Yisi ESPCMS has design defects (weak verification) that allow logging on to any user account. The ESPCMS cookie design is defective. Let me look at how the ecisp_home_seccode, ecisp_member_username and ecisp_member_info parameters in the cookie are checked.
```php
// Reads the member cookies and turns them into the array ESPCMS uses as the
// current member. Note that username comes from one cookie and userid from
// another, and nothing ties the two together.
function member_cookieview($keyword = false) {
    $retrunstr = array();
    $retrunstr['username'] = $this->fun->eccode($this->fun->accept('ecisp_member_username', 'C'), 'decode', db_pscode);
    $user_info = explode('|', $this->fun->eccode($this->fun->accept('ecisp_member_info', 'C'), 'decode', db_pscode));
    list($retrunstr['userid'], $retrunstr['alias'], $retrunstr['integral'], $retrunstr['mci'], $retrunstr['email'], $retrunstr['lastip'], $retrunstr['ipadd'], $retrunstr['useragent'], $retrunstr['adminclassurl']) = $user_info;
    $retrunstr['userid'] = intval($retrunstr['userid']);
    $retrunstr['integral'] = intval($retrunstr['integral']);
    $retrunstr['mci'] = intval($retrunstr['mci']);
    return !$keyword ? $retrunstr : $retrunstr[$keyword];
}

function in_center() {
    if ($this->CON['mem_isucenter']) {
        include_once admin_ROOT . 'public/uc_client/client.php';
    }
    parent::start_pagetemplate();
    parent::member_purview();
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    // A WHERE clause that binds userid to username is built (and echoed here
    // for demonstration) but it is never used in the query below.
    $db_where = "userid = $this->ec_member_username_id AND username = '$this->ec_member_username'";
    echo $db_where;
    $db_table1 = db_prefix . 'member AS a';
    $db_table2 = db_prefix . 'member_value AS b';
    // The member row is selected by userid alone, straight from the cookie.
    $db_sql = "SELECT * FROM $db_table1 LEFT JOIN $db_table2 ON a.userid = b.userid WHERE a.userid = $this->ec_member_username_id";
    $rsMember = $this->db->fetch_first($db_sql);
    $rsMember['userid'] = $this->ec_member_username_id;
    $rsMember['rankname'] = $this->get_member_purview($rsMember['mkid'], 'rankname');
    $userid = intval($rsMember['userid']);
    if (empty($userid)) {
        exit('user err!');
    }
    $db_table = db_prefix . "order";
    $db_where = "WHERE userid = $userid";
    $db_where2 = "WHERE userid = $userid and ordertype = 1";
    $db_where3 = "WHERE userid = $userid and ordertype = 3";
    $this->pagetemplate->assign('ordernum', $this->db_numrows($db_table, $db_where));
    $this->pagetemplate->assign('ordernum2', $this->db_numrows($db_table, $db_where2));
    $this->pagetemplate->assign('ordernum3', $this->db_numrows($db_table, $db_where3));
    $db_table = db_prefix . "bbs";
    $db_where = "WHERE userid = $userid";
    $this->pagetemplate->assign('messagenum', $this->db_numrows($db_table, $db_where));
    $templatesDIR = $this->get_templatesdir('member');
    $templatefilename = $lng . '/' . $templatesDIR . '/member_center';
    $this->pagetemplate->assign('out', 'center');
    $this->pagetemplate->assign('mlink', $this->mlink);
    $this->pagetemplate->assign('member', $rsMember);
    $this->pagetemplate->assign('path', 'member');
    unset($rsMember, $mlink, $LANPACK, $this->lng);
    $this->pagetemplate->display($templatefilename, 'center', false, null, admin_LNG);
}
```

Composition of ecisp_member_info:

```php
// The cookie is a '|'-separated string whose first field is the userid,
// passed through eccode with the site-wide db_pscode key.
$this->fun->setcookie('ecisp_member_info', $this->fun->eccode("500|$rsMember[alias]|$rsMember[integral]|$rsMember[mcid]|$rsMember[email]|$rsMember[lastip]|$ipadd|" . md5($_SERVER['HTTP_USER_AGENT']) . '|' . md5(admin_ClassURL), 'encode', db_pscode));
```
It can be seen from the code that what the server actually uses is the userid; that is, only the userid field of the ecisp_member_info cookie plays a role. The userid occupies just a few characters of the ecisp_member_info cookie string, and those few characters are all that matter; the rest of the fields are irrelevant to the check. Is such a verification weak? Can we crack it? Let's take the official demonstration site for a demonstration:
The userid part is only a couple of characters at minimum, so in theory this allows logging on to every user's account.
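As an added example, not code from ESPCMS or from this report, the following PHP models the weak check described above next to a hardened replacement: the cookie carries userid, username and an expiry under an HMAC, the MAC is compared in constant time, and the member row loaded by userid must carry the username the cookie claims, which is exactly the comparison the original builds in `$db_where` and then never applies. The secret `COOKIE_KEY`, the in-memory member table and every function name are assumptions constructed for the example.

```php
<?php
// Added example, not ESPCMS code. COOKIE_KEY is an assumed per-site secret
// (a long random value kept server-side, distinct from db_pscode).
const COOKIE_KEY = 'replace-with-a-long-random-server-secret';

// Constructed stand-in for the member table: userid => username.
$MEMBERS = [
    500 => 'alice',
    501 => 'bob',
];

// Model of the weak behaviour: the userid carried in the cookie is used
// directly to select the member row; the username is never compared.
function weak_member_lookup(array $members, string $cookieInfo): ?array {
    $parts  = explode('|', $cookieInfo);
    $userid = intval($parts[0]);
    if ($userid === 0 || !isset($members[$userid])) {
        return null;
    }
    return ['userid' => $userid, 'username' => $members[$userid]];
}

// Hardened issuance: JSON payload with userid, username and expiry, signed
// with an HMAC over the exact bytes that will later be verified.
function issue_member_cookie(int $userid, string $username, int $expiresAt): string {
    $payload = json_encode(['uid' => $userid, 'un' => $username, 'exp' => $expiresAt]);
    $b64     = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    $mac     = hash_hmac('sha256', $b64, COOKIE_KEY);
    return $b64 . '.' . $mac;
}

// Hardened verification: constant-time MAC check, expiry check, then the
// row found by userid must carry the same username the cookie claims.
function verify_member_cookie(array $members, string $cookie, int $now): ?array {
    $pieces = explode('.', $cookie);
    if (count($pieces) !== 2) {
        return null;
    }
    list($b64, $mac) = $pieces;
    $expected = hash_hmac('sha256', $b64, COOKIE_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;                       // forged or edited after signing
    }
    $payload = json_decode(base64_decode(strtr($b64, '-_', '+/')), true);
    if (!is_array($payload) || !isset($payload['uid'], $payload['un'], $payload['exp'])) {
        return null;                       // malformed payload
    }
    if ((int) $payload['exp'] < $now) {
        return null;                       // expired
    }
    $userid = intval($payload['uid']);
    if (!isset($members[$userid]) || $members[$userid] !== $payload['un']) {
        return null;                       // no such row, or username does not match it
    }
    return ['userid' => $userid, 'username' => $members[$userid]];
}

function describe(?array $row): string {
    return $row === null ? 'rejected' : "accepted as {$row['username']} (userid {$row['userid']})";
}

$now = time();

// Weak model: a '|'-string naming another userid is accepted as that member.
echo "weak, userid field changed to 501: ",
     describe(weak_member_lookup($MEMBERS, '501|alice|0|0|a@example.invalid|0|0|x|y')), "\n";

// Hardened model: a genuine cookie for userid 500 verifies.
$cookie = issue_member_cookie(500, 'alice', $now + 3600);
echo "hardened, genuine cookie:          ", describe(verify_member_cookie($MEMBERS, $cookie, $now)), "\n";

// Hardened model: editing the signed part without the key breaks the MAC.
list($b64, $mac) = explode('.', $cookie);
$edited = rtrim(strtr(base64_encode(json_encode(['uid' => 501, 'un' => 'alice', 'exp' => $now + 3600])), '+/', '-_'), '=');
echo "hardened, payload edited:          ", describe(verify_member_cookie($MEMBERS, $edited . '.' . $mac, $now)), "\n";

// Hardened model: even a correctly signed cookie is refused when the
// username it carries does not match the row selected by userid.
$mismatch = issue_member_cookie(501, 'alice', $now + 3600);
echo "hardened, userid/username mismatch: ", describe(verify_member_cookie($MEMBERS, $mismatch, $now)), "\n";

// Hardened model: expired cookies are refused.
$expired = issue_member_cookie(500, 'alice', $now - 1);
echo "hardened, expired:                 ", describe(verify_member_cookie($MEMBERS, $expired, $now)), "\n";
```

The last two cases are the ones the original code lacks: it builds the userid-and-username condition but queries on userid alone, and nothing in the cookie expires. Binding the row lookup to both fields, or better still keying the lookup on a server-side session id, removes the property that a few characters of the cookie select the account.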