This has already been posted on 习科, so here I'll post a part that differs from the 习科 version.
This is the method 习科 published; I'm recording it here.
/admin/privilege.php
if (!empty($ec_salt))
{
    /* check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login, suppliers_id, ec_salt" .
           " FROM " . $ecs->table('admin_user') .
           " WHERE user_name = '" . $_POST['username'] . "' AND password = '" . md5(md5($_POST['password']) . $ec_salt) . "'";
}
else
{
    /* check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login, suppliers_id, ec_salt" .
           " FROM " . $ecs->table('admin_user') .
           " WHERE user_name = '" . $_POST['username'] . "' AND password = '" . md5($_POST['password']) . "'";
}
... (omitted)
if (isset($_POST['remember']))
{
    $time = gmtime() + 3600 * 24 * 365;
    setcookie('ECSCP[admin_id]', $row['user_id'], $time);
    setcookie('ECSCP[admin_pass]', md5($row['password'] . $_CFG['hash_code']), $time);
}
Where hash_code comes from:
$hash_code = $db->getOne("SELECT value FROM " . $ecs->table('shop_config') . " WHERE code='hash_code'");
/admin/includes/init.php
/* verify the administrator's identity */
if ((!isset($_SESSION['admin_id']) || intval($_SESSION['admin_id']) <= 0) &&
    $_REQUEST['act'] != 'login' && $_REQUEST['act'] != 'signin' &&
    $_REQUEST['act'] != 'forget_pwd' && $_REQUEST['act'] != 'reset_pwd' && $_REQUEST['act'] != 'check_order')
{
    /* no session, check the cookie */
    if (!empty($_COOKIE['ECSCP']['admin_id']) && !empty($_COOKIE['ECSCP']['admin_pass']))
    {
        // cookie found, verify the cookie data
        $sql = 'SELECT user_id, user_name, password, action_list, last_login ' .
               ' FROM ' . $ecs->table('admin_user') .
               " WHERE user_id = '" . intval($_COOKIE['ECSCP']['admin_id']) . "'";
Below is another method I found myself:
setcookie($this->session_name,
          $this->session_id . $this->gen_session_key($this->session_id),
          0,
          $this->session_cookie_path,
          $this->session_cookie_domain,
          $this->session_cookie_secure);

function gen_session_id()
{
    $this->session_id = md5(uniqid(mt_rand(), true));
    return $this->insert_session();
}

function gen_session_key($session_id)
{
    static $ip = '';
    if ($ip == '')
    {
        $ip = substr($this->_ip, 0, strrpos($this->_ip, '.'));
    }
    return sprintf('%08x', crc32(ROOT_PATH . $ip . $session_id)); // this is the key part
}

function insert_session()
{
    // inserts the md5 of the random value as the session key
    return $this->db->query('INSERT INTO ' . $this->session_table . " (sesskey, expiry, ip, data) VALUES ('" . $this->session_id . "', '" . $this->_time . "', '" . $this->_ip . "', 'a:0:{}')");
}
As you can see, gen_session_key($session_id) is appended to the session id in the cookie:
sprintf('%08x', crc32(ROOT_PATH . $ip . $session_id)); // this is the key part
The IP here I can forge with X-Forwarded-For, and ECShop has plenty of path-disclosure bugs that reveal ROOT_PATH.
Session id obtained via injection: ba4e540d57452a517d50221a5dec781a
Compute ECSCP_ID
Logged in successfully
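Both cookies above fail for the same reason: the value a client must present is computed only from things an attacker can learn (a password hash and hash_code readable from the database, or ROOT_PATH plus a spoofable /24 prefix) with a keyless function (md5, crc32). The following is an added hardening example, not ECShop's own code. It replaces gen_session_key() and the ECSCP[admin_pass] cookie with HMAC-SHA256 tags under a secret that is stored outside the database and web root, and verifies them with hash_equals(). SECRET_FILE is a hypothetical path, and the cookie layout is my own.

```php
<?php
// Added hardening example; not ECShop's own code. It replaces the crc32-based
// gen_session_key() and the md5(password . hash_code) remember-me cookie shown
// above with HMAC-SHA256 tags keyed by a secret that lives outside the database,
// so dumping shop_config or the sessions table by SQL injection, and knowing
// ROOT_PATH and the client's /24 prefix, no longer yields a valid cookie.
// Assumption: SECRET_FILE is a hypothetical path outside the web root.

const SECRET_FILE = '/var/lib/ecshop/session_secret';

// Load the per-installation secret, generating it once (32 random bytes, mode 0600).
function load_secret(): string
{
    if (!is_file(SECRET_FILE)) {
        file_put_contents(SECRET_FILE, random_bytes(32));
        chmod(SECRET_FILE, 0600);
    }
    return file_get_contents(SECRET_FILE);
}

// Replacement for gen_session_key(): keyed MAC over the session id and the
// /24 prefix (the original's IP binding is kept, but the tag is no longer a
// keyless 32-bit checksum that anyone with the inputs can recompute).
function gen_session_key_hmac(string $session_id, string $ip_prefix, string $secret): string
{
    return hash_hmac('sha256', $session_id . '|' . $ip_prefix, $secret);
}

// Verify a cookie of the form <32-char session id><64-char hex tag>; returns the
// session id on success, null otherwise. hash_equals() avoids timing leaks.
function verify_session_cookie(string $cookie, string $ip_prefix, string $secret): ?string
{
    if (strlen($cookie) !== 32 + 64) {
        return null;
    }
    $session_id = substr($cookie, 0, 32);
    $tag        = substr($cookie, 32);
    $expected   = gen_session_key_hmac($session_id, $ip_prefix, $secret);
    return hash_equals($expected, $tag) ? $session_id : null;
}

// Replacement for ECSCP[admin_pass]: bind the admin id and an expiry under the
// MAC instead of deriving the value from the stored password hash and hash_code.
function make_remember_cookie(int $admin_id, int $expires, string $secret): string
{
    $payload = $admin_id . ':' . $expires;
    return $payload . ':' . hash_hmac('sha256', $payload, $secret);
}

// Returns the admin id if the cookie is well-formed, unexpired and authentic.
function verify_remember_cookie(string $cookie, int $now, string $secret): ?int
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$admin_id, $expires, $tag] = $parts;
    if (!ctype_digit($admin_id) || !ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $admin_id . ':' . $expires, $secret);
    return hash_equals($expected, $tag) ? (int) $admin_id : null;
}

// Self-check with constructed values (not from any real deployment).
$secret = random_bytes(32);                  // production code would call load_secret()
$sid    = md5(uniqid(mt_rand(), true));      // same session id format as the original
$cookie = $sid . gen_session_key_hmac($sid, '192.0.2', $secret);

if (verify_session_cookie($cookie, '192.0.2', $secret) !== $sid) {
    throw new RuntimeException('valid session cookie rejected');
}
if (verify_session_cookie($cookie, '198.51.100', $secret) !== null) {
    throw new RuntimeException('cookie accepted from a different /24');
}

$rc = make_remember_cookie(1, time() + 3600, $secret);
if (verify_remember_cookie($rc, time(), $secret) !== 1) {
    throw new RuntimeException('valid remember-me cookie rejected');
}
$tampered = '2' . substr($rc, 1);            // change the admin id, keep the old tag
if (verify_remember_cookie($tampered, time(), $secret) !== null) {
    throw new RuntimeException('tampered remember-me cookie accepted');
}
echo "all cookie checks passed\n";
```

Two design points: the secret never touches the database, so the SQL injection that dumps sesskey or hash_code gains nothing, and the remember-me value carries an explicit expiry under the MAC rather than relying on the cookie's own lifetime, which the client controls. Regenerating the session id after a successful login (session_regenerate_id() or the equivalent in cls_session) closes the remaining window in which a leaked pre-login id could be reused.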