EasyTalk 提升用户为管理员漏洞

2014-02-18T00:00:00
ID SSV:96010
Type seebug
Reporter Root
Modified 2014-02-18T00:00:00

Description

简要描述:

EasyTalk 提升用户为管理员漏洞

详细说明:

在用户基本信息修改处,存在设计缺陷,导致EasyTalk提升自己为管理员,而且还能无限增加自己的粉丝等啊! 来看看漏洞所在文件: /Home/Lib/Action/SettingAction.class.php

``` //保存设置 public function doset() { $user=M('Users'); $data=array();

    $userdata=$_POST['user'];
    $userdata['nickname']= daddslashes(clean_html(trim($userdata["nickname"])));
    $userdata['provinceid']=intval($userdata['provinceid']);
    $userdata['cityid']=intval($userdata['cityid']);
    $userdata['user_info']= daddslashes(trim(htmlspecialchars($userdata['user_info'])));
    if(!preg_match('/^[0-9a-zA-Z\xe0-\xef\x80-\xbf_-]+$/i',$userdata['nickname'])) {
        echo json_encode(array('res'=>'error','tips'=>L('setting2')));
        exit;
    }
    if (!$userdata['nickname'] || !$userdata['provinceid'] || !$userdata['cityid']) {
        echo json_encode(array('res'=>'error','tips'=>L('setting1')));
        exit;
    }
    if ($userdata['qq'] && !is_numeric($userdata['qq'])) {
        echo json_encode(array('res'=>'error','tips'=>L('qqiserror')));
        exit;
    }
    if ($userdata['msn'] && count(explode('@',$userdata['msn']))==1) {
        echo json_encode(array('res'=>'error','tips'=>L('msniserror')));
        exit;
    }
    //昵称检测
    if ($userdata['nickname'] && $userdata['nickname']!=$this->my['nickname']) {
        if (StrLenW($userdata['nickname'])<=12 && StrLenW($userdata['nickname'])>=3) {
            $newnickname=$user->where("nickname='$userdata[nickname]'")->find();
            if ($newnickname) {
                echo json_encode(array('res'=>'error','tips'=>L('setting4')));
                exit;
            } else {
                M('Atusers')->where("atuname='".$this->my['user_name']."'")->setField('atnickname',$userdata['nickname']);
            }
        } else {
            echo json_encode(array('res'=>'error','tips'=>L('setting2')));
            exit;
        }
    }
    $user->where("user_id='".$this->my['user_id']."'")->data($userdata)->save();
    $this->finishprofile();
    echo json_encode(array('res'=>'success','tips'=>L('setting3')));
}

```

这里只是通过循环接收数字中的数据的,没有进行限制,所以我们可以任意添加字段及内容。

漏洞证明:

来看看新注册的用户的信息:

<img src="https://images.seebug.org/upload/201402/18110238080a61277054e2374c6f173dcd1410f2.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

我们来设置新注册用户222222的基本信息,我们添加了两个字段isadmin和followme_num。 构造如下:

<img src="https://images.seebug.org/upload/201402/18110638846df48d2d60d5706bfa0560c0b3b03d.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

返回success,说明修改成功啦。 来看看用户222222的信息:

<img src="https://images.seebug.org/upload/201402/181108168d9a98c24e89779f738826926f8bb0ca.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

此时新注册用户222222已经是管理员了,粉丝数已经被修改了。

<img src="https://images.seebug.org/upload/201402/181110486338d784f1c1ee0612b7f499ee0922b6.png" alt="4.png" width="600" onerror="javascript:errimg(this);">