Two arbitrary user password vulnerabilities in phpyun

app/controller/forgetpwd/index.class.php

function send_action(){
    
    

        $username=yun_iconv("utf-8","gbk",$_POST['username']);

        if(!$this->CheckRegUser($username)&&!$this->CheckRegEmail($username)){
    
    

            $res['msg']=yun_iconv("gbk","utf-8","用户名不符合规范！");

            $res['type']='8';

            echo json_encode($res);die;

        }

        $M=$this->MODEL("userinfo");

        $where=array("`username`='".$username."' or `email`='".$username."' or `moblie`='".$username."'");

        $info=$M->GetMemberOne($where,array("field"=>"`uid`,`username`,`email`,`moblie`"));



        if($info['uid']){
    
    

            $sendcode=rand(100000,999999);//这里从这个范围里随机抽取一个数字来 生成token 来验证 数字还挺大的 然而并没有什么卵用。

            setcookie("moblie_code",$sendcode,time()+120, "/");//我擦 这是什么意思。。 为什么要把生成的token给我。。。

            if($_POST['sendtype']=='email'){
    
    

                if(!($this->config['sy_smtpserver']!="" && $this->config['sy_smtpemail']!="" && $this->config['sy_smtpuser']!="")){
    
    

                    $res['msg']=yun_iconv("gbk","utf-8","还没有配置邮箱，请联系管理员！");

                    $res['type']='8';

                    echo json_encode($res);die;

                }elseif($this->config['sy_email_getpass']=="2"){
    
    

                    $res['msg']=yun_iconv("gbk","utf-8","网站未开启邮件找回密码！");

                    $res['type']='8';

                    echo json_encode($res);die;

                }

            }else{
    
    

                if(!$this->config["sy_msguser"] || !$this->config["sy_msgpw"] || !$this->config["sy_msgkey"]){
    
    

                    $res['msg']=yun_iconv("gbk","utf-8","还没有配置短信，请联系管理员！");

                    $res['type']='8';

                    echo json_encode($res);die;

                }elseif($this->config['sy_msg_getpass']=="2"){
    
    

                    $res['msg']=yun_iconv("gbk","utf-8","网站未开启短信找回密码！");

                    $res['type']='8';

                    echo json_encode($res);die;

                }

            }

            $fdata=$this->forsend(array('uid'=>$info['uid'],'usertype'=>$info['usertype']));

            $data['uid']=$info['uid'];

            $data['username']=$info['username'];

            $data['name']=$fdata['name'];

            $data['type']="getpass";

            if($_POST['sendtype']=='email'){
    
    

                $data['email']=$info['email'];

            }else{
    
    

                $data['moblie']=$info['moblie'];

            }

            $data['sendcode']=$sendcode;

            $data['date']=date("Y-m-d");

            $status=$this->send_msg_email($data);

            if($_POST['sendtype']=='email'){
    
    

                $check=$info['email'];

            }else{
    
    

                $check=$info['moblie'];

            }

            $cert=$M->GetCompanyCert(array("uid"=>$info['uid'],"type"=>"5","check"=>$check),array("field"=>"`uid`,`check2`,`ctime`,`id`"));

            if($cert){
    
    

                $M->UpdateCompanyCert(array("check2"=>$sendcode,"ctime"=>time()),array("id"=>$cert['id']));

            }else{
    
    

                $M->AddCompanyCert(array('type'=>'5','status'=>0,'uid'=>$info['uid'],'check2'=>$sendcode,'check'=>$check,'ctime'=>time()));

            }

            if($_POST['sendtype']=='email'){
    
    

                $res['msg']=iconv("gbk","utf-8",'验证码邮件发送成功！');

            }else{
    
    

                $res['msg']=iconv("gbk","utf-8",'验证码短信'.$status);

                if($status!="发送成功!"){
    
    

                    $res['type']='8';

                    echo json_encode($res);die;

                }

            }

            $res['type']='1';

            $res['uid']=$info['uid'];

            $res['username']=$this->half_replace(yun_iconv("gbk","utf-8",$info['username']),'GBK');

            $res['email']=$this->half_replace($info['email']);

            $res['moblie']=$this->half_replace($info['moblie']);

            echo json_encode($res);die;

        }else{
    
    

            $res['type']='2';

            echo json_encode($res);die;

        }

    }

See notes for analysis.

Test it directly with a demo.

…

I registered an account xiaoyu myself

http://.../index.php?m=forgetpw

Then enter xiaoyu

GET /index.php?m=forgetpw HTTP/1.1

Host: **.**.**.**

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Proxy-Connection: keep-alive

Referer: http://**.**.**.**/index.php?m=login

Cookie: CNZZDATA3860868=cnzz_eid%3D728936302-1434163605-%26ntime%3D1434169820; safedog-flow-item=E8B28CBFB51FE7D89532C87629CB95F8; PHPSESSID=o3tg919m4gma3vq3mh6is5ce54; moblie_code=567221

Cache-Control: max-age=0

moblie_code=567221

okay.

Second place

The other is the password recovery file on the phone page

\app\controller\wap\forgetpw.class.php

function send_action(){
    
    

        $username=yun_iconv("utf-8","gbk",$_POST['username']);

        if(!$this->CheckRegUser($username)&&!$this->CheckRegEmail($username)){
    
    

            $res['msg']=yun_iconv("gbk","utf-8","用户名不符合规范！");

            $res['type']='8';

            echo json_encode($res);die;

        }

        $M=$this->MODEL("userinfo");

        $where=array("`username`='".$username."' or `email`='".$username."' or `moblie`='".$username."'");

        $info=$M->GetMemberOne($where,array("field"=>"`uid`,`username`,`email`,`moblie`"));



        if($info['uid']){
    
    

            $sendcode=rand(100000,999999);

            setcookie("moblie_code",$sendcode,time()+120, "/");

I won’t talk about the same problem as the password recovery of pc files. .

the same.