### Summary:
mcms 1.3 (手机建站之星, mobile site builder) arbitrary user login vulnerability
### Details:
File plugins/gov.user/index.php, line 90, function m__register().
The registration handler validates the lengths of the submitted username and password, the password confirmation and the captcha, then inserts the new row straight into the user table. At no point does it check whether the username is already taken, so a second row with an existing uname is created:
```php
$params = array();
// Already logged in: bounce to the front page.
if (isset($_SESSION['uid']) && isset($_SESSION['uname'])) helper::redirect('index.php');
if (!isset($_POST['username']) || empty($_POST['username'])) die('{"code":"200","msg":"Please enter a username"}');
if (strlen($_POST['username']) < 6 || strlen($_POST['username']) > 20) die('{"code":"201","msg":"Username must be 6 to 20 characters"}');
// Note: the original tests $_POST['username'] in the next two lines where $_POST['password'] is clearly meant.
if (!isset($_POST['password']) || empty($_POST['username'])) die('{"code":"202","msg":"Please enter a password"}');
if (strlen($_POST['password']) < 6 || strlen($_POST['username']) > 20) die('{"code":"203","msg":"Password must be 6 to 20 characters"}');
if ($_POST['password'] != $_POST['passconfirm']) die('{"code":"204","msg":"The two passwords do not match"}');
// Email and mobile format checks are commented out in the shipped code.
//if (!preg_match("/\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $_POST['email'])) {
//    die('{"code":"205","msg":"Invalid email format"}');
//}
// if (!preg_match("~^(1)\d{10}$~", $_POST['moblie'])) die('{"code":"206","msg":"Invalid mobile number"}');
// Captcha check: the only server-side gate between the form and the insert.
$authcode = md5(strtoupper($_POST['authcode']));
if ($authcode != $_SESSION['reg']) {
    die('{"code":"207","msg":"Wrong verification code"}');
}
$params['uname']    = $_POST['username'];
$params['upass']    = helper::password_encrypt($_POST['password']);
$params['uqq']      = isset($_POST['uqq']) && !empty($_POST['uqq']) ? intval($_POST['uqq']) : '';
$params['uemail']   = isset($_POST['email']) && $_POST['email'] != '' ? $_POST['email'] : '';
$params['uphone']   = isset($_POST['moblie']) && $_POST['moblie'] != '' ? $_POST['moblie'] : '';
$params['reg_date'] = time();
$params['reg_ip']   = helper::getip();
// Bind the QQ account (if the session carries one) to the new registration.
if (isset($_SESSION['qq']['openid']) && $_SESSION['qq']['openid'] != '') {
    $params['qqid'] = $_SESSION['qq']['openid'];
}
// Inserted straight into the database: nothing in this request checked whether uname already exists.
$res = $dbm->single_insert(TB_PREFIX . "user_list", $params);
```
### Proof of concept:
First register an account aaa123 with the password test123.
Then open the registration page again and fill it in as follows:
[![QQ截图20131229230340.jpg](https://images.seebug.org/upload/201312/292304014bd9a7969d5163e5be474c6c60681ceb.jpg)](https://images.seebug.org/upload/201312/292304014bd9a7969d5163e5be474c6c60681ceb.jpg)
Click register and intercept the request with Burp Suite.
Change the username to aaa123:
[![QQ截图20131229230500.jpg](https://images.seebug.org/upload/201312/29230515dfc316288c1cc4fc3337841b51a08e3d.jpg)](https://images.seebug.org/upload/201312/29230515dfc316288c1cc4fc3337841b51a08e3d.jpg)
Forward the request.
The page that comes back is aaa123's account page:
[![QQ截图20131229230550.jpg](https://images.seebug.org/upload/201312/2923062583005ef08a18b74aaab867c761316a3f.jpg)](https://images.seebug.org/upload/201312/2923062583005ef08a18b74aaab867c761316a3f.jpg)
We are now logged in to the aaa123 account without knowing its password.
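The missing uniqueness check, together with the caveat a practitioner would want, as an added example that is not part of the original advisory or of the mcms code base: a pre-insert SELECT alone is not enough, because two concurrent registrations can both pass it, so the authoritative guard is a UNIQUE index on uname plus handling of the duplicate-key error. The example is written against PDO/MySQL rather than mcms's `$dbm` wrapper; the table name `TB_PREFIX . 'user_list'` and the column names come from the snippet above, while the `mc_` prefix, the `uq_uname` index name and the use of `password_hash()` in place of `helper::password_encrypt()` are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed table prefix; mcms defines its own TB_PREFIX constant.
const TB_PREFIX = 'mc_';

/**
 * Hardened registration step (added example, not mcms code).
 * Returns the uid of the new row, or throws if the username is taken.
 *
 * Requires the schema guard to exist once:
 *   ALTER TABLE mc_user_list ADD UNIQUE KEY uq_uname (uname);
 */
function register_user(PDO $db, string $username, string $password, string $clientIp): int
{
    // Same byte-length policy the original enforces, applied to the right fields.
    if (strlen($username) < 6 || strlen($username) > 20) {
        throw new InvalidArgumentException('username must be 6 to 20 characters');
    }
    if (strlen($password) < 6 || strlen($password) > 20) {
        throw new InvalidArgumentException('password must be 6 to 20 characters');
    }

    $table = TB_PREFIX . 'user_list';

    // Early, non-authoritative check. It gives a clean error message, but two
    // requests racing through here can both see "not taken" (check-then-act race).
    $stmt = $db->prepare("SELECT 1 FROM `{$table}` WHERE uname = ? LIMIT 1");
    $stmt->execute([$username]);
    if ($stmt->fetchColumn() !== false) {
        throw new RuntimeException('username already exists');
    }

    $stmt = $db->prepare(
        "INSERT INTO `{$table}` (uname, upass, reg_date, reg_ip) VALUES (?, ?, ?, ?)"
    );
    try {
        $stmt->execute([
            $username,
            password_hash($password, PASSWORD_DEFAULT), // assumed replacement for helper::password_encrypt()
            time(),
            $clientIp,
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation: UNIQUE(uname) rejected
        // a duplicate that slipped past the SELECT above. This is the real guarantee.
        if (($e->errorInfo[0] ?? '') === '23000') {
            throw new RuntimeException('username already exists', 0, $e);
        }
        throw $e;
    }

    return (int) $db->lastInsertId();
}

// Usage (assumed DSN/credentials):
// $db  = new PDO('mysql:host=127.0.0.1;dbname=mcms;charset=utf8mb4', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $uid = register_user($db, $_POST['username'], $_POST['password'], $_SERVER['REMOTE_ADDR'] ?? '');
// $_SESSION['uid']   = $uid;
// $_SESSION['uname'] = $_POST['username'];
```

Two design points: the session is populated from the uid that the INSERT itself returned, not from a second lookup by username, so even a leftover duplicate row can never steer a fresh registration into someone else's account; and the index must be added before the fix is considered complete, since any duplicate rows already created through the vulnerable handler will make `ADD UNIQUE KEY` fail until they are cleaned up.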