Dedecms arbitrary user login

## Front-end arbitrary user login

```php
// Excerpt from the member-login constructor: the member id is read from the
// DedeUserID cookie, then looked up in the member table.
global $dsql;
if($kptime==-1){
    $this->M_KeepTime = 3600 * 24 * 7;
}else{
    $this->M_KeepTime = $kptime;
}
$formcache = FALSE;
$this->M_ID = $this->GetNum(GetCookie("DedeUserID"));
$this->M_LoginTime = GetCookie("DedeLoginTime");
$this->fields = array();
$this->isAdmin = FALSE;
if(empty($this->M_ID))
{
    $this->ResetUser();
}else{
    $this->M_ID = intval($this->M_ID);
    if ($cache)
    {
        $this->fields = GetCache($this->memberCache, $this->M_ID);
        if( empty($this->fields) )
        {
            $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
        } else {
            $formcache = TRUE;
        }
    } else {
        $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
    }
    if(is_array($this->fields)){
        #api{{
        if(defined('UC_API') && @include_once DEDEROOT.'/uc_client/client.php')
        {
            if($data = uc_get_user($this->fields['userid']))
            {
                if(uc_check_avatar($data[0]) && !strstr($this->fields['face'],UC_API))
                {
                    $this->fields['face'] = UC_API.'/avatar.php?uid='.$data[0].'&size=middle';
                    $dsql->ExecuteNoneQuery("UPDATE `#@__member` SET `face`='".$this->fields['face']."' WHERE `mid`='{$this->M_ID}'");
                }
            }
        }
        #/aip}}
        // update the user's login time at most once an hour
        if(time() - $this->M_LoginTime > 3600)
        {
            $dsql->ExecuteNoneQuery("update `#@__member` set logintime='".time()."',loginip='".GetIP()."' where mid='".$this->fields['mid']."';");
            PutCookie("DedeLoginTime",time(),$this->M_KeepTime);
        }
```

We first follow GetCookie, which handles the user id.

```php
// Reads a cookie and accepts it only if the companion <key>__ckMd5 cookie
// matches the first 16 hex characters of md5($cfg_cookie_encode . value).
function GetCookie($key)
{
    global $cfg_cookie_encode;
    if( !isset($_COOKIE[$key]) || !isset($_COOKIE[$key.'__ckMd5']) )
    {
        return '';
    }
    else
    {
        if($_COOKIE[$key.'__ckMd5']!=substr(md5($cfg_cookie_encode.$_COOKIE[$key]),0,16))
        {
            return '';
        }
        else
        {
            return $_COOKIE[$key];
        }
    }
}
```

As you can see, this is just a cookie read, but in the middle there is a safety check: the value is compared against an MD5 computed over the secret key and the cookie value, which prevents forged cookies. Next we look at GetNum, which is applied to the returned value.

```php
// Strips every character except digits and dots from the value.
function GetNum($fnum){
    $fnum = preg_replace("/[^0-9\.]/", '', $fnum);
    return $fnum;
}
```

This is effectively a type declaration, only enforced through a preg regular expression.

```php
$this->M_ID = intval($this->M_ID);
if ($cache)
{
    $this->fields = GetCache($this->memberCache, $this->M_ID);
    if( empty($this->fields) )
    {
        $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
    } else {
        $formcache = TRUE;
    }
} else {
    $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
}
```

Next the obtained user id is used for a database query, and when the result is non-empty the operations below are carried out. Here Dede only performs a simple query to check whether the user id exists in the database and does no other validation.

```php
$this->M_LoginID = $this->fields['userid'];
$this->M_MbType = $this->fields['mtype'];
$this->M_Money = $this->fields['money'];
$this->M_UserName = FormatUsername($this->fields['uname']);
$this->M_Scores = $this->fields['scores'];
$this->M_Face = $this->fields['face'];
$this->M_Rank = $this->fields['rank'];
$this->M_Spacesta = $this->fields['spacesta'];
$sql = "Select titles From #@__scores where integral<={$this->fields['scores']} order by integral desc";
$scrow = $dsql->GetOne($sql);
$this->fields['honor'] = $scrow['titles'];
$this->M_Honor = $this->fields['honor'];
if($this->fields['matt']==10) $this->isAdmin = TRUE;
$this->M_UpTime = $this->fields['uptime'];
$this->M_ExpTime = $this->fields['exptime'];
$this->M_JoinTime = MyDate('Y-m-d',$this->fields['jointime']);
if($this->M_Rank>10 && $this->M_UpTime>0){
    $this->M_HasDay = $this->Judgemember();
}
```

Afterwards the user information queried by userid is assigned to the corresponding variables, so the front-end arbitrary-login risk is confirmed here. Because the cookie read includes a check against the MD5 of the key, exploitation is difficult, but:

```php
$last_vtime = GetCookie('last_vtime');
$last_vid = GetCookie('last_vid');
if(empty($last_vtime))
{
    $last_vtime = 0;
}
if($vtime - $last_vtime > 3600 || !preg_match('#,'.$uid.',#i', ','.$last_vid.',') )
{
    if($last_vid!='')
    {
        $last_vids = explode(',',$last_vid);
        $i = 0;
        $last_vid = $uid;
        foreach($last_vids as $lsid)
        {
            if($i>10)
            {
                break;
            }
            else if($lsid != $uid)
            {
                $i++;
                $last_vid .= ','.$last_vid;
            }
        }
    }
    else
    {
        $last_vid = $uid;
    }
    // the PutCookie call that follows is shown next
```

last_vid is read through GetCookie, but since we do not know the key we cannot forge its contents; the function returns an empty string, so the branch below cannot be taken. In the else branch, however, we find that the value of uid is assigned to last_vid.

```php
PutCookie('last_vid', $last_vid, 3600*24, '/');
```

Right below it PutCookie is called directly. We now need to confirm whether uid is validated or type-declared anywhere.

```php
$uid=empty($uid)? "" : RemoveXSS($uid);
if(empty($action)) $action = '';
if(empty($aid)) $aid = '';
```

As you can see, nothing much is done to uid; it is only filtered against XSS. Below there is a database query by uid, but because uid is the uname identifier, there is no way to forge it directly.
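The cookie check above shares one secret across every cookie name and then coerces the value with GetNum and intval. As an added example (not DedeCMS code), the following PHP models that scheme next to a hardened variant that binds the cookie name into an HMAC, compares in constant time, and accepts only a canonical member id; the secret and cookie values are constructed for the demonstration.

```php
<?php
// Added example, not DedeCMS code. $cfg_cookie_encode stands in for the site secret.
$cfg_cookie_encode = 'constructed-demo-secret';

// Legacy scheme shown above: tag = first 16 hex chars of md5(secret . value).
// The cookie name is not part of the tag, so a tag issued for one cookie
// verifies for any other cookie that carries the same value.
function legacy_tag($value) {
    global $cfg_cookie_encode;
    return substr(md5($cfg_cookie_encode . $value), 0, 16);
}

// Hardened scheme: HMAC-SHA256 over name and value, separated by a NUL byte.
function bound_tag($name, $value) {
    global $cfg_cookie_encode;
    return hash_hmac('sha256', $name . "\0" . $value, $cfg_cookie_encode);
}

// Drop-in replacement for the GetCookie logic; $cookies is passed in instead of $_COOKIE.
function get_cookie_bound($name, array $cookies) {
    if (!isset($cookies[$name], $cookies[$name . '__ckMd5'])) {
        return '';
    }
    if (!hash_equals(bound_tag($name, $cookies[$name]), (string)$cookies[$name . '__ckMd5'])) {
        return '';
    }
    return $cookies[$name];
}

// A member id must be a canonical positive integer. Unlike GetNum()/intval(),
// nothing is stripped or coerced: "1abc" and "0042" are rejected, "42" is accepted.
function canonical_member_id($raw) {
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return 0;
    }
    return (int)$raw;
}

// Demonstration on a constructed cookie jar.
$jar = array('last_vid' => '42', 'last_vid__ckMd5' => bound_tag('last_vid', '42'));
var_dump(get_cookie_bound('last_vid', $jar));      // string(2) "42": correct name and tag
$jar['DedeUserID'] = '42';
$jar['DedeUserID__ckMd5'] = $jar['last_vid__ckMd5'];
var_dump(get_cookie_bound('DedeUserID', $jar));    // string(0) "": tag was issued for another name
var_dump(legacy_tag('42') === legacy_tag('42'));   // true: the legacy tag never sees the name
var_dump(canonical_member_id('42'), canonical_member_id('0042'), canonical_member_id('1abc')); // 42, 0, 0
```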

Permalink: https://www.unhonker.com/bug/2012.html | 90's Blog | Focused on information security

This post was published by unhonker on 23 January 2018 in the category 漏洞公布 (vulnerability disclosure).