目录 1 . 漏洞描述 2 . 漏洞触发条件 3 . 漏洞影响范围 4 . 漏洞代码分析 5 . 防御方法 6 . 攻防思考 1. 漏洞描述 duxcms是一款采用PHP开发,基于HMVC规则开发适合中小企业、公司、新闻、个人等相关行业的网站内容管理,它的后台登录处存在sql注入,黑客可通
目录
<span>1</span><span>. 漏洞描述 </span><span>2</span><span>. 漏洞触发条件 </span><span>3</span><span>. 漏洞影响范围 </span><span>4</span><span>. 漏洞代码分析 </span><span>5</span><span>. 防御方法 </span><span>6</span>. 攻防思考
1. 漏洞描述
duxcms是一款采用PHP开发,基于HMVC规则开发适合中小企业、公司、新闻、个人等相关行业的网站内容管理,它的后台登录处存在sql注入,黑客可通过这个漏洞获取管理员密码、直接任意用户登录后台等攻击
Relevant Link:
立即学习“PHP免费学习笔记(深入)”;
http:<span>//</span><span>www.wooyun.org/bugs/wooyun-2010-063055</span>
2. 漏洞触发条件
<span>1</span><span>. 用户名 </span>-<span>1</span><span>"</span><span> union select 1,2,3,'c4ca4238a0b923820dcc509a6f75849b',5,6,7,8,9,10,11#</span> <span>/*</span><span> 这里的md5就是数字1的md5 </span><span>*/</span> <span>2</span>. 密码: <span>1</span>
3. 漏洞影响范围
4. 漏洞代码分析
/admin/module/loginMod.class.php
<span>//</span><span>登陆检测</span>
<span>public</span><span> function check()
{
</span><span>if</span>(empty($_POST[<span>'</span><span>user</span><span>'</span>]) || empty($_POST[<span>'</span><span>password</span><span>'</span><span>]))
{
$</span><span>this</span>->msg(<span>'</span><span>帐号信息输入错误!</span><span>'</span>,<span>0</span><span>);
}
</span><span>//</span><span>获取帐号信息</span>
<span>/*</span><span>
这里是漏洞关键,程序未对用户的输入进行正确的过滤、转义
</span><span>*/</span><span>
$info </span>= model(<span>'</span><span>login</span><span>'</span>)->user_info($_POST[<span>'</span><span>user</span><span>'</span><span>]);
</span><span>//</span><span>进行帐号验证</span>
<span>if</span><span>(empty($info))
{
$</span><span>this</span>->msg(<span>'</span><span>登录失败! 无此管理员帐号!</span><span>'</span>,<span>0</span><span>);
}
</span><span>if</span>($info[<span>'</span><span>password</span><span>'</span>] <> md5($_POST[<span>'</span><span>password</span><span>'</span><span>]))
{
$</span><span>this</span>->msg(<span>'</span><span>登录失败! 密码错误!</span><span>'</span>,<span>0</span><span>);
}
</span><span>if</span>($info[<span>'</span><span>status</span><span>'</span>]==<span>0</span><span>)
{
$</span><span>this</span>->msg(<span>'</span><span>登录失败! 帐号已禁用!</span><span>'</span>,<span>0</span><span>);
}
</span><span>//</span><span>更新帐号信息</span>
$data[<span>'</span><span>logintime</span><span>'</span>]=<span>time();
$data[</span><span>'</span><span>ip</span><span>'</span>]=<span>get_client_ip();
$data[</span><span>'</span><span>loginnum</span><span>'</span>]=intval($info[<span>'</span><span>loginnum</span><span>'</span>])+<span>1</span><span>;
model(</span><span>'</span><span>login</span><span>'</span>)->edit($data,intval($info[<span>'</span><span>id</span><span>'</span><span>]));
</span><span>//</span><span>更新登录记录</span>
model(<span>'</span><span>log</span><span>'</span>)-><span>login_log($info);
</span><span>//</span><span>设置登录信息</span>
$_SESSION[$<span>this</span>->config[<span>'</span><span>SPOT</span><span>'</span>].<span>'</span><span>_user</span><span>'</span>]=$info[<span>'</span><span>id</span><span>'</span><span>];
model(</span><span>'</span><span>user</span><span>'</span>)->current_user(<span>false</span><span>);
$</span><span>this</span>->msg(<span>'</span><span>登录成功!</span><span>'</span>,<span>1</span><span>);
}</span>
5. 防御方法
/admin/module/loginMod.class.php
<span>//</span><span>登陆检测</span>
<span>public</span><span> function check()
{
</span><span>if</span>(empty($_POST[<span>'</span><span>user</span><span>'</span>]) || empty($_POST[<span>'</span><span>password</span><span>'</span><span>]))
{
$</span><span>this</span>->msg(<span>'</span><span>帐号信息输入错误!</span><span>'</span>,<span>0</span><span>);
}
</span><span>//</span><span>sql注入防御</span>
$_POST[<span>'</span><span>user</span><span>'</span>] = addslashes($_POST[<span>'</span><span>user</span><span>'</span><span>]);
$_POST[</span><span>'</span><span>password</span><span>'</span>] = addslashes($_POST[<span>'</span><span>password</span><span>'</span><span>]);
</span><span>//</span><span>获取帐号信息</span>
<span>/*</span><span>
这里是漏洞关键,程序未对用户的输入进行正确的过滤、转义
</span><span>*/</span><span>
$info </span>= model(<span>'</span><span>login</span><span>'</span>)->user_info($_POST[<span>'</span><span>user</span><span>'</span><span>]);
</span><span>//</span><span>进行帐号验证</span>
<span>if</span><span>(empty($info))
{
$</span><span>this</span>->msg(<span>'</span><span>登录失败! 无此管理员帐号!</span><span>'</span>,<span>0</span><span>);
}
</span><span>if</span>($info[<span>'</span><span>password</span><span>'</span>] <> md5($_POST[<span>'</span><span>password</span><span>'</span><span>]))
{
$</span><span>this</span>->msg(<span>'</span><span>登录失败! 密码错误!</span><span>'</span>,<span>0</span><span>);
}
</span><span>if</span>($info[<span>'</span><span>status</span><span>'</span>]==<span>0</span><span>)
{
$</span><span>this</span>->msg(<span>'</span><span>登录失败! 帐号已禁用!</span><span>'</span>,<span>0</span><span>);
}
</span><span>//</span><span>更新帐号信息</span>
$data[<span>'</span><span>logintime</span><span>'</span>]=<span>time();
$data[</span><span>'</span><span>ip</span><span>'</span>]=<span>get_client_ip();
$data[</span><span>'</span><span>loginnum</span><span>'</span>]=intval($info[<span>'</span><span>loginnum</span><span>'</span>])+<span>1</span><span>;
model(</span><span>'</span><span>login</span><span>'</span>)->edit($data,intval($info[<span>'</span><span>id</span><span>'</span><span>]));
</span><span>//</span><span>更新登录记录</span>
model(<span>'</span><span>log</span><span>'</span>)-><span>login_log($info);
</span><span>//</span><span>设置登录信息</span>
$_SESSION[$<span>this</span>->config[<span>'</span><span>SPOT</span><span>'</span>].<span>'</span><span>_user</span><span>'</span>]=$info[<span>'</span><span>id</span><span>'</span><span>];
model(</span><span>'</span><span>user</span><span>'</span>)->current_user(<span>false</span><span>);
$</span><span>this</span>->msg(<span>'</span><span>登录成功!</span><span>'</span>,<span>1</span><span>);
}</span>
6. 攻防思考
Copyright (c) 2014 LittleHann All rights reserved
PHP怎么学习?PHP怎么入门?PHP在哪学?PHP怎么学才快?不用担心,这里为大家提供了PHP速学教程(入门到精通),有需要的小伙伴保存下载就能学习啦!
Copyright 2014-2025 https://www.php.cn/ All Rights Reserved | php.cn | 湘ICP备2023035733号
11059
收藏
取消收藏
