Reproducing the DeDeCMS v5.7 SP2 (official release) front-end arbitrary user password reset vulnerability
Required software:
- phpstudy
- burpsuite
To reproduce this vulnerability, we work through the following steps.
1. Build a website
Reproducing the vulnerability starts with setting up a vulnerable copy of the site. First download the source code: DeDeCMS V5.7 SP2 official version (2018-01-09).
Then use a web server bundle to host it; the tool used here is phpstudy. The build steps are as follows:
- Open the downloaded DeDeCMS V5.7 SP2 official version (2018-01-09) archive, select the uploads folder and copy it into the WWW directory under the phpstudy installation directory.
- Open phpstudy, click the Websites entry in the left-hand option bar, then click Create website and set a domain name. There are no special requirements for the domain name; choose whatever you like. Select the root directory under the WWW directory as the site root.
- Click OK to create the site. On the phpstudy home page, make sure both Apache and MySQL are running.
- In the browser, visit: your-domain/uploads/install/index.php (here: www.ldfx.com/uploads/install/index.php). The path after the domain name depends on where you copied the files, as shown in the figure below.
- The site redirects to the installer interface shown below. Click Next. In the parameter configuration step, note these points: the database password is the password of the phpstudy root MySQL user (here: root), just enter it; and remember the administrator login account and password, which default to admin, as shown in the figure.
2. Related configuration and preparation
Click Continue to reach the interface below. First click the link to log in to the site back end.
Log in with the administrator account (it is recommended to bookmark this URL; you will need it again), click through in the numbered order shown in the figure below, and enable the membership function.
Go back to the previous interface and click the link to visit the site's home page.
Click Register and create two accounts: one with user name ceshi and password password, and the other with user name hacker and password 123.
Note: do not set a security question on the accounts. This is the precondition for the vulnerability.
3. Use burpsuite to capture packets and view information
First download Burp Suite and configure the browser to use it as a proxy. The specific steps are not covered here; they are easy to find online.
Turn on the proxy and construct the request: first log in with the attacker's account (hacker), then replace everything after member in the URL with resetpassword.php?dopost=safequestion&safequestion=0.0&safeanswer=&id={user}, where {user} is the numeric id of the target account (here it is 2).
The id can be read from the administrator interface, where the mid column is the id we need. The specific operation is shown in the figure.
After sending the request, the following appears in Burp Suite:
Click Forward, and Burp Suite shows: GET /uploads/member/resetpassword.php?dopost=getpasswd&id=2&key=YYSAkAOs. Delete every **amp;** from this request (so that each &amp; becomes a plain &), then click Forward again and the browser lands on the password change page.
Now click Intercept to turn interception off; otherwise you have to click Forward for every request.
Change the password to 123 (the original password was password).
Log out of the hacker account and try to log in to the ceshi account with the changed password.
We have successfully changed another user's password and logged in to the account.
This completes the reproduction of the vulnerability.
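The walkthrough above never shows why safequestion=0.0 with an empty safeanswer gets past the check for an account that has no security question. The following PHP is an added illustrative model written for this page, not DeDeCMS's own source, which is not reproduced here. It assumes that an account which never set a question is stored with safequestion '0' and safeanswer '' (labelled as an assumption in the comments), and it places the weak loose-comparison check beside a hardened one that refuses the reset path for such accounts and compares strictly.

```php
<?php
// Added illustrative model of the security-question check, not DeDeCMS's own source.
// Assumption (this page does not show the code): an account that never set a
// security question is stored with safequestion = '0' and safeanswer = ''.

// Weak form: loose (==) comparison after an empty() normalisation.
function vulnerableCheck(array $row, string $safequestion, string $safeanswer): bool
{
    // empty('0') is true, so a plain '0' is turned into '' and then fails '0' == ''.
    // '0.0' is NOT empty, survives untouched, and '0' == '0.0' is true because
    // PHP compares two numeric strings as numbers. The empty answer matches ''.
    if (empty($safequestion)) {
        $safequestion = '';
    }
    if (empty($safeanswer)) {
        $safeanswer = '';
    }
    return $row['safequestion'] == $safequestion
        && $row['safeanswer'] == $safeanswer;
}

// Hardened form: refuse the reset path for accounts that never set a question,
// and compare with === / hash_equals so no type juggling is possible.
function hardenedCheck(array $row, string $safequestion, string $safeanswer): bool
{
    if ($row['safequestion'] === '0' || $row['safeanswer'] === '') {
        return false; // no question on file: this path must not grant a reset
    }
    return $row['safequestion'] === $safequestion
        && hash_equals($row['safeanswer'], $safeanswer);
}

// Constructed sample row for an account like ceshi above, with no question set.
$row = ['safequestion' => '0', 'safeanswer' => ''];

// The exact request parameters from the walkthrough: safequestion=0.0&safeanswer=
var_dump(vulnerableCheck($row, '0.0', ''));
var_dump(hardenedCheck($row, '0.0', ''));
```

Run it with `php model.php`: the weak check accepts the request for the question-less account, while the hardened check rejects it. The two properties worth carrying into any real fix are the early refusal (a reset mechanism built on a secret the user never set has no secret to verify) and the strict comparison, since `==` on strings that look numeric is what turns '0' and '0.0' into equals.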