DuomiCms
根据观察,管理用户界面是admin.php,于是打开
require_once(dirname(__FILE__).'/../duomiphp/common.php');
require_once(duomi_INC."/check.admin.php");
if(empty($dopost))
{
$dopost = '';
}
//检测安装目录安全性
if( is_dir(dirname(__FILE__).'/../install') )
{
if(!file_exists(dirname(__FILE__).'/../install/install_lock.txt') )
{
$fp = fopen(dirname(__FILE__).'/../install/install_lock.txt', 'w') or die('安装目录无写入权限,无法进行写入锁定文件,请安装完毕删除安装目录!');
fwrite($fp,'ok');
fclose($fp);
}
//为了防止未知安全性问题,强制禁用安装程序的文件
if( file_exists("../install/index.php") ) {
@rename("../install/index.php", "../install/index.php.bak");
}
}
//检测后台目录是否更名
$cururl = GetCurUrl();
if(m_eregi('/admin/login',$cururl))
{
$redmsg = '后台默认路径/admin建议及时修改,修改后会更安全!';
}
else
{
$redmsg = '';
}
//登录检测
$admindirs = explode('/',str_replace("\\",'/',dirname(__FILE__)));
$admindir = $admindirs[count($admindirs)-1];
if($dopost=='login')
{
$validate = empty($validate) ? '' : strtolower(trim($validate));
$svali = strtolower(GetCkVdValue());
if($validate=='' || $validate != $svali)
{
ResetVdValue();
ShowMsg('验证码不正确!','-1');
exit();
}
else
{
$cuserLogin = new userLogin($admindir);
if(!empty($userid) && !empty($pwd))
{
$res = $cuserLogin->checkUser($userid,$pwd);
//success
if($res==1)
{
$cuserLogin->keepUser();
if(!empty($gotopage))
{
ShowMsg('成功登录,正在转向管理管理主页!',$gotopage);
exit();
}
else
{
ShowMsg('成功登录,正在转向管理管理主页!',"index.php");
exit();
}
}
//error
else if($res==-1)
{
ShowMsg('你的用户名不存在!','-1');
exit();
}
else
{
ShowMsg('你的密码错误!','-1');
exit();
}
}
//password empty
else
{
ShowMsg('用户和密码没填写完整!','-1');
exit();
}
}
}
include('html/login.htm');
?>
发现要进入管理,则需要$res==1,
再查看包含的文件/check.admin.php
if(!defined('duomi_INC'))
{
exit("Request Error!");
}
session_start();
function CheckPurview()
{
if($GLOBALS['cuserLogin']->getUserRank()<>1)
{
ShowMsg("对不起,你没有权限执行此操作!
点击此返回上一页>>",'javascript:;');
exit();
}
}
$admincachefile = duomi_DATA.'/admin_'.cn_substr(md5($cfg_cookie_encode),24).'.php';
if(!file_exists($admincachefile))
{
$fp = fopen($admincachefile,'w');
fwrite($fp,'<'.'?php $admin_path ='." ''; ?".'>');
fclose($fp);
}
require_once($admincachefile);
class userLogin
{
var $userName = '';
var $userPwd = '';
var $userID = '';
var $adminDir = '';
var $groupid = '';
var $keepUserIDTag = "duomi_admin_id";
var $keepgroupidTag = "duomi_group_id";
var $keepUserNameTag = "duomi_admin_name";
//php5构造函数
function __construct($admindir='')
{
global $admin_path;
if(isset($_SESSION[$this->keepUserIDTag]))
{
$this->userID = $_SESSION[$this->keepUserIDTag];
$this->groupid = $_SESSION[$this->keepgroupidTag];
$this->userName = $_SESSION[$this->keepUserNameTag];
}
if($admindir!='')
{
$this->adminDir = $admindir;
}
else
{
$this->adminDir = $admin_path;
}
}
function userLogin($admindir='')
{
$this->__construct($admindir);
}
//检验用户是否正确
function checkUser($username,$userpwd)
{
global $dsql;
//只允许用户名和密码用0-9,a-z,A-Z,'@','_','.','-'这些字符
$this->userName = m_ereg_replace("[^0-9a-zA-Z_@!\.-]",'',$username);
$this->userPwd = m_ereg_replace("[^0-9a-zA-Z_@!\.-]",'',$userpwd);
$pwd = substr(md5($this->userPwd),5,20);
$dsql->SetQuery("Select * From `duomi_admin` where name like '".$this->userName."' and state='1' limit 0,1");
$dsql->Execute();
$row = $dsql->GetObject();
if(!isset($row->password))
{
return -1;
}
else if($pwd!=$row->password)
{
return -2;
}
else
{
$loginip = GetIP();
$this->userID = $row->id;
$this->groupid = $row->groupid;
$this->userName = $row->name;
$inquery = "update `duomi_admin` set loginip='$loginip',logintime='".time()."' where id='".$row->id."'";
$dsql->ExecuteNoneQuery($inquery);
return 1;
}
}
//保持用户的会话状态
//成功返回 1 ,失败返回 -1
function keepUser()
{
if($this->userID!=""&&$this->groupid!="")
{
global $admincachefile;
$_SESSION[$this->keepUserIDTag] = $this->userID;
$_SESSION[$this->keepgroupidTag] = $this->groupid;
$_SESSION[$this->keepUserNameTag] = $this->userName;
$fp = fopen($admincachefile,'w');
fwrite($fp,'<'.'?php $admin_path ='." '{$this->adminDir}'; ?".'>');
fclose($fp);
return 1;
}
else
{
return -1;
}
}
//结束用户的会话状态
function exitUser()
{
$_SESSION[$this->keepUserIDTag] = '';
$_SESSION[$this->keepgroupidTag] = '';
$_SESSION[$this->keepUserNameTag] = '';
}
//获得用户的权限值
function getgroupid()
{
if($this->groupid!='')
{
return $this->groupid;
}
else
{
return -1;
}
}
function getUserRank()
{
return $this->getgroupid();
}
//获得用户的ID
function getUserID()
{
if($this->userID!='')
{
return $this->userID;
}
else
{
return -1;
}
}
//获得用户名
function getUserName()
{
if($this->userName!='')
{
return $this->userName;
}
else
{
return -1;
}
}
}
在中间发现了session(在计算机上操作某个应用程序时,您打开它,做些更改,然后关闭它。这很像一次对话(Session)。计算机知道您是谁。它清楚您在何时打开和关闭应用程序。然而,在因特网上问题出现了:由于 HTTP 地址无法保持状态,Web 服务器并不知道您是谁以及您做了什么。session 解决了这个问题,它通过在服务器上存储用户信息以便随后使用(比如用户名称、购买商品等)。然而,会话信息是临时的,在用户离开网站后将被删除。如果您需要永久存储信息,可以把数据存储在数据库中。
Session 的工作机制是:为每个访客创建一个唯一的 id (UID),并基于这个 UID 来存储变量。UID 存储在 cookie 中,或者通过 URL 进行传导)
在admin_manager.php中,观察到进入管理权限的条件
于是我们伪造$_SESSION,根据前面定义的类,判断赋值duomi_admin_id=1,duomi_group_id=1,duomi_admin_name=admin,及
_SESSION[duomi_admin_id]=1&_SESSION[duomi_group_id]=1&_SESSION[duomi_admin_name]=admin
找到一个变量覆盖漏洞,不论哪个页面,只要有变量覆盖漏洞,我们能写入$_SESSION,那么就能对整个站生效。然后进入管理界面
