Home  >  Article  >  Backend Development  >  phpspy2010 绕过登陆破绽解析

phpspy2010 绕过登陆破绽解析

WBOY
WBOYOriginal
2016-06-13 10:40:111057browse

phpspy2010 绕过登陆漏洞解析

??? phpspy2010可谓是webshell界很不错的一个工具,但是phpspy2010 和2011相继爆出了绕过认证漏洞,我简单分析下php2010的绕过漏洞,首先据说只有php2010的加密版才有这个漏洞,我大概看了下官方解释,估计也只有加密版才有这个问题,而且看上去应该是个失误。。。

????? 下面具体分析:附件是2010的源代码,由于是加密的eval执行base64解密,

把eval改成echo就可以输出源代码了。

代码核心部分如下

$admin = array();// 是否需要密码验证, true 为需要验证, false 为直接进入.下面选项则无效$admin['check'] = true;// 如果需要密码验证,请修改登陆密码$admin['pass']  = 'f4f068e71e0d87bf0ad51e6214ab84e9'; //angel								//如您对 cookie 作用范围有特殊要求, 或登录不正常, 请修改下面变量, 否则请保持默认// cookie 前缀$admin['cookiepre'] = '';// cookie 作用域$admin['cookiedomain'] = '';// cookie 作用路径$admin['cookiepath'] = '/';// cookie 有效期$admin['cookielife'] = 86400;
error_reporting(7);@set_magic_quotes_runtime(0);ob_start();$mtime = explode(' ', microtime());$starttime = $mtime[1] + $mtime[0];define('SA_ROOT', str_replace('\\', '/', dirname(__FILE__)).'/');define('IS_WIN', DIRECTORY_SEPARATOR == '\\');define('IS_COM', class_exists('COM') ? 1 : 0 );define('IS_GPC', get_magic_quotes_gpc());$dis_func = get_cfg_var('disable_functions');define('IS_PHPINFO', (!eregi("phpinfo",$dis_func)) ? 1 : 0 );@set_time_limit(0);foreach(array('_GET','_POST') as $_request) {	foreach($$_request as $_key => $_value) {		if ($_key{0} != '_') {			if (IS_GPC) {				$_value = s_array($_value);			}			$$_key = $_value;		}	}}//???ò???÷???????????à??!$writabledb && $writabledb = 'php,cgi,pl,asp,inc,js,html,htm,jsp';$charsetdb = array('','armscii8','ascii','big5','binary','cp1250','cp1251','cp1256','cp1257','cp850','cp852','cp866','cp932','dec8','eucjpms','euckr','gb2312','gbk','geostd8','greek','hebrew','hp8','keybcs2','koi8r','koi8u','latin1','latin2','latin5','latin7','macce','macroman','sjis','swe7','tis620','ucs2','ujis','utf8');if ($charset == 'utf8') {	header("content-Type: text/html; charset=utf-8");} elseif ($charset == 'big5') {	header("content-Type: text/html; charset=big5");} elseif ($charset == 'gbk') {	header("content-Type: text/html; charset=gbk");} elseif ($charset == 'latin1') {	header("content-Type: text/html; charset=iso-8859-2");} elseif ($charset == 'euckr') {	header("content-Type: text/html; charset=euc-kr");} elseif ($charset == 'eucjpms') {	header("content-Type: text/html; charset=euc-jp");}$self = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];$timestamp = time();/*===================== ?í·??é?¤ =====================*/if ($action == "logout") {	scookie('loginpass', '', -86400 * 365);	p('<meta http-equiv="refresh" content="1;URL='.$self.'">');	p('<a style="font:12px Verdana" href="'.$self.'">Success</a>');	exit;}if($admin['check']) {	if ($doing == 'login') {		if ($admin['pass'] == md5($password)) {			scookie('loginpass', md5($password));			p('<meta http-equiv="refresh" content="1;URL='.$self.'">');			p('<a style="font:12px Verdana" href="'.$self.'">Success</a>');			exit;		}	}	if ($_COOKIE['loginpass']) {		if ($_COOKIE['loginpass'] != $admin['pass']) {			loginpage();		}	} else {		loginpage();	}}

?

?

这个代码以拥有两个部分,第一个部分就是不加密的部分,这里需要用户填写登录密码,问题就发生在这里,密码存到了

admin['pass']中,而在第二部分解密出来的php代码中,才接受了用户传递过来的参数,这样用户可以自己构造md5加密后的admin['pass'],覆盖掉第一部分定义好的,以及password,从而通过

?

	if ($admin['pass'] == md5($password)) {			scookie('loginpass', md5($password));			p('<meta http-equiv="refresh" content="1;URL='.$self.'">');			p('<a style="font:12px Verdana" href="'.$self.'">Success</a>');			exit;		}

?如图就是修改后的传递参数

?注意admin['pass']是md5加密的。

?

?

?

2011据说也是类似的漏洞,但是我只找到了后来更新过的版本,这个版本中,定义pass的语句下移,放到了


?

foreach($_POST as $key => $value) {	if (IS_GPC) {		$value = s_array($value);	}	$$key = $value;}

?

的后面,从而修正了这个bug。

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn