CMS Live

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2102

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2435

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2451

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2456

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2461

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2467

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2479

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2496

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2497

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2498

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2499

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2517

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2518

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2519

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2520

Deprecated: Non-static method MagicWord::get() should not be called statically, assuming $this from incompatible context in /home/clients/newman_ftp0/domains/wiki.pws.ru/html/includes/Parser.php on line 2550
Материал из Newman's WiKi.

Версия 18:55, 14 мая 2009 WikiSysop (Обсуждение | вклад) ← К предыдущему изменению		Текущая версия WikiSysop (Обсуждение | вклад) (→Создание модулей (plugins))
Строка 17:		Строка 17:
	Анализ вот этого кусочка из файла '''include/auth/admin/default.php'''		Анализ вот этого кусочка из файла '''include/auth/admin/default.php'''
	<pre>		<pre>
-	if ((isset($_COOKIE["adminname"])) && (strlen($_COOKIE["adminname"]) >= $this->options["min_user_login_length"]) && (isset($_COOKIE["admin_identify"])) && (strlen($_COOKIE["admin_identify"]) >= $this->options["min_user_password_length"])) {	+	if ((isset($_COOKIE["adminname"])) && (strlen($_COOKIE["adminname"]) >= $this->options["min_user_login_length"])
		+	&& (isset($_COOKIE["admin_identify"]))
		+	&& (strlen($_COOKIE["admin_identify"]) >= $this->options["min_user_password_length"])) {
	$adminname = $_COOKIE["adminname"];		$adminname = $_COOKIE["adminname"];
	$password_hash = $_COOKIE["admin_identify"];		$password_hash = $_COOKIE["admin_identify"];
		+	$db->init_query("SELECT id FROM {prefix}users WHERE name=[name] AND passwd=[password]");
		+	$db->add_param("name", $adminname, "string");
		+	$db->add_param("password", $password_hash, "string");
	</pre>		</pre>
	подсказывает нам что для удачного входа нужен только доступ к базе данных. Создать же нужные куки не проблема. Firefox с установленым плагинов webdeveloper позволяет сделать это за несколько минут.		подсказывает нам что для удачного входа нужен только доступ к базе данных. Создать же нужные куки не проблема. Firefox с установленым плагинов webdeveloper позволяет сделать это за несколько минут.
	== Создание модулей (plugins) ==		== Создание модулей (plugins) ==
		+
		+	[[Категория:Опыт]]

---

Текущая версия

CMS Live - самописная система управления контентом.

Содержание 1 Вход в админ панель без пароля 1.1 Хак исходников 1.2 Через cookie 2 Создание модулей (plugins)

Вход в админ панель без пароля

Хак исходников

Для входа в админ панель нужно знать любой логин и иметь доступ к исходным файлам системы. Логин можно узнать из базы, если к ней есть доступ, либо подобрать. Итак, логин мы знаем. Находим файл include/auth/admin/default.php и находим в нем проверку пароля

if (md5($_POST_GET["password"] . md5($user_regdate . $_POST_GET["password"])) == $user_password) {
$user = new User($user_id);

и делаем так что бы условие всегда было истинно. Например вот так:

if (true || md5($_POST_GET["password"] . md5($user_regdate . $_POST_GET["password"])) == $user_password) {

Теперь вводим существующий логин и любой набор символов. Удачно заходим в систему, меняем пароль. Теперь можно убирать наш хак и заходить под логином и известным нам паролем.

Через cookie

Анализ вот этого кусочка из файла include/auth/admin/default.php

if ((isset($_COOKIE["adminname"])) && (strlen($_COOKIE["adminname"]) >= $this->options["min_user_login_length"]) 
&& (isset($_COOKIE["admin_identify"])) 
&& (strlen($_COOKIE["admin_identify"]) >= $this->options["min_user_password_length"])) {
	$adminname = $_COOKIE["adminname"];
	$password_hash = $_COOKIE["admin_identify"];
	$db->init_query("SELECT id FROM {prefix}users WHERE name=[name] AND passwd=[password]");
	$db->add_param("name", $adminname, "string");
	$db->add_param("password", $password_hash, "string");

подсказывает нам что для удачного входа нужен только доступ к базе данных. Создать же нужные куки не проблема. Firefox с установленым плагинов webdeveloper позволяет сделать это за несколько минут.

Создание модулей (plugins)