Espcms latest V6.4.15.08.25 arbitrary User Login

Source: Internet
Author: User

Definitely the latest version!

Version: V6.4.15.08.25 UTF8 official version
Updated on: 12:29:04 Software size: 7.67 MB

Updated on the 25th

The issue is in the member login flow, in /Interface/membermain.php:

function in_center() {
    if ($this->CON['mem_isucenter']) {
        include_once admin_ROOT . 'public/uc_client/client.php';
    }
    parent::start_pagetemplate();
    // member_purview() fills ec_member_username and ec_member_username_id from cookies
    parent::member_purview();
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    // built from uid and username, but not used by the query below
    $db_where = "userid=$this->ec_member_username_id AND username='$this->ec_member_username' ";
    $db_table1 = db_prefix . 'member AS a';
    $db_table2 = db_prefix . 'member_value AS b';
    // the row is selected on the cookie-derived uid alone
    $db_sql = "SELECT * FROM $db_table1 LEFT JOIN $db_table2 ON a.userid = b.userid  WHERE a.userid = $this->ec_member_username_id ";
    $rsMember = $this->db->fetch_first($db_sql);
    $rsMember['userid'] = $this->ec_member_username_id;
    $rsMember['rankname'] = $this->get_member_purview($rsMember['mcid'], 'rankname');
    $userid = intval($rsMember['userid']);
    if (empty($userid)) {
        exit('user err!');
    }
    // ... remainder of the function not shown

Espcms identifies the logged-in user by a uid carried in cookies; anyone who can forge that uid can log in as that user.

Let's trace how the uid is processed.

$db_where = "userid=$this->ec_member_username_id AND username='$this->ec_member_username' ";


$db_where combines the uid and the username, as if both were to be matched against the same database row. Note, though, that in the excerpt above $db_sql filters on a.userid alone, so the username is never actually compared against the row that is loaded.

Now follow the function that populates the uid.

In /public/class_connector.php:

function member_purview($userrank = false, $url = null, $upurl = false) {
    // username comes straight from the ecisp_member_username cookie, decoded with the site key
    $this->ec_member_username = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode);
    // the ecisp_member_info cookie decodes (same key) to a '|'-separated record; field 0 is the uid
    $user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'DECODE', db_pscode));
    list($ec_member_username_id, $this->ec_member_alias, $ec_member_integral, $ec_member_mcid, $this->ec_member_email, $this->ec_member_lastip, $this->ec_member_ipadd, $this->ec_member_useragent, $this->ec_member_adminclassurl) = $user_info;
    // intval() keeps leading digits and silently drops whatever follows them
    $this->ec_member_username_id = intval($ec_member_username_id);
    $this->ec_member_integral = intval($ec_member_integral);
    $this->ec_member_mcid = intval($ec_member_mcid);
    // ... remainder of the function not shown


The username is taken directly from the cookie value, and so is fully controllable:

$this->ec_member_username = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'DECODE', db_pscode);
$this->ec_member_username_id = intval($ec_member_username_id);


The uid, however, goes through intval().

It is this intval() that makes arbitrary login possible.

First, register an account whose username begins with the digit 4 followed by letters, for example 4test; it must not end in a digit.

Then log in.

Inspect the cookies and note the value of the username cookie (ecisp_member_username), for example:

nRaNsMCyeu1Rjg2Z3Ms6sNbPYrrvtEhR0HduulhHBWo=

Then overwrite the info cookie (ecisp_member_info), from which the uid is read, with this value.

After refreshing the page, you are logged in as the user with uid 4.

The login succeeds.

------------------------------------

What is the underlying principle, and what does intval() do here?

Our username is 4test, and the username cookie is that string encoded with the site key. Because the info cookie is decoded with the same key, copying the username cookie into it makes the decoded info record the plain string 4test, which lands in the first field, the uid. Feeding it into the uid-processing statement gives:

$userid = $this->ec_member_username_id = intval('4test'); // = 4

Why do we end up logged in as uid 4? Because PHP is weakly typed: intval() reads the leading digits of '4test' and returns 4.

In this way the uid that the info cookie originally carried is replaced by one derived from our own username, and any user's account can be entered at will.


Solution:

Use session instead.
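The following is an added illustration, written for this write-up and not code from the page or from Espcms. It puts the page's intval() step beside a strict integer check that refuses a username-shaped uid, and sketches the session-based alternative the solution above recommends. The function names (parseCookieUidWeak, parseCookieUidStrict, loginSetSession, currentUidFromSession) and the sample records are assumptions constructed here; the '|'-separated record layout follows member_purview() on the page.

```php
<?php
// Added illustration (not Espcms code): the weak intval() parse from the page
// beside a strict parse, plus a session-based lookup. Function names and
// sample records are constructed for this example.

declare(strict_types=1);

// Weak: mirrors the vulnerable pattern. intval() keeps leading digits and
// drops the rest, so '4test' becomes 4.
function parseCookieUidWeak(string $decodedInfo): int
{
    $fields = explode('|', $decodedInfo);
    return intval($fields[0]);
}

// Strict: the uid field must be a canonical non-negative integer string;
// anything else returns null and the caller must treat the request as not logged in.
function parseCookieUidStrict(string $decodedInfo): ?int
{
    $fields = explode('|', $decodedInfo);
    $raw = $fields[0];
    // ctype_digit rejects '', signs, whitespace and trailing letters ('4test').
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    // Round-trip check rejects leading zeros ('04') and values beyond PHP_INT_MAX.
    if ((string)(int)$raw !== $raw) {
        return null;
    }
    return (int)$raw;
}

// Session-based alternative, as the page's solution recommends: the uid is
// stored server-side at login and never read back from a client-controlled cookie.
// $session stands in for $_SESSION so the example runs without a web server.
function loginSetSession(array &$session, int $userid): void
{
    $session['ec_member_username_id'] = $userid;
}

function currentUidFromSession(array $session): ?int
{
    $uid = $session['ec_member_username_id'] ?? null;
    return is_int($uid) ? $uid : null;
}

// Constructed sample records in the member_purview() layout (uid is field 0).
$samples = [
    '4|alias|0|1|a@example.invalid|127.0.0.1|127.0.0.1|ua|' => 'genuine info cookie for uid 4',
    '4test'                                                  => 'username cookie reused as info cookie',
    '04'                                                     => 'non-canonical integer',
    ' 4'                                                     => 'leading whitespace',
];

foreach ($samples as $record => $label) {
    $weak   = parseCookieUidWeak($record);
    $strict = parseCookieUidStrict($record);
    printf("%-40s weak=%d strict=%s\n", $label, $weak,
        $strict === null ? 'rejected' : (string)$strict);
}

// Session path: the uid comes from what the server stored at login.
$session = [];
loginSetSession($session, 4);
printf("session uid=%s\n", var_export(currentUidFromSession($session), true));
```

Running this prints weak=4 for all four records, while the strict parse accepts only the genuine record and rejects '4test', '04' and ' 4'. The strict check matters even after moving to sessions, because any identifier that is still read from a cookie or request parameter should be compared as a canonical string before it reaches a query.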
