#ucms ##1.1 Ucms version 1.47, download address http://uuu.la/
Debugging to 15 lines of code, this place is the place to get the user name.
Follow up to 56 lines, find that 56 lines of code knowledge simply judge whether the value in cookie is set and not empty, and then directly assign the admin_cookiehash in cookie to username. It can be seen that this place is the cause of the vulnerability, without verifying the legitimacy of the user. Follow up
Thirty-three lines of code execute updating the user's information in the database, and here you just use where directly with username. Then you can successfully modify the password of admin.
View database discovery password has been modified to abab
Verify login, password has been reset to abab,In this way, we succeeded in modifying the password of admin successfully from the common user test.