phpspy2010 绕过登陆破绽解析-PHP Tutorial-php.cn

phpspy2010 绕过登陆破绽解析

WBOY

Release： 2016-06-13 10:40:11

Original

1005 people have browsed it

phpspy2010 绕过登陆漏洞解析

??? phpspy2010可谓是webshell界很不错的一个工具，但是phpspy2010 和2011相继爆出了绕过认证漏洞，我简单分析下php2010的绕过漏洞，首先据说只有php2010的加密版才有这个漏洞，我大概看了下官方解释，估计也只有加密版才有这个问题，而且看上去应该是个失误。。。

????? 下面具体分析：附件是2010的源代码，由于是加密的eval执行base64解密，

把eval改成echo就可以输出源代码了。

代码核心部分如下

$admin = array();// 是否需要密码验证, true 为需要验证, false 为直接进入.下面选项则无效$admin['check'] = true;// 如果需要密码验证,请修改登陆密码$admin['pass']  = 'f4f068e71e0d87bf0ad51e6214ab84e9'; //angel								//如您对 cookie 作用范围有特殊要求, 或登录不正常, 请修改下面变量, 否则请保持默认// cookie 前缀$admin['cookiepre'] = '';// cookie 作用域$admin['cookiedomain'] = '';// cookie 作用路径$admin['cookiepath'] = '/';// cookie 有效期$admin['cookielife'] = 86400;

Copy after login

error_reporting(7);@set_magic_quotes_runtime(0);ob_start();$mtime = explode(' ', microtime());$starttime = $mtime[1] + $mtime[0];define('SA_ROOT', str_replace('\\', '/', dirname(__FILE__)).'/');define('IS_WIN', DIRECTORY_SEPARATOR == '\\');define('IS_COM', class_exists('COM') ? 1 : 0 );define('IS_GPC', get_magic_quotes_gpc());$dis_func = get_cfg_var('disable_functions');define('IS_PHPINFO', (!eregi("phpinfo",$dis_func)) ? 1 : 0 );@set_time_limit(0);foreach(array('_GET','_POST') as $_request) {	foreach($$_request as $_key => $_value) {		if ($_key{0} != '_') {			if (IS_GPC) {				$_value = s_array($_value);			}			$$_key = $_value;		}	}}//???ò???÷???????????à??!$writabledb && $writabledb = 'php,cgi,pl,asp,inc,js,html,htm,jsp';$charsetdb = array('','armscii8','ascii','big5','binary','cp1250','cp1251','cp1256','cp1257','cp850','cp852','cp866','cp932','dec8','eucjpms','euckr','gb2312','gbk','geostd8','greek','hebrew','hp8','keybcs2','koi8r','koi8u','latin1','latin2','latin5','latin7','macce','macroman','sjis','swe7','tis620','ucs2','ujis','utf8');if ($charset == 'utf8') {	header("content-Type: text/html; charset=utf-8");} elseif ($charset == 'big5') {	header("content-Type: text/html; charset=big5");} elseif ($charset == 'gbk') {	header("content-Type: text/html; charset=gbk");} elseif ($charset == 'latin1') {	header("content-Type: text/html; charset=iso-8859-2");} elseif ($charset == 'euckr') {	header("content-Type: text/html; charset=euc-kr");} elseif ($charset == 'eucjpms') {	header("content-Type: text/html; charset=euc-jp");}$self = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];$timestamp = time();/*===================== ?í·??é?¤ =====================*/if ($action == "logout") {	scookie('loginpass', '', -86400 * 365);	p('<meta http-equiv="refresh" content="1;URL='.$self.'">');	p('<a style="font:12px Verdana" href="'.$self.'">Success</a>');	exit;}if($admin['check']) {	if ($doing == 'login') {		if ($admin['pass'] == md5($password)) {			scookie('loginpass', md5($password));			p('<meta http-equiv="refresh" content="1;URL='.$self.'">');			p('<a style="font:12px Verdana" href="'.$self.'">Success</a>');			exit;		}	}	if ($_COOKIE['loginpass']) {		if ($_COOKIE['loginpass'] != $admin['pass']) {			loginpage();		}	} else {		loginpage();	}}

Copy after login

这个代码以拥有两个部分，第一个部分就是不加密的部分，这里需要用户填写登录密码，问题就发生在这里，密码存到了

admin['pass']中，而在第二部分解密出来的php代码中，才接受了用户传递过来的参数，这样用户可以自己构造md5加密后的admin['pass']，覆盖掉第一部分定义好的，以及password，从而通过

	if ($admin['pass'] == md5($password)) {			scookie('loginpass', md5($password));			p('<meta http-equiv="refresh" content="1;URL='.$self.'">');			p('<a style="font:12px Verdana" href="'.$self.'">Success</a>');			exit;		}

Copy after login

?如图就是修改后的传递参数

?注意admin['pass']是md5加密的。

2011据说也是类似的漏洞，但是我只找到了后来更新过的版本，这个版本中，定义pass的语句下移，放到了

foreach($_POST as $key => $value) {	if (IS_GPC) {		$value = s_array($value);	}	$$key = $value;}

Copy after login

的后面，从而修正了这个bug。

Php8, I'm coming too

Learn website layout in 30 minutes

Shangguan Oracle Beginner to Proficient Video Tutorial

Your first line of UNI-APP code

Flutter from scratch to app launch

Brother Lian New Linux Video Tutorial

AXURE 9 Video Tutorial (Suitable for Product Manager Interactive Product Design UI)

Zero Basic Proficiency PS Video Tutorial

16 day UI video tutorial to get you started

PS Techniques and Slicing Techniques Video Tutorial

Alibaba Cloud Environment Construction and Project Launch Video Tutorial

Overview of Computer Networks - Basic Knowledge that Programmers Must Master

Essential Tutorial for Programmers - HTTP Protocol Explanation

Websocket Video Tutorial

phpspy2010 绕过登陆破绽解析