【最新漏洞】Dedecms任意用户登录

【摘要】前台任意用户登录：分析 DedeCMS 会员登录流程中 Cookie 校验与用户 ID 处理的相关代码。

## 前台任意用户登录

global $dsql;
if($kp?me==-1){
$this->M_KeepTime = 3600 * 24 * 7;
}else{
$this->M_KeepTime = $kp?me;
}
$formcache = FALSE;
$this->M_ID = $this->GetNum(GetCookie("DedeUserID"));
$this->M_LoginTime = GetCookie("DedeLoginTime");
$this->fields = array();
$this->isAdmin = FALSE;
if(empty($this->M_ID))
{
$this->ResetUser();
}else{
$this->M_ID = intval($this->M_ID);
if ($cache)
{
$this->fields = GetCache($this->memberCache, $this->M_ID);
if( empty($this->fields) )
{
$this->fields = $dsql->GetOne("Select * From `#@__member` where
mid='{$this->M_ID}' ");
} else {
$formcache = TRUE;
}
} else {
$this->fields = $dsql->GetOne("Select * From `#@__member` where
mid='{$this->M_ID}' ");
}
if(is_array($this->fields)){
#api{{
if(defined('UC_API') && @include_once DEDEROOT.'/uc_client/
client.php')
{
if($data = uc_get_user($this->fields['userid']))
{
if(uc_check_avatar($data[0]) && !strstr($this->fields['face'],UC_API))
{
$this->fields['face'] = UC_API.'/avatar.php?uid='.
$data[0].'&size=middle';
$dsql->ExecuteNoneQuery("UPDATE `#@__member` SET
`face`='".$this->fields['face']."' WHERE `mid`='{$this->M_ID}'");
}
}
}
#/aip}}
// 间隔一小时更新一次用户登录时间
if(?me() - $this->M_LoginTime > 3600)
{
$dsql->ExecuteNoneQuery("update `#@__member` set
login?me='".?me()."',loginip='".GetIP()."' where mid='".$this->fields['mid']."';");
PutCookie("DedeLoginTime",?me(),$this->M_KeepTime);
}
我们首先跟入 GetCookie 对 userid 的操作：

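/**
 * Read a signed cookie value.
 *
 * The cookie `$key` is trusted only when its companion cookie
 * `$key.'__ckMd5'` carries the first 16 hex characters of
 * md5($cfg_cookie_encode . value). The tag covers the secret and the
 * value only; it does not bind the cookie name.
 *
 * @param string $key cookie name
 * @return string the cookie value, or '' when either cookie is missing or
 *                the tag does not verify
 */
function GetCookie($key)
{
    global $cfg_cookie_encode;

    if (!isset($_COOKIE[$key]) || !isset($_COOKIE[$key . '__ckMd5'])) {
        return '';
    }

    $value = (string) $_COOKIE[$key];
    $expected = substr(md5($cfg_cookie_encode . $value), 0, 16);

    // hash_equals() is a strict, constant-time comparison. The original
    // `!=` is a loose comparison, under which two different numeric-looking
    // strings (e.g. both starting with "0e") compare equal.
    if (!hash_equals($expected, (string) $_COOKIE[$key . '__ckMd5'])) {
        return '';
    }

    return $value;
}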
可以看见这就是一个获取 cookie 的操作，但中间还存在一次通过 key 做 MD5 后的比较，用于防止伪造 cookie 的安全操作。我们接着看 return 出来后的 GetNum：
/**
 * Strip every character that is not an ASCII digit or a dot.
 *
 * The result is a string, not a number, and may still contain several
 * dots; the caller in this excerpt applies intval() afterwards.
 *
 * @param string $fnum raw value
 * @return string the filtered value ('' when nothing survives)
 */
function GetNum($fnum)
{
    return preg_replace('/[^0-9\.]/', '', $fnum);
}
相当于声明类型，只不过使用 preg 以正则的方式来限制。

$this->M_ID = intval($this->M_ID);
if ($cache)
{
$this->fields = GetCache($this->memberCache, $this->M_ID);
if( empty($this->fields) )
{
$this->fields = $dsql->GetOne("Select * From `#@__member` where
mid='{$this->M_ID}' ");
} else {
$formcache = TRUE;
}
} else {
$this->fields = $dsql->GetOne("Select * From `#@__member` where
mid='{$this->M_ID}' ");
}
接着通过获取的用户 id 进行数据库查询，当查询出的内容非空时则进行下面的操作。这里 dede 只对用户 id 是否存在于数据库做了一次简单查询，并未做其它的校验操作。
$this->M_LoginID = $this->fields['userid'];
$this->M_MbType = $this->fields['mtype'];
$this->M_Money = $this->fields['money'];
$this->M_UserName = FormatUsername($this->fields['uname']);
$this->M_Scores = $this->fields['scores'];
$this->M_Face = $this->fields['face'];
$this->M_Rank = $this->fields['rank'];
$this->M_Spacesta = $this->fields['spacesta'];
$sql = "Select ?tles From #@__scores where integral<={$this-
>fields['scores']} order by integral desc";
$scrow = $dsql->GetOne($sql);
$this->fields['honor'] = $scrow['?tles'];
$this->M_Honor = $this->fields['honor'];
if($this->fields['ma?']==10) $this->isAdmin = TRUE;
$this->M_UpTime = $this->fields['up?me'];
$this->M_ExpTime = $this->fields['exp?me'];
$this->M_JoinTime = MyDate('Y-m-d',$this->fields['join?me']);
if($this->M_Rank>10 && $this->M_UpTime>0){
$this->M_HasDay = $this->Judgemember();
然后将 userid 查询出的用户信息赋值于对应的变量，所以这里可以确定前台任意登录的隐患。但因为在 cookie 获取的过程中有一个通过 key 做 md5 后的校验，导致利用困难。但是：

$last_v?me = GetCookie('last_v?me');
$last_vid = GetCookie('last_vid');
if(empty($last_v?me))
{
$last_v?me = 0;
}
if($v?me - $last_v?me > 3600 || !preg_match('#,'.$uid.',#i', ','.$last_vid.',') )
{
if($last_vid!='')
{
$last_vids = explode(',',$last_vid);
$i = 0;
$last_vid = $uid;
foreach($last_vids as $lsid)
{
if($i>10)
{
break;
}
else if($lsid != $uid)
{
$i++;
$last_vid .= ','.$last_vid;
}
}
}
else
{
$last_vid = $uid;
}
通过 GetCookie 获取 last_vid，但因为我们不知道 key，所以没办法伪造内容，导致 return 返回空，无法进行下面的操作；但在 else 中发现会将 uid 的值赋值于 last_vid。

PutCookie(‘last_vid’, $last_vid, 3600*24, ‘/’);
并且在下面直接就进行了 PutCookie。我们现在需要确认 uid 是否有做校验或类型声明的操作：
$uid=empty($uid)? "" : RemoveXSS($uid);
if(empty($ac?on)) $ac?on = '';
if(empty($aid)) $aid = '';
可以看见 uid 并未进行什么处理，只单纯做了 XSS 防护；但在下面有通过 uid 进行数据库查询，而因为 uid 是 uname 标识，所以办法直接伪造!

