528 Star 4.4K Fork 1.9K

yadong.zhang / OneBlog

 / 详情

There is a Insecure Permissions vulnerability exists in OneBlog v2.3.4

待办的
创建于  
2022-06-15 00:47

Current description

OneBlog v2.3.4 is vulnerable to insecure privileges. Low-level administrators can reset the passwords of high-level administrators who exceed their permissions.

vulnerability recurrence

First log in to the background using the low-privileged user admin/123456,This is a low-privileged user
输入图片说明

Click the modify password function, enter the old password and the new password, and then use burpsuite to crawl the packet

POST /passport/updatePwd HTTP/1.1
Host: localhost:8085
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Origin: http://localhost:8085
Connection: close
Referer: http://localhost:8085/
Cookie: session_user="93lkCfVDA258ElC3HuO7gUY4xGkEK1BFLktUlzaQ+c8="; Hm_lvt_1040d081eea13b44d84a4af639640d51=1654896251; pageno_cookie=1; SHIRO_SESSION_ID=47e409dd-e488-4e2f-8a68-42ae7cd2de9c; 

id=2&password=123456&newPassword=1234567&newPasswordRepeat=1234567

输入图片说明

Modify the id parameter to the id of another user, Because there is no verification here that the user id is consistent with the current user.

If the passwords of other users with the same permissions are the same as the password fields passed in, you can change the passwords of users with the same permissions horizontally. If the password of the highly privileged user is the same as the password field passed in, you can change the password of the high privileged account vertically. This feature does not verify that the password field is consistent with the password of the currently logged-in user, so password can be entered at will

Change id to 1. The user with an ID of 1 is the root user with the highest authority, because the password of the root user is the same as the 123456 passed in by password, so it is prompted that the modification was successful, and then you are required to log in again.

输入图片说明

Log in to the root account again and find that the original password is no longer available.

输入图片说明

Log in successfully with the new password

输入图片说明

You can also break the brute force to crack the password field and traverse the id field to try to change other users' passwords in batches.

You can see that the passwords of users with id 5 and 6 have been modified successfully.

输入图片说明

Vulnerability analysis

com.zyd.blog.controller.PassportController

Reset the password in the updatePwd method of the / updatePwd path

输入图片说明

Follow the com.zyd.blog.business.service.impl#updatePwd

First, obtain the User object according to the user id passed by the front-end user. If the User is not null, determine whether the password field passed by the user is consistent with the user password corresponding to the id, and if so, reset the password.

So in fact, neither verifying whether the user id is the currently logged in user, nor verifying that the original password is the password of the current user, which eventually leads to ultra vires vulnerability.

输入图片说明

评论 (0)

qumh 创建了任务
qumh 修改了描述
qumh 修改了描述
qumh 修改了描述
qumh 修改了标题
展开全部操作日志

登录 后才可以发表评论

状态
负责人
里程碑
Pull Requests
关联的 Pull Requests 被合并后可能会关闭此 issue
分支
开始日期   -   截止日期
-
置顶选项
优先级
参与者(1)
Java
1
https://gitee.com/yadong.zhang/DBlog.git
git@gitee.com:yadong.zhang/DBlog.git
yadong.zhang
DBlog
OneBlog

搜索帮助