fuser.jpg

Result

After the request is submitted successfully, the password of the super administrator account is changed to:

Abc123456

The attacker can then log in to the backend using the super administrator account and the new password, confirming that a normal administrator can modify the super administrator’s password.


Impact

Successful exploitation may lead to:

  1. Modification of arbitrary administrator passwords;
  2. Resetting the super administrator password;
  3. Complete takeover of the super administrator account;
  4. Modification of system configuration and business data;
  5. Creation of new high-privileged administrator accounts;
  6. Deletion or tampering with critical backend data;
  7. Further compromise of the server if combined with other backend functions such as file upload or template editing.

Severity

Recommended severity: High / Critical

Reasons:

  • A normal administrator can take over the super administrator account;
  • The vulnerability affects the core privilege management mechanism;
  • Exploitation requires only a low-privileged administrator account;
  • Successful exploitation may lead to full system compromise.
