DreamArticle 3.0 backend validation logic flaw and injection vulnerability allow direct login to the backend - bug warning - the black bar safety net

2009-06-01T00:00:00
ID MYHACK58:62200923430
Type myhack58
Reporter Anonymous
Modified 2009-06-01T00:00:00

Description

Team: bbs.wolvez.org By q1ur3n

In admin/global.php there is the following piece of code, which implements the "remember password" function for logging in to the backend.

    $administrator = get_cookie("administrator");
    $adminpassword = get_cookie("adminpassword");
    if ($administrator && $adminpassword) {
        islogin($administrator, $adminpassword);          // both cookies present: validate them
    } else {
        unset($_SESSION['admincode']);
        set_cookie("admincode", "", time() - 31536000);   // expire all login cookies
        set_cookie("adminid", "", time() - 31536000);
        set_cookie("administrator", "", time() - 31536000);
        set_cookie("adminpassword", "", time() - 31536000);
        da_admin_login();                                 // show the login form
    }
    $admin = get_admin_info($administrator, $adminpassword);

get_cookie() is in /include/common.php:

    function get_cookie($name) {
        global $_COOKIE, $cookieprename;
        if (isset($_COOKIE[$cookieprename.$name])) {
            return urldecode($_COOKIE[$cookieprename.$name]);   // second decode of an already-decoded cookie
        }
        return FALSE;
    }

Note the extra urldecode(): PHP has already decoded the cookie once before magic_quotes_gpc runs, so a value such as %2527 arrives as %27, which gpc leaves alone (there is no quote yet to escape), and urldecode() then turns it into a literal single quote. That is how a single quote can be introduced past the gpc escaping.

islogin() is in admin/function.php:

    function islogin($username, $password) {
        global $DreamCMS;
        // Look up the stored password for $username ($username is interpolated unescaped).
        // As reproduced in the advisory the result is assigned to $password itself,
        // and the comparison below is written against the same variable.
        $password = $DreamCMS->db->get_var("SELECT password FROM #DC@__members WHERE username='{$username}'");
        if ($password != $password) {
            // Database password and submitted password differ: not an admin.
            $ISDreamCMSADMIN = FALSE;
            // Super-administrator check; DreamCMSAdmin is defined in the configuration file.
            if (md5(base64_encode('DreamCMS'.$username.'~! (*%)$!$~'.$password.'%#@)')) == DreamCMSAdmin) {
                $ISDreamCMSADMIN = TRUE;
            }
        }
        // Logic error: the programmer intended "if $username is empty, or $password is empty,
        // or $ISDreamCMSADMIN is FALSE, then log out", but forgot the ! in front of
        // $ISDreamCMSADMIN, so the condition is the opposite of what was meant. In other
        // words, even with a wrong password this function lets you through.
        if (empty($username) || empty($password) || $ISDreamCMSADMIN) {
            unset($_SESSION['admincode']);
            set_cookie("admincode", "", time() - 31536000);
            set_cookie("adminid", "", time() - 31536000);
            set_cookie("administrator", "", time() - 31536000);
            set_cookie("adminpassword", "", time() - 31536000);
            da_admin_login();
        }
    }

Now look at the line that follows, $admin = get_admin_info($administrator, $adminpassword);

    function get_admin_info($username, $password) {
        global $DreamCMS;
        // Both cookie values are interpolated into the query without escaping.
        $admin = $DreamCMS->db->get_row("SELECT * FROM #DC@__members WHERE username='{$username}' AND password='{$password}'");
        if (empty($admin)) {
            // Same super-administrator check as in islogin().
            if (md5(base64_encode('DreamCMS'.$username.'~! (*%)$!$~'.$password.'%#@)')) == DreamCMSAdmin) {
                $admin->uid = "1";
            }
        }
        $admin->info && $admin->info = unserialize($admin->info);
        return $admin;
    }

Here a wrong account name or password would normally mean no permissions, but remember that get_cookie() above can bypass the gpc escaping, so the query is injectable. I will not post the detailed usage or the exploit; work it out yourself. In a local test this goes straight into the backend. You can refer to http://delover.net/blogview.asp?logID=78&cateID=2
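For comparison, here is the login check written the way islogin() was evidently meant to work, with the inverted condition corrected and the interpolated query replaced by a prepared statement. This is an added example, not DreamArticle's code; the PDO handle, the plain "members" table and the DreamCMSAdmin placeholder value are assumptions.

```php
<?php
// Added example, not DreamArticle's code: intended islogin() logic with the
// missing ! corrected and the interpolated query replaced by a prepared
// statement. PDO handle, "members" table and the DreamCMSAdmin placeholder
// are assumptions.
declare(strict_types=1);

const DreamCMSAdmin = 'PLACEHOLDER-super-admin-hash'; // real value lives in the config

function is_super_admin(string $username, string $password): bool
{
    // Same derivation the advisory shows, compared in constant time
    // instead of with a loose ==.
    $h = md5(base64_encode('DreamCMS' . $username . '~! (*%)$!$~' . $password . '%#@)'));
    return hash_equals(DreamCMSAdmin, $h);
}

function check_admin_login(PDO $db, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }
    // Parameterised lookup: a quote smuggled in through urldecode() is plain
    // data here, so the magic_quotes bypass from the advisory no longer matters.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    // The advisory's table holds the password as-is; with stored hashes this
    // comparison would become password_verify().
    if ($stored !== false && hash_equals((string) $stored, $password)) {
        return true;
    }
    // The original tested "|| $ISDreamCMSADMIN" where "|| !$ISDreamCMSADMIN"
    // was intended, so a failed comparison still fell through as logged in.
    // Here a failed comparison leaves only the super-admin check.
    return is_super_admin($username, $password);
}

// Demo against an in-memory SQLite table with constructed data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE members (username TEXT, password TEXT)');
$db->exec("INSERT INTO members VALUES ('admin', 's3cret')");

var_dump(check_admin_login($db, 'admin', 's3cret'));
var_dump(check_admin_login($db, 'admin', 'wrong'));
var_dump(check_admin_login($db, "admin' --", 'wrong'));   // stray quote is just data
```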