Java code audit: vertical privilege escalation (unauthorized access) vulnerability analysis

Look at the "add administrator" page in this CMS's backend.

Click "Add administrator".

This module is available only to administrators; ordinary users do not see it.

Open the source code and check whether the module can be reached without the required authorization.


Form code

<form name="adminForm" id="adminForm">
    <input type="hidden" name="item" value="${item}" />
    <table border="0" cellpadding="0" cellspacing="0" class="table_c1">
        <tr>
            <td class="label_c" width="15%"><label><fmt:message key="username" bundle="${messagesBundle}"/>:</label></td>
            <td width="85%">
                <c:if test="${item==null}">
                    <input type="text" value="${admin.username}" name="username" id="username" class="wid_80"/>
                </c:if>
                <c:if test="${item!=null}">
                    <input type="text" readonly value="${admin.username}" name="username" id="username" class="wid_80"/>
                </c:if>
            </td>
        </tr>
        <tr>
            <td class="label_c"><label>Name:</label></td>
            <td>
                <input type="text" value="${admin.adminName}" name="name" id="name" class="wid_80"/>
            </td>
        </tr>
        <tr>
            <td class="label_c"><label><fmt:message key="sex" bundle="${messagesBundle}"/>:</label></td>
            <td>
                <select name="sex" id="sex">
                    <option value="">--Please select--</option>
                    <option value="Male">Male</option>
                    <option value="Female">Female</option>
                </select>
            </td>
        </tr>
        <tr>
            <td class="label_c"><label><fmt:message key="role" bundle="${messagesBundle}"/>:</label></td>
            <td>
                <select name="role" id="role">
                    <option value="">--Please select--</option>
                    <c:forEach items="${roleList}" var="role" varStatus="status">
                        <option value="${role.id}">${role.name}</option>
                    </c:forEach>
                </select>
            </td>
        </tr>
        <tr>
            <td class="label_c"><label><fmt:message key="qq" bundle="${messagesBundle}"/>:</label></td>
            <td>
                <input type="text" name="qq" id="qq" value="${admin.qq}" class="wid_80"/>
            </td>
        </tr>
    </table>
</form>
<!-- Form floating layer submission -->
<div class="right_bottom_btnlist">
    <ul>
        <li>
            <input type="submit" value="<fmt:message key="submit" bundle="${messagesBundle}"/>" class="button-2 vcenter" onclick="add()"/>
        </li>
    </ul>
</div>

Look at the JS code that sends the POST request.

<script>
    function add() {
        // requree_name / requree_length are the CMS's own client-side validators: they appear to
        // check that the field is filled in and that its length is within the given range.
        // These checks run in the browser only; the server cannot rely on them.
        var username = requree_name("username") && requree_length("username", 6, 20);
        var name = requree_name("name") && requree_length("name", 2, 20);
        var role = document.getElementById("role").value;
        if (!username) {
            layer.alert("User name is required, limited to 6~20 characters");
        } else if (!name) {
            layer.alert("Please enter your name, limited to 2~20 characters");
        } else if (role == "" || role == null) {
            layer.alert("Please set the role!");
        } else {
            var params = $('#adminForm').serialize();
            $.ajax({
                url: "<%=basePath%>admin/addAdmin", // backend handler
                type: 'post',                      // HTTP method
                dataType: 'json',
                data: params,                      // serialized form fields
                success: function (data) {
                    alert(data.tip);
                    parent.window.location.reload();
                }
            });
        }
    }
    document.getElementById("role").value = "${admin.role}";
    document.getElementById("sex").value = "${admin.adminSex}";
    var height = $(window).height();
    $(".middle_cnt_c2").height(height - 80);
    $(window).resize(function () { // when the browser window is resized
        var height = $(window).height();
        $(".middle_cnt_c2").height(height - 80);
    });
</script>

From the URL the form submits to, <%=basePath%>admin/addAdmin, locate the backend source code.

import java.io.IOException;
import java.io.PrintWriter;
import java.sql.SQLException;
import java.util.Locale;
import java.util.ResourceBundle;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
// AdminService and Md5Util are the project's own classes (assumed to live in the same package).

/* @WebServlet declares this class as a Servlet of the web application. Its parameters:
   displayName: the Servlet's display name, shown in the web application's management interface;
   name: the Servlet's name, a unique identifier used when the web application references it;
   urlPatterns: the URL patterns mapped to the Servlet, given as an array of strings.
   Here the Servlet is mapped to /admin/addAdmin, so whenever a user requests that URL the
   container hands the request to the AddAdmin Servlet. */
@WebServlet(
    displayName = "Add Administrator",
    name = "AddAdmin",
    urlPatterns = {"/admin/addAdmin"}
)
public class AddAdmin extends HttpServlet {
    public AddAdmin() {
    }

    public void destroy() {
        super.destroy();
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    }

    public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        // AdminService is the project's own service class: it holds the administrator business
        // logic (creating and updating accounts, and so on) that this Servlet calls.
        AdminService as = new AdminService();
        // Obtain the session bound to this request and read its "user" attribute.
        // getSession(true) creates a new session if none exists (getSession(false) would return
        // null instead). getAttribute("user") returns null if the attribute is not set.
        // Session data is stored server-side and stays accessible for the whole session.
        HttpSession session = request.getSession(true);
        Object user = session.getAttribute("user");
        String json = "";
        String id = request.getParameter("item");
        String admin_username = request.getParameter("username");
        // Every newly created administrator receives the fixed default password 123456.
        String admin_passbak = "123456";
        String admin_pass = Md5Util.getMD5Str(admin_passbak);
        String admin_name = request.getParameter("name");
        String admin_sex = request.getParameter("sex");
        String admin_role = request.getParameter("role");
        String qq = request.getParameter("qq");
        Locale loc = new Locale("zh", "CN");
        ResourceBundle rb = ResourceBundle.getBundle("messages", loc);
        String adminTip = rb.getString("adminTip");

        String flag = "";
        if (user == null) {
            RequestDispatcher rd = request.getRequestDispatcher("/WEB-INF/login.jsp");
            request.setAttribute("tip", adminTip);
            rd.forward(request, response);
        } else {
            // Only the presence of a session user is checked; the user's role is never examined.
            boolean f = false;
            if (id != null && !id.equals("") && !id.equals("undefined")) {
                if (!admin_username.trim().equals("")) {
                    // updateAdmin runs with a client-controlled id (probably a unique key) and
                    // without any role check: this is the unauthorized-access vulnerability.
                    flag = as.updateAdmin(id, admin_role, admin_name, admin_sex, qq);

                    if (flag.equals("ok")) {
                        json = "{\"tip\":\"" + rb.getString("modify") + rb.getString("success") + "\"}";
                    } else {
                        json = "{\"tip\":\"" + rb.getString("modify") + rb.getString("failure") + "\"}";
                    }
                } else {
                    json = "{\"tip\":\"" + rb.getString("name") + rb.getString("not") + rb.getString("empty") + "\"}";
                }
            } else if (!admin_username.trim().equals("")) {
                try {
                    f = as.geyUser(admin_username);
                } catch (SQLException var22) {
                    var22.printStackTrace();
                }

                if (f) {
                    flag = as.saveAdmin(admin_username, admin_pass, admin_passbak, admin_role, admin_name, admin_sex, qq);
                    if (flag.equals("ok")) {
                        json = "{\"tip\":\"" + rb.getString("add") + rb.getString("success") + "," + rb.getString("default") + rb.getString(" password") + ":123456\"}";
                    } else {
                        json = "{\"tip\":\"" + rb.getString("add") + rb.getString("failure") + "\"}";
                    }
                } else {
                    json = "{\"tip\":\"" + rb.getString("username") + rb.getString("already") + rb.getString("there") + "\"}";
                }
            } else {
                json = "{\"tip\":\"" + rb.getString("name") + rb.getString("not") + rb.getString("empty") + "\"}";
            }

            out.print(json);
        }

    }

    public void init() throws ServletException {
    }
}

The controller then calls updateAdmin with the client-supplied id, which is probably the record's unique key, so whoever reaches this Servlet chooses which administrator record is modified.

Before executing updateAdmin, the Servlet never verifies the caller's identity or permissions (that the caller is an administrator). It only checks that some "user" exists in the current session, so any logged-in account, including an ordinary user, can execute updateAdmin, and every parameter passed to it is under the user's control. This is a vertical privilege escalation (unauthorized access) vulnerability.

Exploitation
Forge an HTTP request to this interface: set the Cookie header to an ordinary user's session cookie, fill the request body with the desired data (the new administrator's details), and send it.

Summary
Whether the risk is vertical or horizontal privilege escalation, the server must re-verify the user's identity and permissions on every sensitive request. For sensitive values such as the id, avoid exposing unique key values to the front end.
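As an added example (not the CMS's own code), a servlet Filter that performs the server-side role check the audit found missing, applied to every URL under /admin/ rather than inside one servlet. It assumes the javax.servlet API that AddAdmin uses, a hypothetical User class stored under the "user" session attribute, and "admin" as the administrator role name; none of these are shown on the page.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;

// Added example, not the CMS's own code: enforces the authorization check that
// AddAdmin lacks on every /admin/* request, so no single servlet can forget it again.
@WebFilter(filterName = "AdminAuthzFilter", urlPatterns = {"/admin/*"})
public class AdminAuthzFilter implements Filter {

    /** Assumption: the "user" session attribute is an instance of this hypothetical class. */
    public static class User {
        private final String role;
        public User(String role) { this.role = role; }
        public String getRole() { return role; }
    }

    static final String ADMIN_ROLE = "admin"; // assumed role name; adapt to the real model

    /** Pure decision, kept free of servlet plumbing so it can be unit-tested directly. */
    static boolean isAdministrator(Object sessionUser) {
        return sessionUser instanceof User && ADMIN_ROLE.equals(((User) sessionUser).getRole());
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false); // do not create a session just to inspect it
        Object user = (session == null) ? null : session.getAttribute("user");

        if (user == null) {           // not logged in at all
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!isAdministrator(user)) { // logged in, but not an administrator: the check AddAdmin lacks
            request.getServletContext().log("Denied /admin request for a non-admin session user");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);     // authorized: continue to AddAdmin and the other admin servlets
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

The logged denial is worth forwarding to monitoring: repeated 403s on /admin/* from one ordinary account are exactly the signal this vulnerability would otherwise leave unrecorded.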