A little program I ran across while going after a site, so I hopped over and had a look at the source. And then the tragedy happened! Source of admin/login.php:

```php
<?php
session_start();
include "../include/databaseConfig.inc.php";
$admin = $_POST['admin'];
$pass  = md5($_POST['pass']);
$codes = $_POST['codes'];
if($_GET['action']){
    // this is where it goes wrong!
    /*
    if($result=$db->Execute("select * from x_admin where a_admin='".$admin."'")){
        if($rs=mysql_fetch_object($result)){
            if($rs->a_pws==$pass){
                if($codes!=$_SESSION['code']){
                    unset($_SESSION['code']);
                    echo "<script type=\"text/javascript\"><!-- alert('验证码错误!');location.href='Login.php'; // --></script>";
                }
                else{
                    $_SESSION['kgj_admin']=$admin;
                    $result = $DB->query("UPDATE x_admin SET ip = '$_SERVER[REMOTE_ADDR]' WHERE id ='$rs->id'");
                    header("location:index.php");
                }
            }
            else {
                echo "<script type=\"text/javascript\"><!-- alert('密码错误!');location.href='Login.php'; // --></script>";
            }
        }
        else{
            echo "<script type=\"text/javascript\"><!-- alert('帐号错误!');location.href='Login.php'; // --></script>";
        }
    }
    */
    // that block is commented out, so we ignore it.
    $sql="select * from xx_admin where adminuser='$admin'";
    $result=$db->Execute($sql);
    //print_r ($result);
    if($admin==$result->fields['adminuser']){
        if($pass==$result->fields['adminpass']){
            $_SESSION['kgj_admin']=$admin;
            header("location:index.php");
        }else{
            echo "<script type=\"text/javascript\"><!-- alert('密码错误') // --></script>";
        }
    }else{
        echo "<script type=\"text/javascript\"><!-- alert('帐号错误') // --></script>";
    }
    $_SESSION['kgj_admin']=$admin; // this is the fatal line! whether or not the password is correct, as long as data was submitted the session is granted here
    //header("location:index.php");
}
while(($authnum=rand()%10000)<1000);
?>
```

Testing is simple: log in once with any account and password you like, then go straight to the admin page index.php and you're in. There aren't really any sites to test it on, though; the little program is just for us to study.
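For comparison, here is how the same handler looks with the session assigned only on the success path. This is an added example, not the program's own code: it assumes `$db` is a PDO connection, keeps the `xx_admin` table and `adminuser`/`adminpass` columns from the page, and assumes `adminpass` holds a `password_hash()` value instead of the unsalted md5 the original compared.

```php
<?php
// Added example (not the original program's code). Assumes databaseConfig.inc.php
// defines a PDO handle $db and that adminpass stores a password_hash() value.
session_start();
include "../include/databaseConfig.inc.php";

function login(PDO $db, string $admin, string $pass, string $codes): bool
{
    // Check the CAPTCHA first and discard it whether or not it matched,
    // so one code cannot be replayed across attempts.
    $expected = $_SESSION['code'] ?? null;
    unset($_SESSION['code']);
    if ($expected === null || !hash_equals($expected, $codes)) {
        return false;
    }

    // Parameterised query; the original interpolated $admin straight into SQL.
    $stmt = $db->prepare("SELECT adminuser, adminpass FROM xx_admin WHERE adminuser = ?");
    $stmt->execute([$admin]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A missing row and a wrong password both fail the same way.
    if ($row === false || !password_verify($pass, $row['adminpass'])) {
        return false;
    }

    // Only here, after every check passed, is the session marked as logged in.
    // Regenerating the id also stops a pre-planted session cookie from being reused.
    session_regenerate_id(true);
    $_SESSION['kgj_admin'] = $row['adminuser'];
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($db, $_POST['admin'] ?? '', $_POST['pass'] ?? '', $_POST['codes'] ?? '');
    header('Location: ' . ($ok ? 'index.php' : 'Login.php'));
    exit;
}
```

The structural difference from the original is that there is exactly one assignment to `$_SESSION['kgj_admin']`, and no code path reaches it without passing the password check.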