### 简要描述: 易思ESPCMS某处设计缺陷(验证过弱)可登录任意用户账号 ### 详细说明: 易思ESPCMS cookie存在设计缺陷 我看下cookie都有哪些参数 ``` ecisp_home_seccode ecisp_member_username ecisp_member_info ``` ``` function member_cookieview($keyword = false) { $retrunstr = array(); $retrunstr['username'] = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode); $user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode)); list($retrunstr['userid'], $retrunstr['alias'], $retrunstr['integral'], $retrunstr['mcid'], $retrunstr['email'], $retrunstr['lastip'], $retrunstr['ipadd'], $retrunstr['useragent'], $retrunstr['adminclassurl']) = $user_info; $retrunstr['userid'] = intval($retrunstr['userid']); $retrunstr['integral'] = intval($retrunstr['integral']); $retrunstr['mcid'] = intval($retrunstr['mcid']); return !$keyword ? $retrunstr : $retrunstr[$keyword]; } ``` ``` function in_center() { if ($this->CON['mem_isucenter']) { include_once admin_ROOT . 'public/uc_client/client.php'; } parent::start_pagetemplate(); parent::member_purview(); $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG; $db_where = "userid=$this->ec_member_username_id AND username='$this->ec_member_username' "; echo $db_where; $db_table1 = db_prefix . 'member AS a'; $db_table2 = db_prefix . 'member_value AS b'; $db_sql = "SELECT * FROM $db_table1 LEFT JOIN $db_table2 ON a.userid = b.userid WHERE a.userid = $this->ec_member_username_id "; $rsMember = $this->db->fetch_first($db_sql); $rsMember['userid'] = $this->ec_member_username_id; $rsMember['rankname'] = $this->get_member_purview($rsMember['mcid'], 'rankname'); $userid = intval($rsMember['userid']); if (empty($userid)) { exit('user err!'); } $db_table = db_prefix . 
"order"; $db_where = " WHERE userid=$userid"; $db_where2 = " WHERE userid=$userid and ordertype=1"; $db_where3 = " WHERE userid=$userid and ordertype=3"; $this->pagetemplate->assign('ordernum', $this->db_numrows($db_table, $db_where)); $this->pagetemplate->assign('ordernum2', $this->db_numrows($db_table, $db_where2)); $this->pagetemplate->assign('ordernum3', $this->db_numrows($db_table, $db_where3)); $db_table = db_prefix . "bbs"; $db_where = " WHERE userid=$userid"; $this->pagetemplate->assign('messagenum', $this->db_numrows($db_table, $db_where)); $templatesDIR = $this->get_templatesdir('member'); $templatefilename = $lng . '/' . $templatesDIR . '/member_center'; $this->pagetemplate->assign('out', 'center'); $this->pagetemplate->assign('mlink', $this->mlink); $this->pagetemplate->assign('member', $rsMember); $this->pagetemplate->assign('path', 'member'); unset($rsMember, $mlink, $LANPACK, $this->lng); $this->pagetemplate->display($templatefilename, 'center', false, null, admin_LNG); } ``` ecisp_member_info的构成: ``` $this->fun->setcookie('ecisp_member_info', $this->fun->eccode("500|$rsMember[alias]|$rsMember[integral]|$rsMember[mcid]|$rsMember[email]|$rsMember[lastip]|$ipadd|" . md5($_SERVER['HTTP_USER_AGENT']) . '|' . md5(admin_ClassURL), 'ENCODE', db_pscode)); ``` 从代码中可以看出验证用户真正用到的是userid 也就是说cookie中ecisp_member_info真正起到作用的是userid部分 userid只占用了cookie ecisp_member_info字符串中很少的字符 而这一部分字符才是起到作用的,其他的无关紧要,这样的验证是不是很弱呢? 那我们是不是可以去爆破它呢? 
我们拿官方演示站来做一下演示: ### 漏洞证明: [<img src="https://images.seebug.org/upload/201312/15160359006c060706115bbd95c2367cd8f9457c.jpg" alt="QQ截图20131215155548.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/15160359006c060706115bbd95c2367cd8f9457c.jpg) [<img src="https://images.seebug.org/upload/201312/15160433e926725d3650533cd402d79c6e2ca526.jpg" alt="QQ截图20131215155608.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/15160433e926725d3650533cd402d79c6e2ca526.jpg) [<img src="https://images.seebug.org/upload/201312/15160507cc4815633fe2e2f9b9344f70fd446ac3.jpg" alt="QQ截图20131215155932.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/15160507cc4815633fe2e2f9b9344f70fd446ac3.jpg) [<img src="https://images.seebug.org/upload/201312/151605355789a27f5dd136eab0ecbdcf0e044d0e.jpg" alt="QQ截图20131215160021.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/151605355789a27f5dd136eab0ecbdcf0e044d0e.jpg) [<img src="https://images.seebug.org/upload/201312/15160609f46af5f16373027b86c61c87b86bcdc7.jpg" alt="QQ截图20131215160114.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/15160609f46af5f16373027b86c61c87b86bcdc7.jpg) 查询的 IP:36.40.79.103 来自:陕西省 电信 GeoIP: Xian, China China Telecom 查询的 IP:123.138.71.191 来自:陕西省西安市 联通 GeoIP: Xian, China China Unicom Shannxi province network 查询的 IP:123.245.145.94 来自:辽宁省 电信 GeoIP: Shenyang, China GuangZhouWanGuanGuoJiMaoYiFaZhanYouXianGongSi-SY-L userid部分 最少两个字符 理论上可以登录所有用户