网站地图    收藏   

主页 > 入门引导 > 黑客攻防 >

易思ESPCMS设计缺陷可登录任意账号 - 网站安全

来源:自学PHP网    时间:2015-04-15 15:00 作者: 阅读:

[导读] 易思ESPCMS某处设计缺陷(验证过弱)可登录任意用户账号易思ESPCMS cookie存在设计缺陷我看下cookie都有哪些参数ecisp_home_seccodeecisp_member_usernameecisp_member_infofunction member_cookieview($keywo...

易思ESPCMS某处设计缺陷(验证过弱)可登录任意用户账号
 
易思ESPCMS cookie存在设计缺陷
 
我看下cookie都有哪些参数
 
ecisp_home_seccode
 
ecisp_member_username
 
ecisp_member_info
 
 
function member_cookieview($keyword = false) {

$retrunstr = array();

$retrunstr['username'] = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode);

$user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode));



list($retrunstr['userid'], $retrunstr['alias'], $retrunstr['integral'], $retrunstr['mcid'], $retrunstr['email'], $retrunstr['lastip'], $retrunstr['ipadd'], $retrunstr['useragent'], $retrunstr['adminclassurl']) = $user_info;



$retrunstr['userid'] = intval($retrunstr['userid']);

$retrunstr['integral'] = intval($retrunstr['integral']);

$retrunstr['mcid'] = intval($retrunstr['mcid']);



return !$keyword ? $retrunstr : $retrunstr[$keyword];

}


function in_center() {

if ($this->CON['mem_isucenter']) {

include_once admin_ROOT . 'public/uc_client/client.php';

}

parent::start_pagetemplate();

parent::member_purview();

$lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;

$db_where = "userid=$this->ec_member_username_id AND username='$this->ec_member_username' ";

echo $db_where;

$db_table1 = db_prefix . 'member AS a';

$db_table2 = db_prefix . 'member_value AS b';

$db_sql = "SELECT * FROM $db_table1 LEFT JOIN $db_table2 ON a.userid = b.userid  WHERE a.userid = $this->ec_member_username_id ";

$rsMember = $this->db->fetch_first($db_sql);

$rsMember['userid'] = $this->ec_member_username_id;



$rsMember['rankname'] = $this->get_member_purview($rsMember['mcid'], 'rankname');

$userid = intval($rsMember['userid']);

if (empty($userid)) {

exit('user err!');

}

$db_table = db_prefix . "order";



$db_where = " WHERE userid=$userid";



$db_where2 = " WHERE userid=$userid and ordertype=1";



$db_where3 = " WHERE userid=$userid and ordertype=3";

$this->pagetemplate->assign('ordernum', $this->db_numrows($db_table, $db_where));

$this->pagetemplate->assign('ordernum2', $this->db_numrows($db_table, $db_where2));

$this->pagetemplate->assign('ordernum3', $this->db_numrows($db_table, $db_where3));



$db_table = db_prefix . "bbs";

$db_where = " WHERE userid=$userid";



$this->pagetemplate->assign('messagenum', $this->db_numrows($db_table, $db_where));



$templatesDIR = $this->get_templatesdir('member');



$templatefilename = $lng . '/' . $templatesDIR . '/member_center';

$this->pagetemplate->assign('out', 'center');

$this->pagetemplate->assign('mlink', $this->mlink);

$this->pagetemplate->assign('member', $rsMember);

$this->pagetemplate->assign('path', 'member');

unset($rsMember, $mlink, $LANPACK, $this->lng);

$this->pagetemplate->display($templatefilename, 'center', false, null, admin_LNG);

}


ecisp_member_info的构成:

$this->fun->setcookie('ecisp_member_info', $this->fun->eccode("500|$rsMember[alias]|$rsMember[integral]|$rsMember[mcid]|$rsMember[email]|$rsMember[lastip]|$ipadd|" . md5($_SERVER['HTTP_USER_AGENT']) . '|' . md5(admin_ClassURL), 'ENCODE', db_pscode));

 

从代码中可以看出验证用户真正用到的是userid
 
也就是说cookie中ecisp_member_info真正起到作用的是userid部分
 
userid只占用了cookie ecisp_member_info字符串中很少的字符
 
而这一部分字符才是起到作用的,其他的无关紧要,这样的验证是不是很弱呢?
 
那我们是不是可以去爆破它呢?
 
我们拿官方演示站来做一下演示:
 






 
 
 
查询的 IP:36.40.79.103 来自:陕西省 电信
 
 
 
GeoIP: Xian, China
 
 
 
China Telecom
 
查询的 IP:123.138.71.191 来自:陕西省西安市 联通
 
 
 
GeoIP: Xian, China
 
 
 
China Unicom Shannxi province network
 
查询的 IP:123.245.145.94 来自:辽宁省 电信
 
 
 
GeoIP: Shenyang, China
 
 
 
GuangZhouWanGuanGuoJiMaoYiFaZhanYouXianGongSi-SY-L
 
 
 
userid部分 最少两个字符
 
理论上可以登录所有用户

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论