CMS Background Login Bypass
Practice source: "Source code download" (the database configuration information is incorrect, which is interesting)
Note: installation is required
1. Create a database
2. Set the account and password and connect to the database
3.1 Log in to the backend normally and capture the packet; analysis shows the data is submitted to "admin/login.php"
Lines 3, 4 and 7 of admin/login.php (listed below): the submitted data is used directly with no parameter filtering, which allows SQL injection and bypasses login verification (there is JS validation, but the packet can be submitted directly)
Note: if the system has GPC (magic_quotes_gpc) turned on, the bypass does not work
For example: adminname=admin' #&adminpass=123123
    1  <?php
    2  require '../config.php';
    3  $adminname = $_POST['adminname'];
    4  $adminpass = $_POST['adminpass'];
    5  $adminpass .= "Axphp.com";
    6  $adminpass = md5($adminpass);
    7  $adminsql = "SELECT * from Axphp_admin where adminname='$adminname' and adminpass='$adminpass'";
    8  $adminery = mysql_query($adminsql, $config);
    9  $adminnum = mysql_num_rows($adminery);
    10 if ($adminnum == "1") {
    11     setcookie("admin", "Y", time() + 3600, '/');
    12     setcookie("Admin_name", $adminname, time() + 3600, '/');
    13     header("location:axadmin.php");
    14 } else {
    15     header("location:axphp.php");
    16 }
    17 ?>
3.2 Backend pages verify that the user is logged in (admin/admin_pass.php)
    <?php
    require 'check.php';
    require '../template/axadmin/head.php';
    require '../template/axadmin/banner.php';
    require '../template/axadmin/admin_pass.php';
    require '../template/axadmin/bottom.php'
    ?>
# check.php is loaded to perform the validation
    1 <?php
    2 error_reporting(0);
    3 isset($_COOKIE['admin']) ? $check = $_COOKIE['admin'] : $check = NULL;
    4 isset($_COOKIE['Admin_name']) ? $admin_user = $_COOKIE['Admin_name'] : $user = NULL;
    5 if ($check == NULL) { header("Location:../index.php"); exit; }
    6 ?>
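Line 3: the check only looks at whether the admin cookie is present, so setting Cookie: admin directly in the packet bypasses login authentication and gives access to the backend. Line 4 has no effect.
(If the cookie is empty, the request is redirected to the /index.php page.)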
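A hardened counterpart to login.php and check.php, added here as an example and not part of the CMS or the original article. It assumes PDO with the pdo_sqlite driver, an in-memory table standing in for Axphp_admin, and password_hash() digests in place of the salted MD5; the function names verify_admin, mark_logged_in and is_admin are hypothetical.

```php
<?php
// Added example, not the CMS's own code. Assumptions: PDO with pdo_sqlite,
// an in-memory table standing in for Axphp_admin, and password_hash()
// digests in the adminpass column instead of the original salted MD5.

// Constructed sample data so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Axphp_admin (adminname TEXT PRIMARY KEY, adminpass TEXT)');
$pdo->prepare('INSERT INTO Axphp_admin VALUES (?, ?)')
    ->execute(['admin', password_hash('constructed-password', PASSWORD_DEFAULT)]);

// Replaces the string-built query on line 7 of login.php: the name is bound
// as data, so a quote or "#" inside it cannot change the SQL statement.
function verify_admin(PDO $pdo, string $name, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT adminpass FROM Axphp_admin WHERE adminname = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();          // false when no row matches
    return is_string($hash) && password_verify($pass, $hash);
}

// Replaces setcookie("admin", "Y"): login state is kept in the server-side
// session, and the browser only ever holds the session id.
function mark_logged_in(string $name): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);           // fresh id after a privilege change
    $_SESSION['admin_name'] = $name;
}

// Replaces check.php: trust the session, never a client-supplied cookie.
function is_admin(): bool
{
    return isset($_SESSION['admin_name']);
}

// Constructed requests: the payload from the article, a valid login, and a
// request that carries only a hand-set admin cookie.
$injected = verify_admin($pdo, "admin' #", '123123');
$valid    = verify_admin($pdo, 'admin', 'constructed-password');
$_COOKIE['admin'] = 'Y';
$cookieOnly = is_admin();
if ($valid) { mark_logged_in('admin'); }
var_dump($injected, $valid, $cookieOnly, is_admin());
```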
PHP Code Audit 5 - Practical Vulnerability Mining - CMS Background Login Bypass