DedeCMS compromised: arbitrary user login!

Abstract

Hackers used code to achieve arbitrary front-end user login, compromising the site's security. Such behaviour is extremely unethical and should be punished by law.

Body


## Front-end arbitrary user login

```php
// Excerpt from the DedeCMS member-login constructor as quoted in the post
// (it starts after the function signature, which the post does not show).
global $dsql;
if($kptime==-1)
{
    $this->M_KeepTime = 3600 * 24 * 7;
}
else
{
    $this->M_KeepTime = $kptime;
}
$formcache = FALSE;
$this->M_ID = $this->GetNum(GetCookie("DedeUserID"));
$this->M_LoginTime = GetCookie("DedeLoginTime");
$this->fields = array();
$this->isAdmin = FALSE;
if(empty($this->M_ID))
{
    $this->ResetUser();
}
else
{
    $this->M_ID = intval($this->M_ID);
    if ($cache)
    {
        $this->fields = GetCache($this->memberCache, $this->M_ID);
        if( empty($this->fields) )
        {
            $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
        } else {
            $formcache = TRUE;
        }
    } else {
        $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
    }
    if(is_array($this->fields))
    {
        #api{{
        if(defined('UC_API') && @include_once DEDEROOT.'/uc_client/client.php')
        {
            if($data = uc_get_user($this->fields['userid']))
            {
                if(uc_check_avatar($data[0]) && !strstr($this->fields['face'],UC_API))
                {
                    $this->fields['face'] = UC_API.'/avatar.php?uid='.$data[0].'&size=middle';
                    $dsql->ExecuteNoneQuery("UPDATE `#@__member` SET `face`='".$this->fields['face']."' WHERE `mid`='{$this->M_ID}'");
                }
            }
        }
        #/aip}}
        // update the user's login time at most once per hour
        if(time() - $this->M_LoginTime > 3600)
        {
            $dsql->ExecuteNoneQuery("update `#@__member` set logintime='".time()."',loginip='".GetIP()."' where mid='".$this->fields['mid']."';");
            PutCookie("DedeLoginTime",time(),$this->M_KeepTime);
        }
        // ... (the excerpt continues with the field assignments quoted further below)
```

Let's first step into GetCookie and its handling of userid.

```php
function GetCookie($key)
{
    global $cfg_cookie_encode;
    if( !isset($_COOKIE[$key]) || !isset($_COOKIE[$key.'__ckMd5']) )
    {
        return '';
    }
    else
    {
        // the value is only accepted if its companion __ckMd5 cookie matches
        // the first 16 hex chars of md5(secret . value)
        if($_COOKIE[$key.'__ckMd5']!=substr(md5($cfg_cookie_encode.$_COOKIE[$key]),0,16))
        {
            return '';
        }
        else
        {
            return $_COOKIE[$key];
        }
    }
}
```

As you can see, this is just a cookie read, but in the middle there is a safeguard against forged cookies: the value is compared against an MD5 computed with the key. Let's look next at GetNum, which is applied to the returned value.

```php
function GetNum($fnum)
{
    // strip everything except digits and dots
    $fnum = preg_replace("/[^0-9\.]/", '', $fnum);
    return $fnum;
}
```

This is effectively a type declaration, except that the restriction is enforced with a preg regular expression.

```php
$this->M_ID = intval($this->M_ID);
if ($cache)
{
    $this->fields = GetCache($this->memberCache, $this->M_ID);
    if( empty($this->fields) )
    {
        $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
    } else {
        $formcache = TRUE;
    }
} else {
    $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
}
```

Next, the obtained userid is used for a database query, and when the result is non-empty the operations below are performed. Here DedeCMS only performs a simple check that the user id exists in the database and does no other validation.

```php
$this->M_LoginID = $this->fields['userid'];
$this->M_MbType = $this->fields['mtype'];
$this->M_Money = $this->fields['money'];
$this->M_UserName = FormatUsername($this->fields['uname']);
$this->M_Scores = $this->fields['scores'];
$this->M_Face = $this->fields['face'];
$this->M_Rank = $this->fields['rank'];
$this->M_Spacesta = $this->fields['spacesta'];
$sql = "Select titles From #@__scores where integral<={$this->fields['scores']} order by integral desc";
$scrow = $dsql->GetOne($sql);
$this->fields['honor'] = $scrow['titles'];
$this->M_Honor = $this->fields['honor'];
if($this->fields['matt']==10) $this->isAdmin = TRUE;
$this->M_UpTime = $this->fields['uptime'];
$this->M_ExpTime = $this->fields['exptime'];
$this->M_JoinTime = MyDate('Y-m-d',$this->fields['jointime']);
if($this->M_Rank>10 && $this->M_UpTime>0)
{
    $this->M_HasDay = $this->Judgemember();
    // ... (excerpt ends here in the post)
}
```

Afterwards, the user information looked up by userid is assigned to the corresponding variables, so the front-end arbitrary-login risk is confirmed here. However, because cookie retrieval includes a check against an MD5 computed with the key, exploitation is difficult. But in:

```php
$last_vtime = GetCookie('last_vtime');
$last_vid = GetCookie('last_vid');
if(empty($last_vtime))
{
    $last_vtime = 0;
}
if($vtime - $last_vtime > 3600 || !preg_match('#,'.$uid.',#i', ','.$last_vid.',') )
{
    if($last_vid!='')
    {
        $last_vids = explode(',',$last_vid);
        $i = 0;
        $last_vid = $uid;
        foreach($last_vids as $lsid)
        {
            if($i>10)
            {
                break;
            }
            else if($lsid != $uid)
            {
                $i++;
                $last_vid .= ','.$last_vid;   // as in the quoted source: appends $last_vid, not $lsid
            }
        }
    }
    else
    {
        $last_vid = $uid;
    }
```

last_vid is obtained through GetCookie, but because we don't know the key we cannot forge its content; the return is empty, so the operations below cannot proceed. But in the else branch we find that the value of uid is assigned to last_vid:

```php
PutCookie('last_vid', $last_vid, 3600*24, '/');
```

and right below, PutCookie is called directly. We now need to confirm whether uid is validated or type-declared in any way.

```php
$uid = empty($uid) ? "" : RemoveXSS($uid);
if(empty($action)) $action = '';
if(empty($aid)) $aid = '';
```

As you can see, nothing is done to uid beyond XSS protection. Below there is a database query using uid, but because uid is the uname identifier, there is no way to forge it directly!
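As an added example that is not part of the original post or of DedeCMS, the stand-alone PHP below reproduces the cookie-integrity scheme discussed above (GetCookie/PutCookie with a truncated MD5 tag, and the GetNum filter applied to the member id) beside a hardened form of the same two pieces. The secret value, the `$jar` array standing in for `$_COOKIE`, and every function name are assumptions made for the demonstration.

```php
<?php
// Added example (not DedeCMS code). $cfg_cookie_encode is the site secret
// DedeCMS reads in GetCookie; the value here is a constructed placeholder.
$cfg_cookie_encode = 'constructed-site-secret-for-demo';

// --- Scheme as analysed in the post: tag = first 16 hex chars of md5(secret . value).
function legacyTag(string $secret, string $value): string
{
    return substr(md5($secret . $value), 0, 16);
}

// Equivalents of PutCookie/GetCookie that work on an explicit $jar array
// instead of $_COOKIE/setcookie(), so the example runs offline.
function legacyPut(array &$jar, string $secret, string $key, string $value): void
{
    $jar[$key] = $value;
    $jar[$key . '__ckMd5'] = legacyTag($secret, $value);
}

function legacyGet(array $jar, string $secret, string $key): string
{
    if (!isset($jar[$key], $jar[$key . '__ckMd5'])) {
        return '';
    }
    // loose comparison, as in the quoted GetCookie
    return $jar[$key . '__ckMd5'] == legacyTag($secret, $jar[$key]) ? $jar[$key] : '';
}

// --- Hardened variant (assumed design, not DedeCMS's):
// 1. the cookie NAME is part of the MAC input, so a tag is only valid for the
//    cookie it was issued for;
// 2. HMAC-SHA256 replaces the truncated md5(secret . value);
// 3. hash_equals() gives a constant-time comparison.
function hardenedTag(string $secret, string $key, string $value): string
{
    return hash_hmac('sha256', $key . "\0" . $value, $secret);
}

function hardenedPut(array &$jar, string $secret, string $key, string $value): void
{
    $jar[$key] = $value;
    $jar[$key . '__mac'] = hardenedTag($secret, $key, $value);
}

function hardenedGet(array $jar, string $secret, string $key): string
{
    if (!isset($jar[$key], $jar[$key . '__mac'])) {
        return '';
    }
    $expected = hardenedTag($secret, $key, $jar[$key]);
    return hash_equals($expected, $jar[$key . '__mac']) ? $jar[$key] : '';
}

// The post's GetNum keeps digits and dots and leaves the rest to a later intval().
// A stricter reading of the member id accepts only a canonical positive integer
// and returns 0 (treated as "not logged in") for anything else.
function strictMemberId(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? 0 : $id;
}

// Demonstration on a constructed cookie jar.
$jar = [];
legacyPut($jar, $cfg_cookie_encode, 'DedeUserID', '42');
var_dump(legacyGet($jar, $cfg_cookie_encode, 'DedeUserID'));   // accepted: tag matches
$jar['DedeUserID'] = '43';                                    // tampered value, stale tag
var_dump(legacyGet($jar, $cfg_cookie_encode, 'DedeUserID'));   // rejected: empty string

$jar2 = [];
hardenedPut($jar2, $cfg_cookie_encode, 'DedeUserID', '42');
var_dump(hardenedGet($jar2, $cfg_cookie_encode, 'DedeUserID'));
$jar2['DedeUserID'] = '43';
var_dump(hardenedGet($jar2, $cfg_cookie_encode, 'DedeUserID'));

var_dump(strictMemberId('42'));
var_dump(strictMemberId('4.2'));   // GetNum would have returned "4.2"
var_dump(strictMemberId('abc'));
```

The design point for a defender is that the original tag depends only on the secret and the value, so any code path that calls PutCookie on user-controlled input (as the last_vid branch above does) mints a valid tag for that input; including the cookie name in the MAC and reading the member id as a strict integer removes both of the weaknesses the post walks through.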
