Run in the browser console (F12)
or
There is no undo here, so operate with caution. The article also contains a fix.
1. After execution, if an integer greater than 0 is displayed, the account has been deleted successfully.
2. The account is deleted in UCenter, and UCenter then notifies Discuz! to delete the user account.
3. The notification may be delayed or fail, so you may not be logged out of the site immediately.
4. If the notification eventually succeeds, the account and all of its posts are removed from Discuz!.
5. If the notification fails, you will not be able to log in again after logging out. You can register a new account with the same name to overwrite the original one; the original account information is deleted and its posts become unreadable (but are not deleted).
Reposted from: (hyperlink visible only after login)
Testing confirmed that deletion works: both a freshly installed Discuz! X3.4 and a Discuz! X3.4 forum that had been running online for a long time were deleted successfully. On some forums the deletion succeeded and the subsequent login failed, but registering again reported that the username already existed and needed activation, and the activation then failed.
Vulnerability Analysis:
My JavaScript skills are limited, but as far as I can tell the script visits the Discuz! avatar-modification page "/home.php?mod=spacecp&ac=avatar", replaces the link "https://www.itsvse.com/uc_server/images/camera.swf?inajax=1&appid=1&input=xxx" with "https://www.itsvse.com/uc_server/?m=user&a=delete&inajax=1&appid=1&input=xxx", and then requests that URL.
Parsing the parameters m=user&a=delete&inajax=1&appid=1&input=xxx:
m: which PHP file to load; here it loads control/user.php.
a: which method of that file to execute; here the ondelete method.
input: an encrypted string generated by the server that carries some parameters; the xxx here is an encrypted string containing "uid=<UID of the currently logged-in user>". The remaining parameters are irrelevant to this article. In summary, the URL that the JS redirects to executes the ondelete method of user.php.
To put it bluntly, the encrypted input string is shared between the avatar-modification API and the user-deletion API: an input generated for one can be submitted to either, using the same parameters.
Solution:
Modify file 1: "/source/plugin/mobile/api/2/uploadavatar.php"
Go to line 82 and locate the following code:
Change it to:
Modify file 2: "/source/plugin/wechat/wechat.class.php"
Go to line 549 and locate the following code:
Change it to:
Modify file 3: "/uc_client/client.php"
Go to line 591 and locate the following code:
Change it to:
Modify file 4: "/uc_server/control/user.php"
Go to lines 210, 310 and 353 and locate the following code:
Change it to:
The fix works by renaming the uid parameter inside the avatar input to uid_avatar, so that the encrypted string issued for modifying the avatar is no longer interchangeable with the one the user-deletion method expects.
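The following Python is an added illustration of the design flaw and of the fix described above; it is not code from this article, from Discuz! or from UCenter. UCenter encrypts its input strings with its own uc_authcode() cipher and UC_KEY, which are replaced here by an HMAC-SHA256 tag under a hypothetical secret, and the user table is constructed for the demo. The "before" issuer places the user's id in the field that the delete handler trusts (uid), so a token minted for the avatar page is accepted by the delete handler; the "after" issuer uses uid_avatar, as the fix does, so the same token no longer names a uid to delete.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Hypothetical server secret standing in for UCenter's UC_KEY (constructed).
SECRET = b"example-secret-not-from-the-article"


def issue_input(params: dict) -> str:
    """Build an 'input'-style string: sorted query string plus an HMAC tag.
    (Stand-in for uc_authcode() encryption; the binding matters, not the cipher.)"""
    body = urlencode(sorted(params.items()))
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}&mac={mac}"


def parse_input(token: str) -> Optional[dict]:
    """Verify the tag and return the carried parameters, or None if tampered."""
    body, sep, mac = token.rpartition("&mac=")
    if not sep:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    return {k: v[0] for k, v in parse_qs(body).items()}


def delete_handler(token: str, users: dict) -> int:
    """Models user.php ondelete: removes the account named by 'uid' in the
    token. Returns the number of deleted accounts (the article's '> 0' result)."""
    params = parse_input(token)
    if params is None or "uid" not in params:
        return 0
    uid = int(params["uid"])
    return 1 if users.pop(uid, None) is not None else 0


def avatar_token_before(uid: int) -> str:
    """Vulnerable issuance: the avatar page mints an input carrying 'uid',
    the very field the delete handler acts on."""
    return issue_input({"uid": uid, "time": 0})  # fixed time keeps the demo deterministic


def avatar_token_after(uid: int) -> str:
    """Fixed issuance (the article's fix): the avatar input carries 'uid_avatar'."""
    return issue_input({"uid_avatar": uid, "time": 0})


def avatar_handler_after(token: str) -> Optional[int]:
    """Models the patched avatar code paths: they read 'uid_avatar' only."""
    params = parse_input(token)
    if params is None or "uid_avatar" not in params:
        return None
    return int(params["uid_avatar"])


if __name__ == "__main__":
    users = {7: "alice", 8: "bob"}  # constructed user table
    print("before fix, avatar token sent to delete:", delete_handler(avatar_token_before(7), users))
    users = {7: "alice", 8: "bob"}
    print("after fix, avatar token sent to delete: ", delete_handler(avatar_token_after(7), users))
    print("after fix, avatar token at avatar path:  ", avatar_handler_after(avatar_token_after(7)))
```

The general lesson, beyond the rename the article applies, is that an authenticated or encrypted parameter blob must be bound to the operation it was issued for: a receiver should reject any blob whose purpose field (here simply the parameter name) does not match its own, and the check for tampering (the MAC verification above) is not a substitute for that binding.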
(End)