phpstcms (STCMS music system) backend authentication bypass - vulnerability warning - Black Bar Safety Net

2011-04-26T00:00:00
ID MYHACK58:62201130205
Type myhack58
Reporter 佚名 (anonymous)
Modified 2011-04-26T00:00:00

Description

Published by: the mind

Vulnerability type: backend authentication. Vulnerability analysis: a music system, 0-day! Leaving it on the hard disk would only let it go mouldy, so let's look at the code. The vulnerability is in the file "common.inc.php", as follows.

common.inc.php:

......

if (!in_array(substr(strrchr($_SERVER['PHP_SELF'], "/"), 1), array("login.php", "login.php?action=logined"))) {
    checkLogin();
}
// The above is the login check that gets bypassed; combine it with the IIS 6.0 parsing vulnerability, as you know.

......

Webmaster review:

First, some background: if the URL is http://www.baidu.com/fuck/bitch.php, then $_SERVER['PHP_SELF'] == '/fuck/bitch.php'.

The problem lies in this validation step, and the bypass actually exploits this awkward check.

First it cuts "/fuck/bitch.php" from the last "/" to the end of the string, which gives "bitch.php". Then it builds an array from "login.php?action=logined" and "login.php" and searches that array for "bitch.php"; if it is found, the login check is skipped......

How it is used: as the big shot "the mind" says, the "IIS 6.0 parsing vulnerability". For example, the backend address of the official demo site is "http://demo.phpstcms.com/admin/"; just request "http://demo.phpstcms.com/admin/" + "file name" + "/login.php" and the login is bypassed.

For example:

http://demo.phpstcms.com/admin/member.php/login.php
http://demo.phpstcms.com/admin/config.php/login.php
http://demo.phpstcms.com/admin/data.php/login.php
http://demo.phpstcms.com/admin/server.php/login.php
http://demo.phpstcms.com/admin/info.php/login.php
......

The addresses above are for demonstration only; do not use them for any illegal purpose. You act at your own risk!
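The following PHP is an added example, not code from phpstcms or from the advisory's author. It puts the check from common.inc.php beside a hardened version and runs both against constructed request values; the file paths, the SCRIPT_FILENAME values and the function names are assumptions made for the illustration.

```php
<?php
// Added example (not phpstcms code): the original check from common.inc.php
// next to a hardened replacement, run against constructed request values.

// Vulnerable form, as the advisory shows it: the last segment of PHP_SELF
// decides whether checkLogin() is skipped. PHP_SELF includes any PATH_INFO
// the client appended, so "/admin/member.php/login.php" ends in "login.php".
function isLoginPageVulnerable(string $phpSelf): bool
{
    $last = substr(strrchr($phpSelf, "/"), 1);
    // The second entry can never match: PHP_SELF never carries a query string.
    return in_array($last, array("login.php", "login.php?action=logined"), true);
}

// Hardened form: decide on the script the server actually executed, not on
// the client-controlled request path. SCRIPT_FILENAME is resolved by the web
// server to the real file and is not affected by trailing PATH_INFO segments
// (get_included_files()[0] gives the same answer from inside PHP).
function isLoginPageHardened(string $scriptFilename): bool
{
    return basename($scriptFilename) === "login.php";
}

// Constructed requests: [PHP_SELF, SCRIPT_FILENAME, must checkLogin() run?]
$requests = [
    ["/admin/login.php",            "/var/www/admin/login.php",  false],
    ["/admin/member.php",           "/var/www/admin/member.php", true],
    // PATH_INFO style request from the advisory: member.php runs, but
    // PHP_SELF ends in login.php, so the original check skips checkLogin().
    ["/admin/member.php/login.php", "/var/www/admin/member.php", true],
];

foreach ($requests as [$phpSelf, $scriptFilename, $mustCheck]) {
    $vulnSkips = isLoginPageVulnerable($phpSelf);
    $hardSkips = isLoginPageHardened($scriptFilename);
    printf("%-32s original: %-13s hardened: %s\n",
        $phpSelf,
        $vulnSkips ? "skips login" : "checks login",
        $hardSkips ? "skips login" : "checks login");
    // The hardened check must never skip checkLogin() on a non-login script.
    assert($hardSkips === !$mustCheck);
}
```

Run it with the PHP command-line interpreter; the third row is the one where the original check skips the login and the hardened one does not. An even simpler fix that depends on no server variable at all is for login.php itself to define a constant (for instance define('IN_LOGIN_PAGE', true)) before it includes common.inc.php, and for the include to skip checkLogin() only when that constant is defined; nothing in the request can influence that.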

How the PHP $_SERVER['PHP_SELF'] vulnerability arises:

This variable also has a cross-site scripting issue; search for "$_SERVER['PHP_SELF'] cross-site scripting attack".

Now the principle behind this vulnerability. First of all, a request such as http://www.baidu.com/test.php/...... is allowed by the web server, and many CMS and forum systems use this form to produce fixed URLs such as http://www.baidu.com/test.php/archive/999 when the server does not support rewriting. I previously thought this was handled through the 404 error page, so addresses with a "/" after the script name cannot be blocked at the web server.

Then look at how PHP fills $_SERVER['PHP_SELF']: it is the global variable holding the path of the current URL, and heaven knows what the user will type. In the example above it is malicious, but on the same site this kind of address can also be used legitimately. So the final conclusion falls on the developers, who do not handle user-supplied data carefully.
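As an added illustration of the principle described above (not code from the advisory or from phpstcms), the PHP below shows how a PATH_INFO style URL is reflected in PHP's server variables and why PHP_SELF has to be escaped before it is echoed into HTML. The server values are constructed to mirror what Apache with mod_php populates for GET /admin/member.php/login.php; they are not read from a real request, so the script runs from the command line.

```php
<?php
// Added example, not from the advisory: server variables for a PATH_INFO
// request, and an unsafe versus a safe way of reusing PHP_SELF in markup.
// Values are constructed (as for GET /admin/member.php/login.php under Apache).
$server = [
    'SCRIPT_NAME' => '/admin/member.php',            // script that ran, server's view
    'PATH_INFO'   => '/login.php',                   // trailing part supplied by the client
    'PHP_SELF'    => '/admin/member.php/login.php',  // SCRIPT_NAME . PATH_INFO: partly client-controlled
];

// The same mechanism lets a client append markup instead of a file name,
// e.g. GET /admin/member.php/"><b>injected</b> (constructed, harmless tags).
$serverInjected = $server;
$serverInjected['PATH_INFO'] = '/"><b>injected</b>';
$serverInjected['PHP_SELF']  = $server['SCRIPT_NAME'] . $serverInjected['PATH_INFO'];

// Vulnerable pattern: PHP_SELF dropped into an attribute verbatim, so the
// client-supplied PATH_INFO can close the attribute and the tag.
function formActionUnsafe(array $srv): string
{
    return '<form action="' . $srv['PHP_SELF'] . '">';
}

// Hardened pattern: use the server-resolved SCRIPT_NAME and escape it anyway.
// (Escaping PHP_SELF with htmlspecialchars also closes the XSS, but keeps the
// client-supplied path in the action.)
function formActionSafe(array $srv): string
{
    return '<form action="' . htmlspecialchars($srv['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8') . '">';
}

foreach ([$server, $serverInjected] as $srv) {
    echo "PATH_INFO  : {$srv['PATH_INFO']}\n";
    echo "PHP_SELF   : {$srv['PHP_SELF']}\n";
    echo "unsafe html: " . formActionUnsafe($srv) . "\n";
    echo "safe html  : " . formActionSafe($srv) . "\n\n";
}
```

The second iteration prints an unsafe form tag in which the injected markup has escaped the action attribute, while the safe variant never contains anything the client sent. In a real script the values come from $_SERVER, and the lesson is the one the review draws: PHP_SELF is request data and must be treated as such, both in access checks and in output.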