
# ucms

## 1.1 Ucms version 1.47, download address

## 1.2 After downloading, build your own local web environment. Create the management account admin with the password 123456.

## 1.3 Log in to the background system as admin and add a background user, test.

Log in to the background with the test account, password 654321.

Logged in as test, open the personal information modification interface. Note that test is a background user.

Enter abab as the new password and debug with PhpStorm. With a breakpoint set in the if of the mypost.php file, we can see the value we transmitted in the cookie.

Now we change the value test to admin and continue to follow up.

Stepping to line 15, this is where the user name is obtained.

Following up to line 56, we find that it only checks whether the value in the cookie is set and not empty, and then directly assigns the admin_cookiehash in the cookie to username. This is the cause of the vulnerability: the legitimacy of the user is never verified.

Following up further, the return value is admin. Continue to follow up.

Line 33 executes the update of the user's information in the database, and the where clause uses username directly. The password of admin can therefore be modified successfully.


Viewing the database shows that the password has been modified to abab.


Verify by logging in: the password has been reset to abab. In this way, we succeeded in modifying the password of admin from the common user test.
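
The root cause described above (a user name taken from the cookie and used directly in the where clause of the update) next to a hardened form, as an added example that is not UCMS's own code. Table, column, cookie-key and function names are hypothetical, and storing passwords with password_hash() is an assumption.

```php
<?php
// Added illustration, not UCMS source. Table, column, cookie-key and function
// names are hypothetical; password_hash() is an assumption about storage.
$db = new PDO('sqlite::memory:');   // needs the pdo_sqlite extension
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
foreach (['admin' => '123456', 'test' => '654321'] as $name => $pw) {  // constructed accounts
    $ins->execute([$name, password_hash($pw, PASSWORD_DEFAULT)]);
}

// Flawed pattern from the write-up: "set and not empty" is the only check,
// so whatever name the client puts in the cookie becomes the acting user.
function usernameFromCookie(array $cookie): ?string
{
    $v = $cookie['username'] ?? '';
    return (is_string($v) && $v !== '') ? $v : null;
}

// Hardened: the acting user comes from server-side session state written at
// login, and the caller must prove knowledge of the current password.
function changeOwnPassword(PDO $db, array $session, string $current, string $new): bool
{
    $user = $session['username'] ?? null;
    if (!is_string($user) || $user === '') {
        return false;                                  // not logged in
    }
    $sel = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
    $sel->execute([$user]);
    $hash = $sel->fetchColumn();
    if ($hash === false || !password_verify($current, $hash)) {
        return false;                                  // wrong current password
    }
    $upd = $db->prepare('UPDATE users SET pwhash = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return $upd->rowCount() === 1;
}

$session = ['username' => 'test'];   // set by the server when test logged in
$cookie  = ['username' => 'admin'];  // constructed: value edited on the client
echo 'identity the flawed lookup would act on: ', usernameFromCookie($cookie), "\n";
echo 'test changes own password: ';
var_dump(changeOwnPassword($db, $session, '654321', 'abab'));
echo 'same request with a wrong current password: ';
var_dump(changeOwnPassword($db, $session, 'not-it', 'zzzz'));
$sel = $db->prepare('SELECT pwhash FROM users WHERE username = ?');
$sel->execute(['admin']);
echo 'admin still has the original password: ';
var_dump(password_verify('123456', $sel->fetchColumn()));
```

The hardened function never reads the cookie, so editing it cannot change which row the update touches.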