catalog
1. 漏洞描述 2. 漏洞觸發條件 3. 漏洞影響範圍 4. 漏洞程式碼分析 5. 防禦方法 6. 攻防思考
1. 漏洞描述
Relevant Link:
2. 漏洞觸發條件
3. 漏洞影響範圍
4. 漏洞程式碼分析
/interface/memebermain.php
function in_center() { if ($this->CON['mem_isucenter']) { include_once admin_ROOT . 'public/uc_client/client.php'; } parent::start_pagetemplate(); parent::member_purview(); $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG; //espcms驗證使用者資訊的都是採用cookie驗證uid的,只要可以偽造就可以任意登入 $db_where = "userid=$this->ec_member_username_id AND username='$this->ec_member_username' "; $db_table1 = db_prefix . 'member AS a'; $db_table2 = db_prefix . 'member_value AS b'; $db_sql = "SELECT * FROM $db_table1 LEFT JOIN $db_table2 ON a.userid = b.userid WHERE a.userid = $this->ec_member_username_id "; $rsMember = $this->db->fetch_first($db_sql); $rsMember['userid'] = $this->ec_member_username_id; $rsMember['rankname'] = $this->get_member_purview($rsMember['mcid'], 'rankname'); $userid = intval($rsMember['userid']); if (empty($userid)) { exit('user err!'); } ..
繼續跟蹤一下uid的處理方式
/public/class_connector.php
function member_purview($userrank = false, $url = null, $upurl = false) { $this->ec_member_username = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode); if (!preg_match("/^[^!@~`\'\"#\$\%\^&\*\(\)\+\-\{\}\[\]\|\\/\?\<\>\,\.\:\;]{2,30}$/i", $this->ec_member_username) && !empty($this->ec_member_username)) { $this->fun->setcookie('ecisp_member_username', false); $this->fun->setcookie('ecisp_member_info', false); $linkURL = $this->get_link('memberlogin', array(), admin_LNG); header('location:' . $linkURL); exit(); } //使用者名稱是取了cookie的值可以控制 $user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode)); list($ec_member_username_id, $this->ec_member_alias, $ec_member_integral, $ec_member_mcid, $this->ec_member_email, $this->ec_member_lastip, $this->ec_member_ipadd, $this->ec_member_useragent, $this->ec_member_adminclassurl) = $user_info; //黑客利用intvul實現"截斷注入"的效果,通過傳送一個例如"test4"的賬戶名,被截斷後得到4,黑客利用該特點實現任意使用者登入 $this->ec_member_username_id = intval($ec_member_username_id); $this->ec_member_integral = intval($ec_member_integral); $this->ec_member_mcid = intval($ec_member_mcid); if (empty($this->ec_member_username) && empty($this->ec_member_username_id) && md5(admin_AGENT) != $this->ec_member_useragent && md5(admin_ClassURL) != $this->ec_member_adminclassurl) { $this->condition = 0; if ($url) { $this->fun->setcookie('ecisp_login_link', $url, 3600); } elseif ($upurl) { $nowurl = 'http://' . $_SERVER["HTTP_HOST"] . $this->fun->request_url(); $this->fun->setcookie('ecisp_login_link', $nowurl, 3600); } $linkURL = $this->get_link('memberlogin', array(), admin_LNG); $mlink = $this->memberlink(array(), admin_LNG); $this->callmessage($this->lng['memberloginerr'], $linkURL, $this->lng['memberlogin'], 1, $this->lng['member_regbotton'], 1, $mlink['reg']); } else { $this->condition = 1; if ($this->ec_member_mcid < $userrank && $userrank) { $linkURL = $this->get_link('memberlogin', array(), admin_LNG); $this->callmessage($this->lng['memberpuverr'], $linkURL, $this->lng['gobackurlbotton']); } } return $this->condition; }
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2015-0142913
5. 防禦方法
/public/class_connector.php
function member_purview($userrank = false, $url = null, $upurl = false) { $this->ec_member_username = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode); if (!preg_match("/^[^!@~`\'\"#\$\%\^&\*\(\)\+\-\{\}\[\]\|\\/\?\<\>\,\.\:\;]{2,30}$/i", $this->ec_member_username) && !empty($this->ec_member_username)) { $this->fun->setcookie('ecisp_member_username', false); $this->fun->setcookie('ecisp_member_info', false); $linkURL = $this->get_link('memberlogin', array(), admin_LNG); header('location:' . $linkURL); exit(); } //使用者名稱是取了cookie的值可以控制 $user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode)); list($ec_member_username_id, $this->ec_member_alias, $ec_member_integral, $ec_member_mcid, $this->ec_member_email, $this->ec_member_lastip, $this->ec_member_ipadd, $this->ec_member_useragent, $this->ec_member_adminclassurl) = $user_info; /**/ if (is_numeric($ec_member_username_id) == FALSE) { die("request error"); } /**/ //黑客利用intvul實現"截斷注入"的效果,通過傳送一個例如"test4"的賬戶名,被截斷後得到4,黑客利用該特點實現任意使用者登入 $this->ec_member_username_id = intval($ec_member_username_id); $this->ec_member_integral = intval($ec_member_integral); $this->ec_member_mcid = intval($ec_member_mcid); ...
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved