espcms /public/class_connector.php intval truncation Vul Arbitrary User Login

catalog

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

 

1. 漏洞描述

Relevant Link:
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析

/interface/memebermain.php

function in_center() 
{
    if ($this->CON['mem_isucenter']) 
    {
        include_once admin_ROOT . 'public/uc_client/client.php';
    }
    parent::start_pagetemplate();
    parent::member_purview();
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    //espcms验证用户信息的都是采用cookie验证uid的，只要可以伪造就可以任意登录
    $db_where = "userid=$this->ec_member_username_id AND username='$this->ec_member_username' ";
    $db_table1 = db_prefix . 'member AS a';
    $db_table2 = db_prefix . 'member_value AS b';
    $db_sql = "SELECT * FROM $db_table1 LEFT JOIN $db_table2 ON a.userid = b.userid  WHERE a.userid = $this->ec_member_username_id ";
    $rsMember = $this->db->fetch_first($db_sql);
    $rsMember['userid'] = $this->ec_member_username_id;

    $rsMember['rankname'] = $this->get_member_purview($rsMember['mcid'], 'rankname');
    $userid = intval($rsMember['userid']);
    if (empty($userid)) {
        exit('user err!');
    }
    ..

继续跟踪一下uid的处理方式
/public/class_connector.php

function member_purview($userrank = false, $url = null, $upurl = false) 
{
    $this->ec_member_username = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode);
    if (!preg_match("/^[^!@~`\'\"#\$\%\^&\*\(\)\+\-\{\}\[\]\|\\/\?\<\>\,\.\:\;]{2,30}$/i", $this->ec_member_username) && !empty($this->ec_member_username)) {
        $this->fun->setcookie('ecisp_member_username', false);
        $this->fun->setcookie('ecisp_member_info', false);
        $linkURL = $this->get_link('memberlogin', array(), admin_LNG);
        header('location:' . $linkURL);
        exit();
    }
    //用户名是取了cookie的值可以控制
    $user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode));
    list($ec_member_username_id, $this->ec_member_alias, $ec_member_integral, $ec_member_mcid, $this->ec_member_email, $this->ec_member_lastip, $this->ec_member_ipadd, $this->ec_member_useragent, $this->ec_member_adminclassurl) = $user_info;
     
    //黑客利用intvul实现"截断注入"的效果，通过发送一个例如"test4"的账户名，被截断后得到4，黑客利用该特点实现任意用户登录
    $this->ec_member_username_id = intval($ec_member_username_id);
    $this->ec_member_integral = intval($ec_member_integral);
    $this->ec_member_mcid = intval($ec_member_mcid);
    if (empty($this->ec_member_username) && empty($this->ec_member_username_id) && md5(admin_AGENT) != $this->ec_member_useragent && md5(admin_ClassURL) != $this->ec_member_adminclassurl) {
        $this->condition = 0;
        if ($url) {
            $this->fun->setcookie('ecisp_login_link', $url, 3600);
        } elseif ($upurl) {
            $nowurl = 'http://' . $_SERVER["HTTP_HOST"] . $this->fun->request_url();
            $this->fun->setcookie('ecisp_login_link', $nowurl, 3600);
        }
        $linkURL = $this->get_link('memberlogin', array(), admin_LNG);
        $mlink = $this->memberlink(array(), admin_LNG);
        $this->callmessage($this->lng['memberloginerr'], $linkURL, $this->lng['memberlogin'], 1, $this->lng['member_regbotton'], 1, $mlink['reg']);
    } else {
        $this->condition = 1;
        if ($this->ec_member_mcid < $userrank && $userrank) {
            $linkURL = $this->get_link('memberlogin', array(), admin_LNG);
            $this->callmessage($this->lng['memberpuverr'], $linkURL, $this->lng['gobackurlbotton']);
        }
    }
    return $this->condition;
}

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2015-0142913 

5. 防御方法

/public/class_connector.php

function member_purview($userrank = false, $url = null, $upurl = false) 
{
    $this->ec_member_username = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode);
    if (!preg_match("/^[^!@~`\'\"#\$\%\^&\*\(\)\+\-\{\}\[\]\|\\/\?\<\>\,\.\:\;]{2,30}$/i", $this->ec_member_username) && !empty($this->ec_member_username)) {
        $this->fun->setcookie('ecisp_member_username', false);
        $this->fun->setcookie('ecisp_member_info', false);
        $linkURL = $this->get_link('memberlogin', array(), admin_LNG);
        header('location:' . $linkURL);
        exit();
    }
    //用户名是取了cookie的值可以控制
    $user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode));
    list($ec_member_username_id, $this->ec_member_alias, $ec_member_integral, $ec_member_mcid, $this->ec_member_email, $this->ec_member_lastip, $this->ec_member_ipadd, $this->ec_member_useragent, $this->ec_member_adminclassurl) = $user_info;
    /**/
    if (is_numeric($ec_member_username_id) == FALSE) 
    {
        die("request error");
    } 
    /**/
    //黑客利用intvul实现"截断注入"的效果，通过发送一个例如"test4"的账户名，被截断后得到4，黑客利用该特点实现任意用户登录
    $this->ec_member_username_id = intval($ec_member_username_id);
    $this->ec_member_integral = intval($ec_member_integral);
    $this->ec_member_mcid = intval($ec_member_mcid);
    ...

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved