樂尚商城任意密碼找回
找回密碼文件:/home/controls/user.class.php
相關代碼如下:<?php
function get_pass_index(){
if(!$this->is_cached("user/get_pass",$_SERVER[REQUEST_URI])){
}
$this->display("user/get_pass",$_SERVER[REQUEST_URI]);
}
function code(){
ob_clean();
echo new Vcode(100,35,4);
}
function get_pass(){
$email=trim($_POST[email]);
$vcode=trim($_POST["vcode"]);
Validate::vcode($vcode,"驗證碼錯誤!");
$user=D(User)->where(array("email"=>$email))->find();
if($user){
if(Validate::$flag){
$mail=D("Mails","admin");
$link="http://".$_SERVER[SERVER_NAME].$GLOBALS["url"]."set_pass_index/id/{$user[id]}/ran_code/".$user[ran_code];
$body="請點擊以下鏈接找回密碼!".$link;
$datas=array("FromName"=>"管理員","Subject"=>"找回密碼郵件","Body"=>$body,"address"=>$email);
if($mail->send_mail($datas)){
$msg="發送成功,請查看您的郵件!";
$_SESSION[get_pass_uid]=$user[id];
$flag=1;
} else{
$msg="發送失敗,請查看後台郵箱配置!";
$flag=2;
}
} else {
$this->error("驗證碼錯誤",1);
}
} else {
$this->error("無此郵箱,請重新填寫!",1);
}
$this->assign("msg",$msg);
$this->assign("flag",$flag);
$this->display("user/get_pass_2");
}
function set_pass_index(){
$id=intval($_GET[id]);
$ran_code=trim($_GET[ran_code]);
$user=D(User);
$user_info=$user->field("ran_code,id")->where(array("id"=>$id))->find();
if($ran_code==$user_info[ran_code] && $user_info){
if($_SESSION[get_pass_uid]==$id){
$this->assign("id",$user_info[id]);
$this->assign("ran_code",$user_info[ran_code]);
$this->display("user/get_pass_3");
} else {
$this->error("鏈接已失效,請重新設置!",1,"user/get_pass_index");
}
}else{
$this->error("用戶信息不正確!",1,"user/get_pass_index");
}
}
function set_pass(){
$id=intval($_POST[id]);
$ran_code=intval($_POST[ran_code]);
$password=trim($_POST[password]);
$confirm_pass=trim($_POST[confirm_pass]);
$user=D(User);
if($password==$confirm_pass){
$_POST[password]=md5($password);
$result=$user->where(array("id"=>$id))->update();
if($result){
unset($_SESSION[get_pass_uid]);
$this->success("密碼修改成功",2,"user/login_index");
} else {
$this->error("密碼修改失敗!",2);
}
} else {
$this->error("兩次密碼輸入不一致",2);
}
}
?>
可以看到發送郵件的格式是:http://127.0.0.1/set_pass_index/id/用戶id值/ran_code/ran_code的值
那麼不可控的就只有ran_code,ran_code又是怎麼得到的呢?在同文件下的reg函數裡面就已經定義了:<?php
function reg(){
$user=D("User");
$group=D("Group","admin");
if($_FILES["photo"]["tmp_name"]){
$_POST["photo"]=$this->upload();
}
$password=trim($_POST[password]);
$_POST[password]=md5($_POST[password]);
$_POST[confirm_pass]=md5($_POST[confirm_pass]);
$_POST[ran_code]=rand(10000,99999);
$group_data=$group->load_default();
$_POST[score]=$group_data[score];
$_POST[group_id]=$group_data[id];
$_POST[reg_time]=time();
$_POST[log_time]="";
$_POST[account]=0;
$_POST[audit]=0;
$result=$user->add();
if(false !== $result){
//自動登陸
$_SESSION[user]=$user->where(array("id"=>$result))->find();
$_SESSION[user][password]=$password;
$_SESSION[user]["isLogin"]=true;
$mailRules=D("Mailrules","admin");
$template=$mailRules->load_temp("set_reg");
if($template[value]){
$datas=array("FromName"=>"管理員","Subject"=>"註冊成功","Body"=>$template[template],"address"=>trim($_POST[email]));
$mails=D("Mails","admin");
$datas[Body]=$mails->replace_body($datas[Body]);
$mails->send_mail($datas);
}
$user->where(array("id"=>$result))->update(array("log_time"=>time()));
$this->success("註冊成功!", 1, "user/reg_index/p/3");
} else {
$this->error($user->getMsg(), 1);
}
}
?>
$_POST[ran_code]=rand(10000,99999);
只要寫個腳本就可以任意用戶密碼重置了。這算是水平許可權的問題。
關於rand(),詳情參考:PHP rand() 函數 ;推薦閱讀:
※【實驗】Adversarial Video Generation
※AI 代碼長啥樣?
※clang-format 格式宏代碼引起的 Bug
※sqli-labs注入工具(第六關利用注入POC)