[Vulnerability reproduction] zzcms8.2 | arbitrary user password reset | del.php time-based blind injection | reproduction

Posted by fierce at 2020-02-26

This morning seebug published a new batch of vulnerabilities,

and I noticed that many people were digging into zzcms8.2, so I quietly set off down the road of reproducing them (I didn't click in to buy the details, so I had to go through all this trouble ~)

Environment: zzcms8.2 (product investment-promotion edition), mysql-5.5.53

01x1 Arbitrary user password reset, method 1

Strictly speaking, this vulnerability should be titled "arbitrary front-end user password reset"; the back-end administrator's password cannot be reset this way. Maybe that is a problem with my reproduction ~~

First register an account, then click "retrieve password" on the home page.

Address: http://localhost/one/getpassword.php


There is also user enumeration here: if the user exists, the front page returns the "correct" status shown above.



Back to the topic: enter the verification code and click Next to reach the next step.


There is no need to click "get verification code"; enter any number, click Next directly and capture the request.


Capture the response.


Change no to yes and forward it; you will notice that the front page has not changed much.

Looking at the capture tool again, you will see this request.


This is obviously the "verification code succeeded" request; forward it directly.

Enter the new password and reset it directly.

Reset succeeded.

01x2 Arbitrary user password reset, method 2

This one is the simplest; no packet capture is needed at all.

Using the demo site for the test.


Next step,

You will see this; then do not choose a verification method, do not click "get verification code", enter any number, and click Next directly.

Be sure to type quickly, otherwise the back-end verification will come back and display a red warning like the one below.

Click Next before the red warning appears.

It goes straight to the change-password page.
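Both methods above work for the same reason: the server lets the front end drive the reset steps and never ties the password change to a verification it performed itself. As an added illustration that is not zzcms code (class and method names are hypothetical), here is that flawed flow modelled beside a version that keeps the verified state on the server:

```python
import hmac, secrets, time

class ClientDrivenReset:
    # Flawed model: the browser reports "verification succeeded" (the request seen
    # after flipping no -> yes) and the server advances without checking any code.
    def __init__(self, users):
        self.users, self.step = users, {}        # users: {name: password}
    def start(self, name):
        if name not in self.users:
            return False                         # also leaks account existence
        self.step[name] = 1
        return True
    def code_ok(self, name):                     # hit by the front end after "yes"
        self.step[name] = 2                      # no code is ever compared here
    def set_password(self, name, new_pw):
        if self.step.get(name) != 2:
            raise PermissionError("verification step not reached")
        self.users[name] = new_pw
        return True

class ServerVerifiedReset:
    # Hardened model: the server generates the code, checks it itself (expiry and
    # attempt cap), and only then issues a one-time reset token the client must hold.
    TTL, MAX_TRIES = 600, 5
    def __init__(self, users, send):
        self.users, self.send = users, send      # send(name, code) delivers out-of-band
        self.pending, self.tokens = {}, {}
    def start(self, name):
        if name in self.users:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[name] = [code, time.time() + self.TTL, 0]
            self.send(name, code)
        return "If the account exists, a code has been sent"  # same reply either way
    def verify(self, name, code):
        entry = self.pending.get(name)
        if entry is None or time.time() > entry[1] or entry[2] >= self.MAX_TRIES:
            return None
        entry[2] += 1
        if not hmac.compare_digest(entry[0].encode(), str(code).encode()):
            return None
        del self.pending[name]                   # a code is good for one success only
        token = secrets.token_urlsafe(32)
        self.tokens[token] = name
        return token
    def set_password(self, token, new_pw):
        name = self.tokens.pop(token, None)      # token is single use
        if name is None:
            raise PermissionError("no verified reset for this token")
        self.users[name] = new_pw
        return True
```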

The del.php time-based blind injection was published by an expert on FreeBuf; I'll do a brief analysis.

Line 13 of user/del.php

Here the two POST parameters are taken without any sanitisation and formatted straight into a string after being passed in.

Then on to line 136.

They are brought straight into the query. Pasting the expert's PoC: