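The only issues circulating online for the Axi website promotion system (阿西网站推广系统) are its SQL vulnerabilities; the cookie-spoofing vulnerability found by fans does not seem to have been published by anyone!

First, the source of axphp.php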
------------------------------------------------
<tr>
<td>账号:</td>
<td><form method="post" action="login.php"> // submits to the handler login.php
<input tabindex="1" type="text" name="adminname" class="texta" onkeyup="value=value.replace(/[^\w\.\/]/ig,'')" /></td>
<td rowspan="2"><input type="submit" value="登录" class="submit" /></td>
</tr>
<tr>
<td>密码:</td>
<td><input tabindex="2" type="password" name="adminpass" class="textb" /></td></form>

login.php code
-------------------------------------------------
require '../config.php';
$adminname = $_POST['adminname'];
$adminpass = $_POST['adminpass'];
$adminpass .= "Axphp.com";
$adminpass = md5($adminpass);
$adminsql = "select * from axphp_admin where adminname='$adminname' and adminpass='$adminpass'";
$adminery = mysql_query($adminsql, $config);
$adminnum = mysql_num_rows($adminery);
if ($adminnum == "1") { // if the username and password are correct, set the cookies
    setcookie("admin", "Y", time() + 3600, '/'); // set cookie admin='Y'
    setcookie("admin_name", $adminname, time() + 3600, '/'); // set the admin_name cookie
    header("location:axadmin.php"); // if the username and password are correct, redirect to the admin page
} else {
    header("location:axphp.php");
}

Next, the code of axadmin.php
-----------------------------------------------
<?php
require 'check.php'; // cookie validation file; we follow this one next.
require '../template/axadmin/head.php';
require '../template/axadmin/banner.php';
require '../template/axadmin/main.php';
require '../template/axadmin/bottom.php'
?>

check.php code
-------------------------------------
<?php
error_reporting(0);
isset($_COOKIE['admin'])?$check=$_COOKIE['admin']:$check=null; 
// All that is required is that $_COOKIE['admin'] is not empty
isset($_COOKIE['admin_name'])?$admin_user=$_COOKIE['admin_name']:$user=null;
// Same here: the value only has to be non-empty.
if($check==null){header("Location:../index.php");exit;}
?>
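
One way to harden the check that check.php performs, as an added example that is not part of the original post or of the Axphp code: login.php would set a cookie holding the admin name, an expiry time and an HMAC over both, and check.php would verify that HMAC instead of testing for a non-empty value. AUTH_KEY, issue_admin_token() and verify_admin_token() are hypothetical names, and the key and sample cookies are constructed.

```php
<?php
// Added example, not Axphp code. The admin cookie carries name, expiry and
// an HMAC over both, so a client-chosen value is rejected.
// AUTH_KEY and both function names are hypothetical; the key is constructed.
const AUTH_KEY = 'constructed-demo-key-replace-with-random-secret';

function issue_admin_token(string $adminName, int $now, int $ttl = 3600): string
{
    $payload = base64_encode($adminName) . '.' . ($now + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, AUTH_KEY);
}

// Returns the authenticated admin name, or null if the cookie must be refused.
function verify_admin_token(?string $token, int $now): ?string
{
    if ($token === null) {
        return null;
    }
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$nameB64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $nameB64 . '.' . $expires, AUTH_KEY);
    if (!hash_equals($expected, $mac)) {      // constant-time comparison
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    $name = base64_decode($nameB64, true);
    return $name === false ? null : $name;
}

// Constructed sample cookies, checked the way check.php would check them.
$now  = time();
$good = issue_admin_token('admin', $now);
$cases = [
    'issued by login.php' => $good,
    'client-set "Y"'      => 'Y',
    'name swapped'        => base64_encode('root') . substr($good, strpos($good, '.')),
    'expired'             => issue_admin_token('admin', $now - 7200),
    'cookie absent'       => null,
];
foreach ($cases as $label => $cookie) {
    $who = verify_admin_token($cookie, $now);
    printf("%-20s => %s\n", $label, $who === null ? 'rejected' : "accepted as $who");
}
```

PHP's server-side sessions (session_start() plus a flag in $_SESSION set by login.php) achieve the same result without a custom token format.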

When reposting this article, please credit the source: 小马's Blog https://www.i0day.com

Permalink: https://www.i0day.com/161.html