Summary of common admin back-end bypass methods in PHP open-source programs

Posted by fierce at 2020-03-03


Recently I audited several open-source PHP programs and found that their admin back ends could be bypassed, each in a different way, so I wrote this summary. The bypasses fall into three levels: 1. the back end lacks verification code; 2. the back-end verification code is not rigorous; 3. a variable overwrite vulnerability causes the back-end verification to fail.

Here are a few PHP source programs that I have audited.

Missing verification in the back end

For example, the back end of axublog 1.0.2 has a function chkadcookie() that verifies the administrator's login. However, ad/art.php in the back end never calls chkadcookie(), which results in unauthorized access.


The principle of this vulnerability is simple: an inexperienced developer forgot to call the verification function. Nowadays this kind of vulnerability is relatively rare.

Back-end verification code is not rigorous

This is the most common kind of vulnerability, and it shows up in many odd forms.

Axublog back-end verification function bypass

Verification method

The back-end verification function in axublog is chkadcookie(), and the code is as follows:

    function chkadcookie() {
        @$file = "../cache/txtchkad.txt";
        @$fp = fopen($file, "r");
        @$txtchkad = fread($fp, 4096);
        $txtchkad2 = str_replace(@$_COOKIE["chkad"], '', $txtchkad);
        if (@$_SESSION["chkad"] == '' && @$_COOKIE["chkad"] == '') {
            header("Content-type:text/html; charset=utf-8");
            echo '<div id=redmsg>请<a href="login.php">登录</a>。。。</div><script>tiao();</script>';
            exit;
        }
        if ($txtchkad == $txtchkad2) {
            header("Content-type:text/html; charset=utf-8");
            echo '<div id=redmsg>请<a href="login.php">登录</a>。。。</div><script>tiao();</script>';
            exit;
        }
    }

    function loginpass($str) {
        $txtchkad = $_SERVER['HTTP_USER_AGENT'] . '_' . $_SERVER['REMOTE_ADDR'] . '_' . $date;
        $file = "../cache/txtchkad.txt";
        if (file_exists($file)) {
            $txt = file_get_contents($file);
            $txt = $txtchkad . "\r\n" . $txt;
        }
        file_put_contents($file, $txt);
    }

Analyzing the code reveals two interesting problems. 1. The txtchkad.txt file records, for each client, $_SERVER['HTTP_USER_AGENT'] . '_' . $_SERVER['REMOTE_ADDR'] . '_' . $date; only $date is unknown to us, while the User-Agent and REMOTE_ADDR are controlled by the client. 2. The validation logic of $txtchkad2 = str_replace(@$_COOKIE["chkad"], '', $txtchkad); followed by ($txtchkad == $txtchkad2) is that if the value of the chkad cookie appears anywhere in txtchkad.txt, the request is treated as logged in. Such verification logic has obvious problems.


The problem is obvious: we know the content of txtchkad.txt, and the cookie is under our control, so the check can be bypassed.


Bypass method

Just set the chkad cookie to "_" to bypass the back-end login.
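As an added example (not axublog's code), this is how the cookie check could be rebuilt so that no client-supplied value takes part in what is stored: a random token is issued at login, only its SHA-256 digest is kept server side (one digest per line, mirroring the page's cache-file layout; the path is an assumption), and verification compares the whole presented value with hash_equals() instead of a substring test.

```php
<?php
// Added example, not axublog's code: a replacement for the substring test in chkadcookie().
// The token store path below is assumed; a database table would serve equally well.
declare(strict_types=1);

const TOKEN_STORE = __DIR__ . '/cache/chkad_tokens.txt';   // assumed path

/** Call after the password check succeeds; returns the token the caller puts in the cookie. */
function issue_admin_token(string $store = TOKEN_STORE): string {
    $token = bin2hex(random_bytes(32));         // 256 bits from the CSPRNG; nothing client-derived
    file_put_contents($store, hash('sha256', $token) . "\n", FILE_APPEND | LOCK_EX);
    // Caller: setcookie('chkad', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    return $token;
}

/** True only when the cookie is a well-formed token whose digest equals one stored line. */
function is_valid_admin_token($cookie, string $store = TOKEN_STORE): bool {
    if (!is_string($cookie) || !preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return false;                           // empty, array-valued or malformed cookies are rejected outright
    }
    if (!is_file($store)) {
        return false;
    }
    $presented = hash('sha256', $cookie);
    foreach (file($store, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $stored) {
        if (hash_equals($stored, $presented)) { // whole-value, constant-time comparison
            return true;
        }
    }
    return false;
}

/** Drop-in guard for the admin pages: a failed check redirects and terminates the request. */
function chkadcookie(): void {
    if (!is_valid_admin_token($_COOKIE['chkad'] ?? null)) {
        header('Location: login.php', true, 302);
        exit;
    }
}
```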


Back-end verification function bypass of zzcms

Verification method

The back-end verification code in zzcms is as follows:

    if (isset($_SESSION["admin"]) && isset($_SESSION["pass"])) {
        $sql = "select * from zzcms_admin where admin='" . $_SESSION["admin"] . "'";
        $rs = query($sql) or showmsg('查寻管理员信息出错');
        $ok = is_array($row = fetch_array($rs));
        if ($ok) {
            if ($_SESSION["pass"] != $row['pass']) {
                showmsg('管理员密码不正确,你无权进入该页面', '/admin/login.php');
            }
        } else {
            showmsg('管理员已不存在,你无权进入该页面', '/admin/login.php');
        }
    } else {
        session_write_close();
        echo("<script>top.location.href = '/admin/login.php';</script>");
    }
    ?>

It can be seen that if admin and pass do not exist in the session, the code jumps to the login page. The jump code is echo("<script>top.location.href = '/admin/login.php';</script>");, which redirects through JavaScript in the front end but is not followed by an immediate exit(), so the code after it still executes and this verification is useless.


Bypass method

The bypass method is very simple: just disable JavaScript in the browser.
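As an added example (not zzcms code), this is the same guard written so that the request actually ends when the check fails: the refusal is logged, a server-side redirect is sent, and exit() stops everything below the guard. $fetchAdmin is an assumed callable that looks up the admin row (a prepared statement in practice) and returns null when the account no longer exists.

```php
<?php
// Added example, not zzcms code. A JavaScript redirect is only advice to the browser;
// exit() is what stops the rest of the script from running for an unauthenticated request.
declare(strict_types=1);

/** Log the refusal, send the browser to the login page, and end the request here. */
function deny_and_exit(string $reason): void {
    error_log(sprintf('admin guard refused (%s) from %s', $reason, $_SERVER['REMOTE_ADDR'] ?? 'cli'));
    session_write_close();
    header('Location: /admin/login.php', true, 302);
    exit;                                   // nothing below the guard runs for this request
}

/** Returns the admin row when session and database agree; otherwise never returns. */
function require_admin(callable $fetchAdmin): array {
    if (empty($_SESSION['admin']) || empty($_SESSION['pass'])) {
        deny_and_exit('no admin session');
    }
    $row = $fetchAdmin((string) $_SESSION['admin']);   // assumed lookup, null if the admin is gone
    if ($row === null) {
        deny_and_exit('admin no longer exists');
    }
    if (!hash_equals((string) $row['pass'], (string) $_SESSION['pass'])) {
        deny_and_exit('stored password changed');   // strict, constant-time comparison
    }
    return $row;
}

// Usage at the top of every admin page (lookup_admin() is an assumed helper):
// $admin = require_admin(fn(string $name) => lookup_admin($name));
```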

Variable overwrite vulnerability causes back-end verification to fail

Back-end verification function bypass of beescms

Verification method

The login check function is is_login():

    function is_login() {
        if ($_SESSION['login_in'] == 1 && $_SESSION['admin']) {
            if (time() - $_SESSION['login_time'] > 3600) {
                login_out();
            } else {
                $_SESSION['login_time'] = time();
                @session_regenerate_id();
            }
            return 1;
        } else {
            return 0;
        }
    }

Under normal circumstances, if the user cannot control the values in the session, the above code is fine.

However, further analysis found that every file includes includes/init.php, which contains the following code:

    session_start();
    $_COOKIE = fl_value($_COOKIE);
    $_GET = fl_value($_GET);
    @extract($_POST);
    @extract($_GET);
    @extract($_COOKIE);

    function fl_value($str) {
        if (empty($str)) {
            return;
        }
        return preg_replace('/select|insert | update | and | in | on | left | joins | delete |\%|\=|\/\*|\*|\.\.\/|\.\/| union | from | where | group | into |load_file|outfile/i', '', $str);
    }

In the code above, $_POST is not filtered by fl_value() at all, but it is passed to extract(), so by sending POST parameters we can overwrite the values in the session and bypass the verification.


Bypass method

The bypass method is very simple. Visit a page and send the following POST request:

    index.php
    POST: _SESSION[login_in]=1&_SESSION[admin]=1&_SESSION[login_time]=99999999999

The session variables are created successfully: $_SESSION['login_in'] = 1, $_SESSION['admin'] = 1 and $_SESSION['login_time'] = 99999999999. Then visit the administrator page and you are logged in.
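As an added example (not beescms code), this is the defensive replacement for the extract() calls in includes/init.php: request values are copied through an allow-list, so a key named _SESSION can never become a variable, and a small detector reports request keys that would alias a superglobal so the attempt can be logged. The allow-list contents and the constructed request body are assumptions.

```php
<?php
// Added example, not beescms code. Replaces @extract($_POST) / @extract($_GET) / @extract($_COOKIE)
// with an allow-list reader and a detector for superglobal-shaped request keys.
declare(strict_types=1);

// Assumption: these are the only request parameters the application's pages read.
const ALLOWED_PARAMS = ['page', 'id', 'keyword'];

/** Copy only allow-listed scalar values out of the request; nested arrays never pass. */
function read_request(array $get, array $post, array $cookie): array {
    $params = [];
    foreach (ALLOWED_PARAMS as $name) {
        $value = $post[$name] ?? $get[$name] ?? $cookie[$name] ?? null;
        if (is_string($value)) {
            $params[$name] = $value;
        }
    }
    return $params;
}

/** Names of request keys that would overwrite a superglobal if they were fed to extract(). */
function superglobal_injection_attempts(array ...$sources): array {
    $hits = [];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            if (preg_match('/^(GLOBALS|_(SESSION|GET|POST|COOKIE|SERVER|FILES|REQUEST|ENV))$/', (string) $key)) {
                $hits[] = (string) $key;
            }
        }
    }
    return array_values(array_unique($hits));
}

// Constructed request body: the array PHP builds from the POST shown on this page.
$constructedPost = [
    '_SESSION' => ['login_in' => '1', 'admin' => '1', 'login_time' => '99999999999'],
    'page'     => 'index',
];

$attempts = superglobal_injection_attempts($constructedPost, $_GET, $_COOKIE);
if ($attempts !== []) {
    error_log('rejected superglobal overwrite attempt: ' . implode(',', $attempts));
}
// Only allow-listed scalars survive; $_SESSION is never touched, so is_login() reads real session state.
$params = read_request($_GET, $constructedPost, $_COOKIE);
```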


When I started learning code auditing I found these problems very interesting, so I summarized them. Of course there are other kinds of back-end bypass methods, and I hope you can give me more advice.