X5music 后台登陆绕过+后台getshell
=================================
一、漏洞简介
------------
二、漏洞影响
------------
三、复现过程
------------
### 登录绕过
后台登陆验证逻辑存在问题 在/admin/admin\_login.php中
if($action=="login") {
$CD_Name=SafeRequest("CD_AdminUserName", "post");
$CD_Pass=md5(SafeRequest("CD_AdminPassWord", "post"));
$CD_Code=SafeRequest("CD_CheckCode", "post");
$logtime=date('Y-m-d H:i:s');
global $db;
if(cd_webcodea=='yes') {
if($CD_Code!=cd_webcodeb) {
showmessage("登录失败,认证码错误!", "admin_login.php", 0);
}
}
$sql="Select CD_ID from " . tname('admin') . " where CD_AdminUserName='" . $CD_Name . "' and CD_AdminPassWord='" . $CD_Pass . "' and CD_IsLock=0";
$CD_ID=$db->Getone($sql); //从数据库中返回1
if($CD_ID) {
$db->query("update " . tname('admin') . " set CD_LoginNum =CD_LoginNum +1,CD_LoginIP='" . $_SERVER['SERVER_ADDR'] . "',CD_LastLogin ='" . $logtime . "' where CD_ID='" . $CD_ID . "'");
$row=$db->Getrow("Select * from " . tname('admin') . " where CD_ID='" . $CD_ID . "' ");
setcookie("CD_AdminID", $row['CD_ID']);
setcookie("CD_AdminUserName", $row['CD_AdminUserName']);
setcookie("CD_AdminPassWord", md5($row['CD_AdminPassWord']));
setcookie("CD_Permission", $row['CD_Permission']);
setcookie("CD_Login", md5($row['CD_ID'] . $row['CD_AdminUserName'] . md5($row['CD_AdminPassWord']) . $row['CD_Permission']));
//showmessage("成功�
