牧星php网站信息管理系统session欺骗0day及修复
<DIV><FONT size=2>一个小程序在拿站时发现了这个程序,于是跨过去看了下源码。<BR> 悲剧就发生了!<BR> 作者:落叶<BR> 源码如下:(admin/login.php)<BR> 01 <?<BR> 02 session_start();<BR> 03 include "../include/databaseConfig.inc.php";<BR> 04 $admin = $_POST['admin'];<BR> 05 $pass = md5($_POST['pass']);<BR> 06 $codes = $_POST['codes'];<BR> 07 if($_GET['action'])...{ //这里开始错误!<BR> 08 /* 这里注释掉了我们就不管了。<BR> 09 if($result=$db->Execute("select * from x_admin where a_admin='".$admin."'"))...{<BR> 10 if($rs=mysql_fetch_object($result))...{<BR> 11 if($rs->a_pws==$pass)...{<BR> 12 if($codes!=$_SESSION['code'])...{<BR> 13 unset($_SESSION['code']);<BR> 14 echo "<script>alert('验证码错误!');location.href='Login.php';</script>";<BR> 15 }<BR> 16 else...{<BR> 17 $_SESSION['kgj_admin']=$admin;<BR> 18 $result = $DB->query("UPDATE x_admin SET ip = '$_SERVER' WHERE id ='$rs->id'");<BR> 19 header("location:index.php");<BR> 20 }<BR> 21 }<BR> 22 else<BR> 23 ...{<BR> 24 echo "<script>alert('密码错误!');location.href='Login.php';</script>";<BR> 25 }<BR> 26 }<BR> 27 else...{<BR> 28 echo "<script>alert('帐号错误!');location.href='Login.php';</script>";<BR> 29 }<BR> 30 }*/<BR> 31 $sql="select * from xx_admin where adminuser='$admin'";<BR> 32 $result=$db->Execute($sql);<BR> 33 //print_r ($result);<BR> 34 if($admin==$result->fields)...{<BR> 35 if($pass==$result->fields)...{<BR> 36 $_SESSION['kgj_admin']=$admin;<BR> 37 header("location:index.php");<BR> 38 }else...{<BR> 39 echo "<script>alert('密码错误')</script>";<BR> 40 }<BR> 41 }else...{<BR> 42 echo "<script>alert('帐号错误')</script>";<BR> 43 }<BR> 44 $_SESSION['kgj_admin']=$admin; //这里致命了!其他不解释了!<BR> 45 //header("location:index.php");<BR> 46 }<BR> 47 while(($authnum=rand()%10000)<1000);<BR> 48 ?><BR> 测试很简单随便输入帐号密码登录一边然后在直接访问后台管理页面index.php就OK了<BR> 不过也没测试的站点把。小程序只是给我们研究下的!</FONT></DIV>
页:
[1]