Today we are going to analyze a password reset vulnerability in a practice range (靶场)

This article is quite shallow; my white-box auditing is still very weak

Thanks for reading my first code audit

The tool used to set up this range: phpStudy

Download the range and add it as a site in phpStudy's website (domain) management



Use any port you want, as long as it is not 80

Then visit the site: www.a.com:3456



We open the range's back end

Because this is a password reset vulnerability, we log in directly with the universal password ' or 1# and capture the packet



I'm using Live HTTP Headers to capture the packets

After the packet is captured we copy these parameters:

user_name=11111&user_pass=1111

www.a.com:3456/checkUser.p…

The URL in the previous picture is not the real one because I captured the packet twice; www.a.com:3456/checkUser.p… is the real one

We click here:



Click Split URL and you get "username or password error"

We use the universal password: ' or 1#



Put the universal password in the username field and hit Split URL to log in

The login succeeds directly

Why does that happen?

Let’s go straight to the source code



I'm using PyCharm here; you can use any other editor

We find the checkUser.php file

And then we can see:

if(isset($_POST['user_name']) && isset($_POST['user_pass']))

The isset function checks whether a variable is set, and returns false if it does not exist

We can see that

$password = md5($password);

The password is hashed with MD5 before it is used

We could try putting the universal password in the password field instead



Obviously that does not work

We can see that the SQL statement is built and assigned to $sql; we can use var_dump to print it:

[![](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/57479ad0401f4e68b9850ab3df9c7342~tplv-k3u1fbpfcp-zoom-1.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-f8d1f243320bd98e846a5230da549a073e766fe3.png)

On the front end we see:

[![](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/052fc8b16d2d4bbfad52762e3c9f0150~tplv-k3u1fbpfcp-zoom-1.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-d91683dab73119e1c438604646ec71ea876c3946.png)

This is the SQL statement for the successful login:

string(98) "select * from users where user_name='XXXX' or 1#' and user_pass='6512bd43d9caa6e02c990b0a82652dca'"

This is the SQL statement for the failed login, with the universal password put in the password field:

[![](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/49d9f692a2c347d3a39855b1aaaa323a~tplv-k3u1fbpfcp-zoom-1.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-5af5c4cc326a4ee3c6552ec30aaa1ce4f152e175.png)

We can run the statement on the MySQL command line:

[![](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/5dea0b0fcc4a4645b2121b58215eb6cb~tplv-k3u1fbpfcp-zoom-1.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-2ff246ee3de32fd85e3e29afd887ca6f85657a32.png)

It executes successfully as-is.

We continue looking further down:

[![](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/6202d1b8493046638002c1868c9f3a6a~tplv-k3u1fbpfcp-zoom-1.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-ab9740f567280521190b97b3d2fee7b1fb8cc1ac.png)

Here a new mysql object is created. We look directly at the class:

[![](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/297d225855ee4a7db158982f620a5215~tplv-k3u1fbpfcp-zoom-1.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-d2627c1b0801ea57a374a2b096bb9cde1e2e637c.png)

mysql.class.php

[![](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/d21bec564f9047a38dfd49ca97c06268~tplv-k3u1fbpfcp-zoom-1.image)](https://shs3.b.qianxin.com/attack_forum/2021/07/attach-b69d720de7f2debb0616a7090537b905194b4bac.png)

Here the data is queried directly. This is the single-row query:

$res = $this->link->query($sql);
$row = $res->fetch_assoc();

So this is where the database is queried: it defines a function, and public is the access modifier

fetch_assoc() fetches a single row



Let's continue with var_dump



It returns three rows of data

Previously it used fetch_assoc(), which fetches one row at a time

You can experiment with this: when you log in with the universal password, it is the first row that comes back, not the second. But that's all for this simple code walkthrough
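To make the behaviour observed in this walkthrough reproducible offline, here is an added Python example (it is not the range's PHP code and not the post author's). It rebuilds the query the same way checkUser.php does (raw user_name concatenated, password run through md5), executes it against a constructed three-row SQLite users table, and places the parameterised version beside it. SQLite has no MySQL-style `#` comment, so a small helper emulates that one MySQL rule; the seed rows and all function names are assumptions for the example.

```python
import hashlib
import sqlite3

# Constructed sample rows standing in for the range's `users` table (not its real data).
SEED_USERS = [("admin", "admin123"), ("alice", "11"), ("bob", "hunter2")]


def md5_hex(text: str) -> str:
    """checkUser.php runs the submitted password through md5() before building the query."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory table with the two columns the range's query filters on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user_name text, user_pass text)")
    conn.executemany("insert into users values (?, ?)",
                     [(u, md5_hex(p)) for u, p in SEED_USERS])
    conn.commit()
    return conn


def build_vulnerable_sql(user_name: str, user_pass: str) -> str:
    """Same shape as the range's $sql: user_name spliced in raw, password hashed first."""
    return ("select * from users where user_name='" + user_name
            + "' and user_pass='" + md5_hex(user_pass) + "'")


def strip_mysql_hash_comment(sql: str) -> str:
    """MySQL treats '#' outside a string literal as a comment to end of line; SQLite does not.
    Emulate that rule so the page's payload behaves here as it does against the range.
    (Toy scanner: understands '' quoting only, not backslash escapes.)"""
    kept, in_string = [], False
    for ch in sql:
        if ch == "'":
            in_string = not in_string
        elif ch == "#" and not in_string:
            break
        kept.append(ch)
    return "".join(kept)


def vulnerable_login(conn, user_name, user_pass):
    """Mirrors $res = $this->link->query($sql); $row = $res->fetch_assoc();
    Returns the user_name of the first matching row, or None."""
    sql = strip_mysql_hash_comment(build_vulnerable_sql(user_name, user_pass))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, user_name, user_pass):
    """Hardened form: placeholders keep the input as data, so the quote and '#' never
    reach the SQL parser. (Unsalted MD5 is a separate weakness; password_hash()/bcrypt
    would replace it, but that is outside the injection fix shown here.)"""
    row = conn.execute(
        "select user_name from users where user_name=? and user_pass=?",
        (user_name, md5_hex(user_pass)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The same string shape the page's var_dump shows: ...user_name='' or 1#' and user_pass='<md5>'
    print(build_vulnerable_sql("' or 1#", "1111"))
    print(vulnerable_login(db, "' or 1#", "1111"))   # first row of the table, as the page observes
    print(vulnerable_login(db, "11111", "' or 1#"))  # None: the payload was hashed away by md5()
    print(safe_login(db, "' or 1#", "1111"))         # None: the quote stays inside the parameter
    print(safe_login(db, "alice", "11"))             # only real credentials match
```

Running the script shows why the payload only works in the username field: after `'` closes the literal, `or 1` makes the WHERE clause true for every row and `#` discards the rest, so fetch_assoc-style single-row reads hand back whatever row the database returns first; in the password field the same text is hashed into hex before it ever touches the query. With placeholders the whole payload is compared as a literal user_name and matches nothing.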

Because I really can't do white-box auditing, all I can manage is a watery article, heh heh heh