Ecshop /admin/get_password.php Password Recovery Secrect Code Which Can Predict Vulnerability

Andrew.Hann發表於2014-12-16

1. 漏洞描述
2. 漏洞觸發條件
3. 漏洞影響範圍
4. 漏洞程式碼分析
5. 防禦方法
6. 攻防思考

1. 漏洞描述

Ecshop提供了密碼找回功能，但是整個密碼找回流程中存在一些設計上的安全隱患

1. Ecshop程式使用了MD5不可逆加密演算法，但是計算密文的生成元素都有可以很輕易地被黑客拿到
/*
if (md5($adminid . $password) <> $code)
1. $adminid: 黑客顯式指定
2. $password: 暴力列舉
*/

2. 對重複失敗次數沒有做限制

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-024689

2. 漏洞觸發條件

HTTP Package Repeater

3. 漏洞影響範圍

1. ecshop 2.7.2
2. ecshop 2.7.3
3. ...

4. 漏洞程式碼分析

admin/get_password.php

...
/* 驗證新密碼，更新管理員密碼 */
    elseif (!empty($_POST['action']) && $_POST['action'] == 'reset_pwd')
    {
        $new_password = isset($_POST['password']) ? trim($_POST['password'])  : '';
        $adminid      = isset($_POST['adminid'])  ? intval($_POST['adminid']) : 0;
        $code         = isset($_POST['code'])     ? trim($_POST['code'])      : '';

        if (empty($new_password) || empty($code) || $adminid == 0)
        {
            ecs_header("Location: privilege.php?act=login\n");
            exit;
        }

        /* 以使用者的原密碼，與code的值匹配 */
        $sql = 'SELECT password FROM ' .$ecs->table('admin_user'). " WHERE user_id = '$adminid'";
        $password = $db->getOne($sql);

        /*
        這裡是漏洞的關鍵
        1. $adminid：黑客想要爆破攻擊重置密碼的物件
        2. $password：黑客通過密碼暴力列舉
        3. $code：黑客可以在本地使用相同的演算法進行計算得到
        */
        if (md5($adminid . $password) <> $code)
        {
            //此連結不合法
            $link[0]['text'] = $_LANG['back'];
            $link[0]['href'] = 'privilege.php?act=login';

            sys_msg($_LANG['code_param_error'], 0, $link);
        }
....

5. 防禦方法

這個漏洞屬於密碼學的抗窮舉設計缺陷，要對這個漏洞進行修復，同時要能保證對原有的業務進行平滑相容，我們可以從以下幾個方面去思考

1. 增加金鑰空間，提供攻擊者的攻擊成本：容易實現
2. 改變加密演算法，間接地提高了金鑰空間：需要對原有舊的密碼進行全量地升級，改造成本大

admin/get_password.php

 /* 以使用者的原密碼，與code的值匹配 */
$sql = 'SELECT password FROM ' .$ecs->table('admin_user'). " WHERE user_id = '$adminid'";
$password = $db->getOne($sql); 

if (md5($adminid . $password) <> $code)
{
    //此連結不合法
    $link[0]['text'] = $_LANG['back'];
    $link[0]['href'] = 'privilege.php?act=login';

    sys_msg($_LANG['code_param_error'], 0, $link);
}

//更新管理員的密碼
/*
這裡是pathc code的關鍵
程式碼中增加了隨機數的鹽，這極大地增加了黑客爆破的金鑰空間，提供了攻擊成本
*/
    $ec_salt=rand(1,9999);
$sql = "UPDATE " .$ecs->table('admin_user'). "SET password = '".md5(md5($new_password).$ec_salt)."',`ec_salt`='$ec_salt' ".
       "WHERE user_id = '$adminid'";

6. 攻防思考

[LeetCode] 1953. Maximum Number of Weeks for Which You Can Work
2024-05-16
LeetCode
wireshark error: There are no interfaces on which a capture can be done.
2018-01-16
ErrorAPT
dedecms /member/buy_action.php Weak Password Vulnerability Algorithm Vul
2015-05-19
PHPGo
leetcode 486. Predict the Winner
2024-10-03
LeetCode
plt.sca can control which subplot to apply plt methods
2020-12-21
APP
If you cannot remember your password for Recovery and Rescue for IBM Laptop‏
2009-04-15
REMIBMAPT
ASProtect V1.2脫殼――Asterisk Password Recovery XP
2015-11-15
AST
ORACLE中IN和OR誰更高效？【WHICH KEY WORD CAN GET BETTER PERFORMANCE? 】薦
2007-12-12
OracleORM
Visual Zip Password Recovery 4.0破解 (1千字)
2000-10-13
by which, in which, from which 語法區別
2016-02-12
【OCP最新題庫解析(052)--題6】Which structure can span multiple data files
2018-08-30
Struct
e.keyCode和e.which使用
2017-09-14
CMSEASY /lib/tool/front_class.php、/lib/default/user_act.php arbitrary user password reset vulnerability
2015-07-02
PHP
異常: 'ascii' codec can't encode characters
2014-12-04
ASCII
Python——UnicodeEncodeError: 'ascii' codec can't encode/decode characters
2018-11-28
PythonUnicodeErrorASCII
Adult PDF Password Recovery v2.1註冊演算法（簡單）
2015-11-15
演算法
python cx_Oracle: UnicodeEncodeError: 'ascii' codec can't encode characters
2019-10-11
PythonOracleUnicodeErrorASCII
Advanced PDF Password Recovery Pro 2.12的不完美破解 (12千字)
2003-05-20
請幫忙破解advanced rar password recovery 1.0 final (114字)
2000-07-22
破解Visual Zip Password Recovery Processor v3.2 初級 (3千字)
2000-02-27
THM-Vulnerability Capstone
2024-10-17
Python報錯：UnicodeDecodeError: 'gbk' codec can't decode byte ...
2018-06-12
PythonUnicodeError
pip install 報錯UnicodeDecodeError: 'ascii' codec can't decode byte
2017-05-09
UnicodeErrorASCII
Password Recovery Bundle Pro輕鬆恢復所有丟失密碼或忘記密碼
2022-01-23
密碼
ecshop漏洞修復以及如何加固ecshop網站安全
2018-10-22
網站
Python3解決UnicodeEncodeError: 'ascii' codec can't encode characters in position 0
2019-12-23
PythonUnicodeErrorASCII
Drupal - pre Auth SQL Injection Vulnerability
2020-08-19
SQL
PHP WDDX Serializier Data Injection Vulnerability
2020-08-19
PHP
jQuery event.which
2017-02-18
jQuery
Open Wifi SSID Broadcast vulnerability
2020-08-19
WiFiAST
Oracle WebLogic Default Password & Change Password
2010-12-08
OracleWeb
python報錯問題解決：'ascii' codec can't encode character
2016-09-21
PythonASCII
[ERROR] mysqld: Can‘t open shared library ‘/usr/local/mysql/lib/plugin/validate_password.so‘ (errno:
2020-10-19
ErrorMySqlPlugin
MyBB \inc\class_core.php <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution(Reverse Shell Exploit) Vulnerability
2016-01-25
PHPFunctionREM
提取ecshop的mysql類
2015-04-29
MySql
完善ecshop的mysql類
2015-04-30
MySql
BZOJ3659 : Which Dreamed It
2016-04-03
[leetcode] 1642. Furthest Building You Can Reach
2020-11-13
LeetCodeUI

Ecshop /admin/get_password.php Password Recovery Secrect Code Which Can Predict Vulnerability

相關文章