【摘要】## 前台任意用户登录 global $dsql;if($kptime==-1){$this->M_KeepTime=3600*24*7;}else{$this->M_KeepTime=$kptime;}$formcache=FAL...

## 前台任意用户登录

```php
global $dsql;
if($kptime==-1){
    $this->M_KeepTime = 3600 * 24 * 7;
}else{
    $this->M_KeepTime = $kptime;
}
$formcache = FALSE;
$this->M_ID = $this->GetNum(GetCookie("DedeUserID"));
$this->M_LoginTime = GetCookie("DedeLoginTime");
$this->fields = array();
$this->isAdmin = FALSE;
if(empty($this->M_ID)){
    $this->ResetUser();
}else{
    $this->M_ID = intval($this->M_ID);
    if ($cache){
        $this->fields = GetCache($this->memberCache, $this->M_ID);
        if( empty($this->fields) ){
            $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
        } else {
            $formcache = TRUE;
        }
    } else {
        $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
    }
    if(is_array($this->fields)){
        #api{{
        if(defined('UC_API') && @include_once DEDEROOT.'/uc_client/client.php')
        {
            if($data = uc_get_user($this->fields['userid'])){
                if(uc_check_avatar($data[0]) && !strstr($this->fields['face'],UC_API)){
                    $this->fields['face'] = UC_API.'/avatar.php?uid='.$data[0].'&size=middle';
                    $dsql->ExecuteNoneQuery("UPDATE `#@__member` SET `face`='".$this->fields['face']."' WHERE `mid`='{$this->M_ID}'");
                }
            }
        }
        #/aip}}
        //间隔一小时更新一次用户登录时间
        if(time() - $this->M_LoginTime > 3600){
            $dsql->ExecuteNoneQuery("update `#@__member` set logintime='".time()."',loginip='".GetIP()."' where mid='".$this->fields['mid']."';");
            PutCookie("DedeLoginTime",time(),$this->M_KeepTime);
        }
```

我们首先跟入 GetCookie 对 userid 的操作：

```php
function GetCookie($key)
{
    global $cfg_cookie_encode;
    if( !isset($_COOKIE[$key]) || !isset($_COOKIE[$key.'__ckMd5']) ){
        return '';
    }else{
        if($_COOKIE[$key.'__ckMd5']!=substr(md5($cfg_cookie_encode.$_COOKIE[$key]),0,16)){
            return '';
        }else{
            return $_COOKIE[$key];
        }
    }
}
```

可以看见这就是一个获取 cookie 的操作，但是中间还存在一次通过 key 做 MD5 后的比较，用来防止伪造 cookie。我们接着看 return 出来后的 GetNum：

```php
function GetNum($fnum)
{
    $fnum = preg_replace("/[^0-9\.]/", '', $fnum);
    return $fnum;
}
```

相当于声明类型，只不过使用 preg 以正则的方式来限制。

```php
$this->M_ID = intval($this->M_ID);
if ($cache){
    $this->fields = GetCache($this->memberCache, $this->M_ID);
    if( empty($this->fields) ){
        $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
    } else {
        $formcache = TRUE;
    }
} else {
    $this->fields = $dsql->GetOne("Select * From `#@__member` where mid='{$this->M_ID}' ");
}
```

接着通过获取的 userid 进行数据库查询，当查询出内容非空的时候则进行下面的操作。这里 dede 只对用户 id 是否存在于数据库做了一个简单的查询，并未做其它的校验操作。

```php
$this->M_LoginID = $this->fields['userid'];
$this->M_MbType = $this->fields['mtype'];
$this->M_Money = $this->fields['money'];
$this->M_UserName = FormatUsername($this->fields['uname']);
$this->M_Scores = $this->fields['scores'];
$this->M_Face = $this->fields['face'];
$this->M_Rank = $this->fields['rank'];
$this->M_Spacesta = $this->fields['spacesta'];
$sql = "Select titles From #@__scores where integral<={$this->fields['scores']} order by integral desc";
$scrow = $dsql->GetOne($sql);
$this->fields['honor'] = $scrow['titles'];
$this->M_Honor = $this->fields['honor'];
if($this->fields['matt']==10) $this->isAdmin = TRUE;
$this->M_UpTime = $this->fields['uptime'];
$this->M_ExpTime = $this->fields['exptime'];
$this->M_JoinTime = MyDate('Y-m-d',$this->fields['jointime']);
if($this->M_Rank>10 && $this->M_UpTime>0){
    $this->M_HasDay = $this->Judgemember();
```

完后将按 userid 查询出的用户信息赋值于对应的变量，所以这里可以确定前台任意登录的隐患。但是因为在 cookie 获取的过程中有一个通过 key 做 md5 后的校验，导致利用困难。但是在下面的代码中：

```php
$last_vtime = GetCookie('last_vtime');
$last_vid = GetCookie('last_vid');
if(empty($last_vtime)){
    $last_vtime = 0;
}
if($vtime - $last_vtime > 3600 || !preg_match('#,'.$uid.',#i', ','.$last_vid.',') ){
    if($last_vid!=''){
        $last_vids = explode(',',$last_vid);
        $i = 0;
        $last_vid = $uid;
        foreach($last_vids as $lsid){
            if($i>10){
                break;
            }else if($lsid != $uid){
                $i++;
                $last_vid .= ','.$last_vid;
            }
        }
    }else{
        $last_vid = $uid;
    }
```

通过 GetCookie 获取 last_vid，但因为我们不知道 key，所以没办法伪造内容，导致 return 返回空，所以无法进行下面的操作。但是在 else 中发现会将 uid 的值赋值于 last_vid：

```php
PutCookie('last_vid', $last_vid, 3600*24, '/');
```

并且在下面直接就进行了 PutCookie。我们现在需要确认 uid 是否有做校验或类型声明的操作：

```php
$uid=empty($uid)? "" : RemoveXSS($uid);
if(empty($action)) $action = '';
if(empty($aid)) $aid = '';
```

可以看见 uid 并未进行什么操作，只单纯对 xss 进行防护。但是在下面有通过 uid 进行数据库查询，但因为 uid 是 uname 标识，所以办法直接伪造!
