关于phpwind 5.01-5.3 0day的分析文章
- WBOYOriginal
- 2016-06-21 09:00:401058browse
今天要luoluo牛抓了下包,这个漏洞挺牛的 :)
passport_client.php 里变量没有初始化可以绕过那些判断:
if(!$passport_ifopen || $passport_type != 'client'){
exit("Passport closed(PHPWind)");
}//提交:passport_ifopen =1&passport_type=client绕过
if(md5($action.$userdb.$forward.$passport_key) != $verify){
exit('Illegal request(PHPWind)');
} //里面的变量都可以自定义,所以你可以sy一下绕过
parse_str(StrCode($userdb,'DECODE'),$userdb); //注意StrCode($userdb,'DECODE'),所以你要把你提交的变量$userdb,StrCode($userdb,'DECODE')编码一下
if($action=='login'){//提交action=login
if(!$userdb['time'] || !$userdb['username'] || !$userdb['password']){
exit("Lack of parameters(PHPWind)");
}//提交的 $userdb解码以后要有这些数据
if($timestamp-$userdb['time']>3600){
exit('Passport request expired(PHPWind)');
}//提交时间userdb['time'] 大一点
.....
$rt=$db->get_one("SELECT uid $sql FROM pw_members WHERE username='$userdb[username]'");
if($rt){ //如果有这个用户的话调用下面的语句修改密码等
$sql && $db->update("UPDATE pw_members SET $sql WHERE uid='$rt[uid]'");
$sql2 && $db->update("UPDATE pw_memberdata SET $sql2 WHERE uid='$rt[uid]'");
}else{//如果没有这个用户就会调用下面的增加一个
$db->update("REPLACE INTO pw_members($sql1,groupid,memberid,gender,regdate,signchange) VALUES($sql2,'-1','8','0','$timestamp','1')");
passport_client.php 里变量没有初始化可以绕过那些判断:
if(!$passport_ifopen || $passport_type != 'client'){
exit("Passport closed(PHPWind)");
}//提交:passport_ifopen =1&passport_type=client绕过
if(md5($action.$userdb.$forward.$passport_key) != $verify){
exit('Illegal request(PHPWind)');
} //里面的变量都可以自定义,所以你可以sy一下绕过
parse_str(StrCode($userdb,'DECODE'),$userdb); //注意StrCode($userdb,'DECODE'),所以你要把你提交的变量$userdb,StrCode($userdb,'DECODE')编码一下
if($action=='login'){//提交action=login
if(!$userdb['time'] || !$userdb['username'] || !$userdb['password']){
exit("Lack of parameters(PHPWind)");
}//提交的 $userdb解码以后要有这些数据
if($timestamp-$userdb['time']>3600){
exit('Passport request expired(PHPWind)');
}//提交时间userdb['time'] 大一点
.....
$rt=$db->get_one("SELECT uid $sql FROM pw_members WHERE username='$userdb[username]'");
if($rt){ //如果有这个用户的话调用下面的语句修改密码等
$sql && $db->update("UPDATE pw_members SET $sql WHERE uid='$rt[uid]'");
$sql2 && $db->update("UPDATE pw_memberdata SET $sql2 WHERE uid='$rt[uid]'");
}else{//如果没有这个用户就会调用下面的增加一个
$db->update("REPLACE INTO pw_members($sql1,groupid,memberid,gender,regdate,signchange) VALUES($sql2,'-1','8','0','$timestamp','1')");
Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Previous article:PHP技巧实例:树形结构的算法Next article:基础知识:PHP连接mysql测试和配置