# ucms

## 1.1 UCMS version 1.47, download address http://uuu.la/

## 1.2 After downloading, set up your own local web environment. Create the admin management account with the password 123456.

## 1.3 Log in to the back-end system as admin and add a back-end user named test.

Log in to the back end with the test account, password 654321.

As the test user, open the personal information modification page. test is an ordinary back-end user.

Enter abab as the new password and debug the request with PhpStorm. With a breakpoint at the `if` in the mypost.php file, we can see the value we sent in the cookie.

Now we change the value test to admin and continue stepping through.

Stepping to line 15, this is where the user name is obtained.

Following the call to line 56, we find that line 56 only checks whether the value in the cookie is set and not empty, and then directly assigns the admin_cookiehash from the cookie to username. This is the cause of the vulnerability: the legitimacy of the user is never verified. Continue stepping.

The return value is admin. Continue stepping.

Line 33 updates the user's information in the database, and the `WHERE` clause uses username directly. The password of admin can therefore be modified successfully.

Checking the database shows that the password has been changed to abab.

Verify by logging in: the password has been reset to abab. In this way, we succeeded in changing the password of admin from the ordinary user test.
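
The root cause described above (identity taken from a cookie and then used in the `WHERE` clause) beside a hardened form, as an added example that is not UCMS code or the author's. Only the cookie name admin_cookiehash comes from the write-up; the function names, the users table and the session layout are assumptions, and the demo needs PHP with the pdo_sqlite extension.

```php
<?php
// Added illustration, not UCMS source. Only the cookie name admin_cookiehash comes
// from the write-up; functions, table and columns are hypothetical.

// Pattern described above: "set and not empty" is the only check, so the
// client-controlled cookie value becomes the acting username.
function username_from_cookie(array $cookie): ?string
{
    $value = $cookie['admin_cookiehash'] ?? '';
    return $value !== '' ? $value : null;
}

// Hardened: identity comes from server-side session state written at login.
function uid_from_session(array $session): ?int
{
    return isset($session['uid']) ? (int) $session['uid'] : null;
}

// Hardened update: keyed on the session's user id and gated on the current password.
function change_own_password(PDO $db, array $session, string $current, string $new): bool
{
    $uid = uid_from_session($session);
    if ($uid === null) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$uid]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($current, $hash)) {
        return false;
    }
    $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    return $upd->execute([password_hash($new, PASSWORD_DEFAULT), $uid]);
}

// Constructed demo data: two accounts in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (id, username, password_hash) VALUES (?, ?, ?)');
$ins->execute([1, 'admin', password_hash('admin-pass', PASSWORD_DEFAULT)]);
$ins->execute([2, 'test', password_hash('test-pass', PASSWORD_DEFAULT)]);

// Constructed request: session belongs to test (id 2), cookie was edited to admin.
$cookie  = ['admin_cookiehash' => 'admin'];
$session = ['uid' => 2];
var_dump(username_from_cookie($cookie));                               // identity the weak check trusts
var_dump(change_own_password($db, $session, 'wrong-pass', 'abab'));    // wrong current password
var_dump(change_own_password($db, $session, 'test-pass', 'new-pass')); // update is scoped to id 2
```

In the hardened path the cookie value never reaches the query, so editing it has no effect on which row is updated.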