74cms/Horizontal ultra vires #2

Open
coolboy0816 opened this Issue Dec 26, 2018 · 0 comments

coolboy0816 commented Dec 26, 2018

First, register a user, create a resume, and then modify the job search intention, which can lead to the modification of any person and disclosure of personal information.
Vulnerability proof:
[Figure 1]
It only checks that the resume exists and does not check the user's privileges for the operation. C('visitor') returns the current user:
[Figure 2]
Through Method D:
[Figure 3]
Call the save_resume method in resumemodel.class.php, as shown in the following figure:
[Figure 4]
The method for updating resume calls is shown in the following figure:
[Figure 5]
Follow up the save method and put the current data object as shown in the following figure:
[Figure 6]
First, the data in $data is filtered to remove special symbols; it then determines whether there is a primary key, updates the data according to the primary key, and enters the update method, as shown in the following figure:
[Figure 7]
Since the above-mentioned user operations are not checked, after updating, users can change their job-seeking intention to any user (pid), update the changed data to the user page through update_user_info to access and modify any user information. Any user information can be obtained through $pid, as shown in the following figure:
[Figure 8]
Implementation steps:
Step 1: Create an account
[Figure 9]
Step 2: Improve your resume as required
[Figure 10]
Step 3: Click to modify your intention to apply for a job
[Figure 11]
Step 4: Grab the packet and modify the value of PID
[Figure 12]
Post-attack screenshots:
[Figure 13]
You can traverse the value of PID to get the personal information of all users and download your resume (because the original user's mobile phone number will be updated when updating due to the use of registration as a mobile phone number).
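
The missing check described in this report (the resume's existence is verified, its ownership is not), shown beside an update that is scoped to the session user. This is an added example, not 74cms code and not part of the original issue; the table, column and function names are hypothetical, and it uses an in-memory SQLite database through PDO with constructed rows.

```php
<?php
declare(strict_types=1);
// Added example. Table, columns and function names are hypothetical, not 74cms code.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE resume (id INTEGER PRIMARY KEY, uid INTEGER NOT NULL, intention TEXT)');
// Constructed sample rows: resume 1 belongs to user 10, resume 2 to user 20.
$db->exec("INSERT INTO resume (id, uid, intention) VALUES (1, 10, 'engineer'), (2, 20, 'designer')");

// Pattern described in the report: confirm the row exists, then update by primary key only.
function saveIntentionExistenceOnly(PDO $db, int $pid, string $intention): bool
{
    $exists = $db->prepare('SELECT 1 FROM resume WHERE id = ?');
    $exists->execute([$pid]);
    if ($exists->fetchColumn() === false) {
        return false;
    }
    $upd = $db->prepare('UPDATE resume SET intention = ? WHERE id = ?');
    $upd->execute([$intention, $pid]);
    return true;
}

// Hardened: the owner id from the server-side session is part of every WHERE clause,
// so a pid that belongs to another user matches no row.
function saveIntentionOwned(PDO $db, int $sessionUid, int $pid, string $intention): bool
{
    $owned = $db->prepare('SELECT 1 FROM resume WHERE id = ? AND uid = ?');
    $owned->execute([$pid, $sessionUid]);
    if ($owned->fetchColumn() === false) {
        return false; // "missing" and "not yours" are reported identically
    }
    $upd = $db->prepare('UPDATE resume SET intention = ? WHERE id = ? AND uid = ?');
    $upd->execute([$intention, $pid, $sessionUid]);
    return true;
}

function intentionOf(PDO $db, int $pid): string
{
    $q = $db->prepare('SELECT intention FROM resume WHERE id = ?');
    $q->execute([$pid]);
    return (string) $q->fetchColumn();
}

$sessionUid = 10; // identity comes from the session, never from the request body
$foreignPid = 2;  // request parameter that points at user 20's resume

var_dump(saveIntentionOwned($db, $sessionUid, $foreignPid, 'changed'), intentionOf($db, $foreignPid));
var_dump(saveIntentionOwned($db, $sessionUid, 1, 'architect'), intentionOf($db, 1));
var_dump(saveIntentionExistenceOnly($db, $foreignPid, 'changed'), intentionOf($db, $foreignPid));
```

Any read path that looks a record up by `$pid` needs the same owner condition, since the report describes both modification and disclosure through that identifier.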
