Background of vulnerability mining
I was browsing Fofa when a certain system caught my eye; curious, I clicked on it.
Steps for vulnerability discovery and exploitation
The ids are 5 and 4 (to be mentioned later)
admin123456/Liuyichen123
admin1234567/Liuyichen123
- Modify the password: enter the new password, for example 'Liuyichen123!', capture the request, then click save
Unauthorized operation
Change the id to 4 (ids are assigned in the order the users were created) and change the name to that user's login name
Modification successful
Log in with 'admin123456/Liuyichen123!'
Successfully logged in and modified someone else's password without authorization
Let's take a look at the homepage
- I found that there are 5 users, so I guess that the user with id=1 must be the administrator
- Attempted to register an account with the username 'admin', only to find that 'admin' already exists, and it is indicated that there is an account with id=1 and loginname='admin'
- Then modify the administrator account with the same authorization bypass
The same operation
Click Save
Enter the background
The administrator account password was successfully changed to admin/Liuyichen123!
Successfully entered the background
Then search Fofa by fingerprint, find other instances of the same CMS, and apply for a general (通用) vulnerability certificate
After a month of waiting, the archiving was successful
Summary:
- Vulnerability Type: Broken authorization (IDOR). A logged-in user can modify or access the data or permissions of other users, including the administrator.
- Vulnerability Cause:
  - The system does not verify server-side that the requesting user is allowed to act on the requested account.
  - The target user ID travels in the request and is trusted as-is; it is neither protected nor checked against the session.
- Vulnerability Impact:
  - Data leakage and data tampering.
  - An attacker can take over the administrator account and perform arbitrary operations on the entire system.
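The password-change handler modelled below is an added illustration, not code from the original post or the affected CMS: it places the broken handler (target account taken from the client-supplied `id`, exactly the flaw exploited above) beside a corrected one that binds the target to the session and demands the current password. User table, field names (`id`, `oldPassword`, `newPassword`) and sample accounts are constructed here; the ids mirror the post.

```python
# Added example: minimal model of a password-change endpoint, vulnerable vs. fixed.
import hashlib
import hmac
import os

USERS: dict[int, dict] = {}   # constructed in-memory user table, keyed by sequential id
ALERTS: list[str] = []        # detection hook: id/session mismatches are recorded here


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(uid: int, loginname: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[uid] = {"loginname": loginname, "salt": salt, "hash": _hash(password, salt)}


def seed_demo_users() -> None:
    """Constructed accounts with the ids mentioned in the post (1 = admin, 4 and 5 = ordinary users)."""
    USERS.clear()
    ALERTS.clear()
    add_user(1, "admin", "AdminDemoPass")
    add_user(4, "admin123456", "Liuyichen123")
    add_user(5, "admin1234567", "Liuyichen123")


def verify_login(loginname: str, password: str) -> bool:
    for u in USERS.values():
        if u["loginname"] == loginname:
            return hmac.compare_digest(u["hash"], _hash(password, u["salt"]))
    return False


def change_password_vulnerable(session_uid: int, req: dict) -> bool:
    """Broken: trusts req['id'], so any logged-in user can reset any account, admin included."""
    target = USERS.get(req["id"])
    if target is None:
        return False
    target["salt"] = os.urandom(16)
    target["hash"] = _hash(req["newPassword"], target["salt"])
    return True


def change_password_fixed(session_uid: int, req: dict) -> bool:
    """Fixed: the target is always the session's own user, and the current password must be proven."""
    if req.get("id") != session_uid:
        ALERTS.append(f"uid {session_uid} tried to change password of id {req.get('id')}")
        return False
    target = USERS[session_uid]
    if not hmac.compare_digest(target["hash"], _hash(req.get("oldPassword", ""), target["salt"])):
        return False
    target["salt"] = os.urandom(16)
    target["hash"] = _hash(req["newPassword"], target["salt"])
    return True
```

The mismatch branch in the fixed handler is also the place to alert: a session acting on a different id than its own is exactly the request pattern this report describes.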