PHPSPY2010 Login Bypass Flaw Analysis

Source: Internet
Author: User
PHPSPY2010 Login Bypass Vulnerability Analysis

PHPSPY2010 is a very good webshell, but both phpspy2010 and phpspy2011 have had an authentication bypass vulnerability disclosed. I briefly analyzed the phpspy2010 bypass. First of all, only the encrypted build of phpspy2010 has the vulnerability; I skimmed the official explanation, and it also seems to conclude that only the encrypted build has the problem, which looks like a mistake in the packaging...

The specific analysis follows. The attachment is the 2010 source code. Because it is "encrypted", that is, the body is base64-decoded and then executed with eval, you can change the eval to echo to print the decoded source code.

The core parts of the code are

$admin = array();
// Whether password authentication is required: true requires it, false enters directly (the options below are then ignored)
$admin['check'] = true;
// If password verification is required, change the login password here (stored as an MD5 hash)
$admin['pass'] = 'f4f068e71e0d87bf0ad51e6214ab84e9'; // angel
// If you have special requirements for the cookie scope, or login does not work, change the following variables; otherwise keep the defaults
// Cookie prefix
$admin['cookiepre'] = '';
// Cookie domain
$admin['cookiedomain'] = '';
// Cookie path
$admin['cookiepath'] = '/';
// Cookie lifetime
$admin['cookielife'] = 86400;

error_reporting(7);
@set_magic_quotes_runtime(0);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
define('SA_ROOT', str_replace('\\', '/', dirname(__FILE__)).'/');
define('IS_WIN', DIRECTORY_SEPARATOR == '\\');
define('IS_COM', class_exists('COM') ? 1 : 0);
define('IS_GPC', get_magic_quotes_gpc());
$dis_func = get_cfg_var('disable_functions');
define('IS_PHPINFO', !eregi("phpinfo", $dis_func) ? 1 : 0);
@set_time_limit(0);
// register_globals emulation: every GET/POST key not starting with "_" becomes a global variable
foreach (array('_GET', '_POST') as $_request) {
    foreach ($$_request as $_key => $_value) {
        if ($_key{0} != '_') {
            if (IS_GPC) {
                $_value = s_array($_value);
            }
            $$_key = $_value;
        }
    }
}
// Writable file-type list (default if not supplied)
if (!$writabledb) {
    $writabledb = 'php,cgi,pl,asp,inc,js,html,htm,jsp';
}
$charsetdb = array('', 'armscii8', 'ascii', 'big5', 'binary', 'cp1250', 'cp1251', 'cp1256', 'cp1257', 'cp850', 'cp852', 'cp866', 'cp932', 'dec8', 'eucjpms', 'euckr', 'gb2312', 'gbk', 'geostd8', 'greek', 'hebrew', 'hp8', 'keybcs2', 'koi8r', 'koi8u', 'latin1', 'latin2', 'latin5', 'latin7', 'macce', 'macroman', 'sjis', 'swe7', 'tis620', 'ucs2', 'ujis', 'utf8');
if ($charset == 'utf8') {
    header("Content-Type: text/html; charset=utf-8");
} elseif ($charset == 'big5') {
    header("Content-Type: text/html; charset=big5");
} elseif ($charset == 'gbk') {
    header("Content-Type: text/html; charset=gbk");
} elseif ($charset == 'latin1') {
    header("Content-Type: text/html; charset=iso-8859-2");
} elseif ($charset == 'euckr') {
    header("Content-Type: text/html; charset=euc-kr");
} elseif ($charset == 'eucjpms') {
    header("Content-Type: text/html; charset=euc-jp");
}
$self = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];
$timestamp = time();

/*===================== Authentication =====================*/
if ($action == "logout") {
    scookie('loginpass', '', -86400 * 365);
    p(''); // HTML redirect markup was lost in this copy
    p('Success');
    exit;
}
if ($admin['check']) {
    if ($doing == 'login') {
        if ($admin['pass'] == md5($password)) {
            scookie('loginpass', md5($password));
            p(''); // HTML redirect markup was lost in this copy
            p('Success');
            exit;
        }
    }
    if ($_COOKIE['loginpass']) {
        if ($_COOKIE['loginpass'] != $admin['pass']) {
            loginpage();
        }
    } else {
        loginpage();
    }
}


This code has two parts. The first part is the non-encrypted part, where the user fills in the login password, and this is where the problem originates: the password hash is stored in $admin['pass']. The second part, the decoded PHP code, imports the parameters passed by the user into global variables, so a user can supply their own MD5-hashed admin['pass'], overwriting the definition from the first part together with the password, and thereby pass through

if ($admin['pass'] == md5($password)) {
    scookie('loginpass', md5($password));
    p(''); // HTML redirect markup was lost in this copy
    p('Success');
    exit;
}

where $admin['pass'] is now the overwritten pass parameter, so the comparison is made against a value the client itself supplied.

Note that admin['pass'] holds an MD5 hash, so the supplied value must be the MD5 of the submitted password.


phpspy2011 is said to have a similar vulnerability, but I only found the later build. In this build the statement defining the pass value has been moved down, so that it is placed after

foreach ($_POST as $key => $value) {
    if (IS_GPC) {
        $value = s_array($value);
    }
    $$key = $value;
}

to fix the bug.
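To make the overwrite concrete without a web server, here is an added example (not code from the article or from phpspy) that reproduces the ordering problem in a self-contained function and sets a hardened version beside it. The request array, the field names and the configured hash are all constructed for the demonstration. The hardened function follows the same idea as the 2011 fix, keeping the configuration out of reach of dynamically created variables, and additionally imports only an explicit list of request fields and compares hashes with hash_equals().

```php
<?php
// Added example (not phpspy's own code): the dynamic-variable overwrite behind
// the login bypass, beside a hardened version. Everything below is constructed
// so the file runs from the command line without a web server.

// Constructed request standing in for $_POST. It carries an 'admin' key whose
// value is an array, mirroring the shape of the script's own $admin config.
$clientRequest = array(
    'doing'    => 'login',
    'password' => 'client-chosen',
    'admin'    => array('pass' => md5('client-chosen')),
);

// Vulnerable ordering: configuration is defined first, then every request key
// that does not start with "_" is imported as a variable via $$key, exactly as
// in the register_globals emulation shown in the article. The 'admin' key
// replaces the whole $admin array, so the stored hash is whatever the request
// said it was and the check compares client data with client data.
function vulnerableLogin(array $request)
{
    $admin = array('check' => true, 'pass' => md5('real-secret'));
    $password = '';
    foreach ($request as $key => $value) {
        if ($key[0] != '_') {
            $$key = $value;
        }
    }
    if (!$admin['check']) {
        return true;
    }
    return $admin['pass'] == md5($password);
}

// Hardened version: configuration is never reachable through a dynamic name,
// only a fixed list of scalar request fields is imported, and the hash
// comparison is strict and constant-time. An 'admin' key in the request is
// simply ignored.
function hardenedLogin(array $request)
{
    $admin = array('check' => true, 'pass' => md5('real-secret'));
    $allowed = array('doing', 'password');
    $in = array();
    foreach ($allowed as $name) {
        $in[$name] = isset($request[$name]) && is_scalar($request[$name])
            ? (string) $request[$name]
            : '';
    }
    if (!$admin['check']) {
        return true;
    }
    return $in['doing'] === 'login'
        && hash_equals($admin['pass'], md5($in['password']));
}

// Quick check of both behaviours on the constructed request: the vulnerable
// function accepts it although 'client-chosen' is not the configured password,
// the hardened one rejects it. A legitimate login still succeeds.
var_dump(vulnerableLogin($clientRequest));
var_dump(hardenedLogin($clientRequest));
var_dump(hardenedLogin(array('doing' => 'login', 'password' => 'real-secret')));
```

The is_scalar() guard matters as well: in the original loop an array-valued field flows straight into md5(), and rejecting non-scalar input up front is what keeps a config-shaped request from meaning anything. Defining the configuration after the import loop, as phpspy2011 does, closes the specific overwrite, but the allow-list is what removes the whole class of $$key problems.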
