>espcms最新版V6.4.15.08.25任意用户登录 | 安全盒子

出现在用户登录处

/interface/memebermain.php中

code 区域

 function in_center() {   if ($this-&gt;CON[‘mem_isucenter’]) {    include_once admin_ROOT . ‘public/uc_client/client.php’;   }   parent::start_pagetemplate();   parent::member_purview();   $lng = (admin_LNG == ‘big5’) ? $this-&gt;CON[‘is_lancode’] : admin_LNG;   $db_where = “userid=$this-&gt;ec_member_username_id AND username=’$this-&gt;ec_member_username’ “;   $db_table1 = db_prefix . ‘member AS a’;   $db_table2 = db_prefix . ‘member_value AS b’;   $db_sql = “SELECT * FROM $db_table1 LEFT JOIN $db_table2 ON a.userid = b.userid  WHERE a.userid = $this-&gt;ec_member_username_id “;   $rsMember = $this-&gt;db-&gt;fetch_first($db_sql);   $rsMember[‘userid’] = $this-&gt;ec_member_username_id;    $rsMember[‘rankname’] = $this-&gt;get_member_purview($rsMember[‘mcid’], ‘rankname’);   $userid = intval($rsMember[‘userid’]);   if (empty($userid)) {    exit(‘user err!’);   }

function in_center() {

if ($this–>CON[‘mem_isucenter’]) {

include_once admin_ROOT . ‘public/uc_client/client.php’;

}

parent::start_pagetemplate();

parent::member_purview();

$lng = (admin_LNG == ‘big5’) ? $this–>CON[‘is_lancode’] : admin_LNG;

$db_where = “userid=$this->ec_member_username_id AND username=’$this->ec_member_username’ “;

$db_table1 = db_prefix . ‘member AS a’;

$db_table2 = db_prefix . ‘member_value AS b’;

$db_sql = “SELECT * FROM $db_table1 LEFT JOIN $db_table2 ON a.userid = b.userid WHERE a.userid = $this->ec_member_username_id “;

$rsMember = $this–>db–>fetch_first($db_sql);

$rsMember[‘userid’] = $this–>ec_member_username_id;

$rsMember[‘rankname’] = $this–>get_member_purview($rsMember[‘mcid’], ‘rankname’);

$userid = intval($rsMember[‘userid’]);

if (empty($userid)) {

exit(‘user err!’);

}

espcms验证用户信息的都是采用cookie验证uid的，只要可以伪造就可以任意登录

我们跟踪一下uid的处理方式

code 区域

 $db_where = “userid=$this-&gt;ec_member_username_id AND username=’$this-&gt;ec_member_username’ “;

1	$db_where = “userid=$this->ec_member_username_id AND username=’$this->ec_member_username’ “;

这里同时验证了uid和用户名带入数据库查询看是否同一行

我们跟踪下处理uid的函数

在/public/class_connector.php

code 区域

 tion member_purview($userrank = false, $url = null, $upurl = false) {   $this-&gt;ec_member_username = $this-&gt;fun-&gt;eccode($this-&gt;fun-&gt;accept(‘ecisp_member_username’, ‘C’), ‘DECODE’, db_pscode);   $user_info = explode(‘|’, $this-&gt;fun-&gt;eccode($this-&gt;fun-&gt;accept(‘ecisp_member_info’, ‘C’), ‘DECODE’, db_pscode));   list($ec_member_username_id, $this-&gt;ec_member_alias, $ec_member_integral, $ec_member_mcid, $this-&gt;ec_member_email, $this-&gt;ec_member_lastip, $this-&gt;ec_member_ipadd, $this-&gt;ec_member_useragent, $this-&gt;ec_member_adminclassurl) = $user_info;   $this-&gt;ec_member_username_id = intval($ec_member_username_id);   $this-&gt;ec_member_integral = intval($ec_member_integral);   $this-&gt;ec_member_mcid = intval($ec_member_mcid);

tion member_purview($userrank = false, $url = null, $upurl = false) {

$this–>ec_member_username = $this–>fun–>eccode($this–>fun–>accept(‘ecisp_member_username’, ‘C’), ‘DECODE’, db_pscode);

$user_info = explode(‘|’, $this–>fun–>eccode($this–>fun–>accept(‘ecisp_member_info’, ‘C’), ‘DECODE’, db_pscode));

list($ec_member_username_id, $this–>ec_member_alias, $ec_member_integral, $ec_member_mcid, $this–>ec_member_email, $this–>ec_member_lastip, $this–>ec_member_ipadd, $this–>ec_member_useragent, $this–>ec_member_adminclassurl) = $user_info;

$this–>ec_member_username_id = intval($ec_member_username_id);

$this–>ec_member_integral = intval($ec_member_integral);

$this–>ec_member_mcid = intval($ec_member_mcid);

用户名是取了cookie的值可以控制

code 区域

 $this-&gt;ec_member_username = $this-&gt;fun-&gt;eccode($this-&gt;fun-&gt;accept(‘ecisp_member_username’, ‘C’), ‘DECODE’, db_pscode);

1	$this–>ec_member_username = $this–>fun–>eccode($this–>fun–>accept(‘ecisp_member_username’, ‘C’), ‘DECODE’, db_pscode);

code 区域

 $this-&gt;ec_member_username_id = intval($ec_member_username_id);

1	$this–>ec_member_username_id = intval($ec_member_username_id);

但uid值被intval

就是这个intval帮我们达到任意登录的效果

首先我们想注册个4开头后面加任意字母，后面不能是数字什么的

然后我们登录

然后查看cookie找到username的值

code 区域

 nRaNsMCyeu1Rjg2Z3Ms6sNbPYrrvtEhR0HduulhHBWo=

1	nRaNsMCyeu1Rjg2Z3Ms6sNbPYrrvtEhR0HduulhHBWo=

然后用这个值覆盖到info的值

这个info的值是验证uid用的

最后刷新就可以登录uid为4这个用户了

可以看到登录成功了

————————————

原理是什么呢，intval起了什么效果呢？

我们的用户名是4test，然后变cookie值是加密过的

把这个值放在处理uid的语句上

就是

code 区域

 $userid=$this-&gt;ec_member_username_id=intval(‘4test’)=4

1	$userid=$this–>ec_member_username_id=intval(‘4test’)=4

为什么登录4呢，因为php是弱类型的语言，所以intval就会把4test理解成4

那样就覆盖了原来的uid，然后就可以任意登录用户了

xxx

xxx站点

>espcms最新版V6.4.15.08.25任意用户登录 | 安全盒子