Not long ago, 80vul.com announced a vulnerability in SAX 2.0, and 4ngel then released a patch. However, some of the permission-verification code still has problems. Let's briefly walk through this vulnerability.

cp.php

if(!$sax_uid || !$sax_pw || !$sax_logincount || !$sax_hash) {
    // As long as this condition is not met, you pass the background (admin) permission verification.
    loginpage();
}
...
if($sax_group == 1) {
    // To obtain administrator permissions, the value of $sax_group must also be 1.
    ...
Let's take a look at where these variables come from.
common.inc.php

list($sax_uid, $sax_pw, $sax_logincount) = $_COOKIE['sax_auth'] ? explode("\t", authcode($_COOKIE['sax_auth'], 'decode')) : array('', '', '');
// authcode() is a simple wrapper around base64_decode()
$sax_hash = sax_addslashes($_COOKIE['sax_hash']);
// These variables come from $_COOKIE and can therefore be controlled by the client :)
// However, under certain conditions the subsequent code calls extract($_EVO) to re-register these variables

$sax_uid = intval($sax_uid);
$sax_pw = sax_addslashes($sax_pw);
$sax_logincount = intval($sax_logincount);
$sax_group = 4;
// The default value is 4; the value we need is 1.
$_EVO = array();
// This is the fix for the variable-overwrite vulnerability :)

$seccode = $sessionexists = 0;
$userfields = 'u.userid AS sax_uid, u.username AS sax_user, u.password AS sax_pw, u.groupid AS sax_group, u.logincount AS sax_logincount, u.email AS sax_email, u.url AS sax_url, u.lastpost, u.lastip, u.lastvisit, u.lastactivity';
// The fields defined here include sax_user, sax_pw, sax_group and sax_logincount, which are the ones used for background permission verification.
if($sax_hash) {
    if($sax_uid && $sax_pw) {
        // Process [1]
        // sax_group is queried here, but to get it set to 1 (that is, to have the administrator's record returned) you would need to know the administrator's sax_hash, sax_pw, sax_logincount and the other values.
        $query = $DB->query("SELECT s.hash, s.seccode, $userfields
            FROM {$db_prefix}users u
            LEFT JOIN {$db_prefix}sessions s ON (s.uid = u.userid)
            WHERE s.hash='$sax_hash' AND u.userid='$sax_uid' AND CONCAT_WS('.', s.ip1, s.ip2, s.ip3, s.ip4)='$onlineip'
            AND u.password='$sax_pw' AND u.logincount='$sax_logincount' AND s.auth_key='$sax_auth_key'");
    } else {
        $query = $DB->query("SELECT hash, uid AS sessionuid, groupid, seccode, lastactivity FROM {$db_prefix}sessions WHERE hash='$sax_hash' AND CONCAT_WS('.', ip1, ip2, ip3, ip4)='$onlineip' LIMIT 1");
        // Process [2]
        // If the administrator's sax_hash and onlineip are known, the $_EVO['sessionuid'] value fetched below is the administrator's id.
    }
    if($_EVO = $DB->fetch_array($query)) {
        $sessionexists = 1;
        if
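To make the mechanism concrete, here is an added example (my own code, not part of SAX or of the original post) that feeds two constructed rows, shaped like the results of Process [1] and Process [2], through extract() the way common.inc.php does, next to an explicit-copy version in which $sax_group can only ever be set from the column the auth logic actually asked for.

```php
<?php
// Added example (not SAX code): what extract() of a fetched row does to the identity
// variables above. Both rows are constructed samples shaped like the two queries' results.

// Shape of a Process [1] result: the $userfields aliases plus s.hash and s.seccode.
$users_row = array(
    'hash' => 'h1', 'seccode' => 0,
    'sax_uid' => 1, 'sax_user' => 'admin', 'sax_pw' => 'pwhash',
    'sax_group' => 1, 'sax_logincount' => 3,
);
// Shape of a Process [2] result: sessions columns only, no sax_* aliases.
$session_row = array(
    'hash' => 'h1', 'sessionuid' => 1, 'groupid' => 1, 'seccode' => 0, 'lastactivity' => 0,
);

// The pattern common.inc.php relies on: every column name becomes a local variable.
function register_with_extract(array $row)
{
    $sax_group = 4;                  // default from common.inc.php
    extract($row);                   // overwrites $sax_group only if the row carries that key
    $defined = array_keys(get_defined_vars());
    return array('sax_group' => $sax_group, 'variables' => $defined);
}

// Hardened alternative: copy only the fields the auth logic needs, never extract().
function register_explicitly(array $row)
{
    $user = array('sax_uid' => 0, 'sax_group' => 4);
    foreach (array('sax_uid', 'sax_group') as $key) {
        if (array_key_exists($key, $row)) {
            $user[$key] = intval($row[$key]);
        }
    }
    return $user;                    // 'groupid' and 'sessionuid' never map onto sax_group
}

$r = register_with_extract($users_row);
echo "users row via extract: sax_group={$r['sax_group']}\n";
$r = register_with_extract($session_row);
echo "sessions row via extract: sax_group={$r['sax_group']}, defines "
    . implode(',', $r['variables']) . "\n";
$u = register_explicitly($session_row);
echo "sessions row explicitly: sax_group={$u['sax_group']}, sax_uid={$u['sax_uid']}\n";
```

Run with the PHP CLI; the second line of output lists sessionuid and groupid among the variables the sessions row silently defines, which is exactly the kind of side effect an explicit copy avoids.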