ESPCMS latest V6.4.15.08.25: arbitrary user logon vulnerability
The vulnerable code is in the user logon handler, /interface/membermain.php:
function in_center() {
    if ($this->CON['mem_isucenter']) {
        include_once admin_ROOT . 'public/uc_client/client.php';
    }
    parent::start_pagetemplate();
    parent::member_purview();   // populates ec_member_username / ec_member_username_id from cookies
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    $db_where = "userid = $this->ec_member_username_id AND username = '$this->ec_member_username'";
    $db_table1 = db_prefix . 'member AS a';
    $db_table2 = db_prefix . 'member_value AS b';
    // note: the query filters on the cookie-derived uid only; $db_where is not used here
    $db_sql = "SELECT * FROM $db_table1 LEFT JOIN $db_table2 ON a.userid = b.userid WHERE a.userid = $this->ec_member_username_id";
    $rsMember = $this->db->fetch_first($db_sql);
    $rsMember['userid'] = $this->ec_member_username_id;
    $rsMember['rankname'] = $this->get_member_purview($rsMember['mci'], 'rankname');
    $userid = intval($rsMember['userid']);
    if (empty($userid)) {
        exit('user err!');
    }
ESPCMS verifies the user's identity from cookies, checking the uid they carry. As long as the uid can be forged, we can log on to the system, so let us trace how the uid is processed.
    $db_where = "userid = $this->ec_member_username_id AND username = '$this->ec_member_username'";
Both the uid and the username are meant to be checked together in the database query. The function that derives the uid is member_purview() in /public/class_connector.php:
function member_purview($userrank = false, $url = null, $upurl = false) {
    // username comes straight from the ecisp_member_username cookie
    $this->ec_member_username = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'decode', db_pscode);
    // uid and profile fields come from the '|'-separated ecisp_member_info cookie
    $user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'decode', db_pscode));
    list($ec_member_username_id, $this->ec_member_alias, $ec_member_integral, $ec_member_mcid, $this->ec_member_email, $this->region, $this->ec_member_ipadd, $this->ec_member_useragent, $this->ec_member_adminclassurl) = $user_info;
    $this->ec_member_username_id = intval($ec_member_username_id);
    $this->ec_member_integral = intval($ec_member_integral);
    $this->ec_member_mcid = intval($ec_member_mcid);
The username is controlled by the cookie value, and so is the uid:
    $this->ec_member_username = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'decode', db_pscode);
    $this->ec_member_username_id = intval($ec_member_username_id);
The uid value is passed through intval(), and it is this intval() that makes arbitrary login possible. First, register a username that starts with the digit 4 followed by letters (the remainder must not contain digits). Then log on.
Look at the cookies and find the username value:
Nransmcyeu1jwg2z3ms6snbpyrrvtehr0hduulhhbwo=
Then overwrite the info cookie value with this value. The info value is what the uid is taken from.
After refreshing, you are logged on as the user with uid 4.
The logon succeeds. Why does it work, and what does intval() do here? Our username is 4test, and the cookie carries its encoded form. Substituting that value into the uid processing statement:
    $userid = $this->ec_member_username_id = intval('4test');   // == 4
Why uid 4? Because PHP is weakly typed: intval() reads the leading digits of '4test' and returns 4, which replaces the original uid, so you can log on as any user at will.
Solution:
Keep the logged-on identity in a server-side session instead of reconstructing it from cookie values.
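To make the failure mode concrete, here is an added example (not ESPCMS code) that models the uid handling above: the vulnerable path reproduces intval() on the first field of the info cookie, and a hardened path shows the minimum check a server-side fix needs in addition to moving identity into the session, namely a canonical integer uid that belongs to the same row as the username. The $users table and the cookie payloads are constructed for the example.

```php
<?php
// Added example, not ESPCMS code. $users is a constructed stand-in for the
// member table: userid => username. Account 17 has the username '4test'.
$users = [4 => 'admin', 17 => '4test'];

// Vulnerable: mirrors member_purview(), where the first '|'-separated field
// of the decoded ecisp_member_info cookie goes straight through intval().
function vulnerableUid(string $memberInfo): int {
    list($id) = explode('|', $memberInfo);
    return intval($id);   // intval('4test') === 4, the leading digits win
}

// Hardened: accept only a canonical positive decimal uid, and require that
// the uid and the username identify the same account rather than trusting
// either cookie field on its own.
function strictUid(string $memberInfo, string $username, array $users): ?int {
    list($id) = explode('|', $memberInfo);
    // ctype_digit rejects '4test', '', ' 4' and '4.0'; the round-trip
    // comparison rejects leading zeros such as '04'; 0 is not a valid uid.
    if (!ctype_digit($id) || (string)(int)$id !== $id || (int)$id < 1) {
        return null;
    }
    $id = (int)$id;
    if (!isset($users[$id]) || !hash_equals($users[$id], $username)) {
        return null;      // uid and username must belong to one account
    }
    return $id;
}

// Constructed payload: the username of account 17 ('4test') has been copied
// over the uid field of the info cookie, as the writeup describes.
$forgedInfo = '4test|alias|0|0|mail@example.invalid';

var_dump(vulnerableUid($forgedInfo));                   // int(4): resolves to 'admin'
var_dump(strictUid($forgedInfo, '4test', $users));      // NULL: rejected
var_dump(strictUid('17|alias|0|0|x', '4test', $users)); // int(17): legitimate login
```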