作者:leee | 来源:互联网 | 2017-11-11 23:17
前不久80vul.com公布了sax2.0的一个漏洞,随后4ngel发布了补丁,不过权限验证部分的代码还是存在问题,下面就来简单说说这个漏洞:Dcp.phpif(!$sax_uid||!$sax_pw||!$sax_logincount||!$sax_hash){只要这个条件不满足,就可以通过后台的权限验证了
前不久80vul.com公布了sax2.0的一个漏洞,随后4ngel发布了补丁,不过权限验证部分的代码还是存在问题,下面就来简单说说这个漏洞:D
cp.php
- if (!$sax_uid || !$sax_pw || !$sax_logincount || !$sax_hash) {
-
- loginpage();
- }
- ...
- if ($sax_group == 1) {
-
- ...
下面来看下这几个变量是怎么来的
common.inc.php
- list($sax_uid, $sax_pw, $sax_logincount) = $_COOKIE[\'sax_auth\'] ? explode("t", authcode($_COOKIE[\'sax_auth\'], \'DECODE\')) : array(\'\', \'\', \'\');
-
- $sax_hash = sax_addslashes($_COOKIE[\'sax_hash\']);
-
-
-
- $sax_uid = intval($sax_uid);
- $sax_pw = sax_addslashes($sax_pw);
- $sax_logincount = intval($sax_logincount);
- $sax_group = 4;
-
- $_EVO = array();
-
-
- $seccode = $sessionexists = 0;
- $userfields = \'u.userid AS sax_uid, u.username AS sax_user, u.password AS sax_pw, u.groupid AS sax_group, u.logincount AS sax_logincount, u.email as sax_email, u.url as sax_url, u.lastpost, u.lastip, u.lastvisit, u.lastactivity\';
-
- if ($sax_hash) {
- if ($sax_uid && $sax_pw) {
-
-
- $query = $DB->query("SELECT s.hash, s.seccode, $userfields
- FROM {$db_prefix}users u
- LEFT JOIN {$db_prefix}sessions s ON (s.uid = u.userid)
- WHERE s.hash=\'$sax_hash\' AND u.userid=\'$sax_uid\' AND CONCAT_WS(\'.\',s.ip1,s.ip2,s.ip3,s.ip4)=\'$onlineip\'
- AND u.password=\'$sax_pw\' AND u.logincount=\'$sax_logincount\' AND s.auth_key=\'$sax_auth_key\'");
- } else {
- $query = $DB->query("SELECT hash,uid as sessionuid,groupid,seccode,lastactivity FROM {$db_prefix}sessions WHERE hash=\'$sax_hash\' AND CONCAT_WS(\'.\',ip1,ip2,ip3,ip4)=\'$onlineip\' LIMIT 1");
-
-
- }
- if ($_EVO = $DB->fetch_array($query)){
- $sessionexists = 1;
- if