DedeCMS security configuration: adding an admin-login authentication code
More and more people use Dede, which attracts all kinds of attention, and with it all kinds of vulnerabilities and intrusions. Recently yet another vulnerability was disclosed that supposedly affects every version. Indeed, I did a bit of Google hacking and basically every 5.5-5.7 install I tested was affected, but MD5 is the weak point; I won't say more about that.
In essence it is nothing more than adding one extra form check to the back-end login page: a "management authentication code", the kind you know from PowerEasy (动易) and EmpireCMS (帝国). It is a local string comparison, not a database lookup, so no SQL query can retrieve it; running into this kind of login during an intrusion is the most frustrating and hopeless situation.
First, the two files we need to change: /(admin path)/templets/login.htm, which is the back-end login page, and /(admin path)/login.php, which processes the submitted login.
Let's modify login.htm first. Your template may differ, so adapt it yourself. The following is the code that checks that the form fields are not empty; it can be placed directly in the HTML or linked in from a JS file:
<script type="text/javascript">
<!--
var closestr = 0;

// Put the cursor in the username field on page load
function SetFocus() {
    var df = document.form1;
    if (df.userid.value == '') df.userid.focus();
    else df.userid.select();
}

// Runs from the form's onsubmit: refuse to submit while any field is empty
function CheckForm() {
    var df = document.form1;
    if (df.userid.value == '') {
        alert('请输入用户名!');
        df.userid.focus();
        return false;
    }
    if (df.pwd.value == '') {
        alert('请输入密码!');
        df.pwd.focus();
        return false;
    }
    if (df.validate.value == '') {
        alert('请输入您的验证码!');
        df.validate.focus();
        return false;
    }
    if (df.vacodes.value == '') {
        alert('请输入您的认证码!');
        df.vacodes.focus();
        return false;
    }
    return true;  // all fields filled, let the submit proceed
}
//-->
</script>

This is my form markup and submit input. The authentication-code input is simply a copy of the username or password input with the name changed. The code is as follows:
<form name="form1" id="form1" method="post" action="login.php" onsubmit="return CheckForm();">
<input type="hidden" name="gotopage" value="<?php if(!empty($gotopage)) echo $gotopage;?>" />
<input type="hidden" name="dopost" value="login" />
<ul>
<li><span>用户名:</span>
<input type="text" name="userid" class="input_out" maxlength="20" style="width:148px;" onfocus="this.className='input_on';this.onmouseout=''" onblur="this.className='input_off';this.onmouseout=function(){this.className='input_out'};" onmousemove="this.className='input_move'" onmouseout="this.className='input_out'" /></li>
<li><span>密 码:</span>
<input type="password" name="pwd" class="input_out" maxlength="20" style="width:148px;" onfocus="this.className='input_on';this.onmouseout=''" onblur="this.className='input_off';this.onmouseout=function(){this.className='input_out'};" onmousemove="this.className='input_move'" onmouseout="this.className='input_out'" /></li>
<li><span>认证码:</span>
<input type="password" name="vacodes" class="input_out" maxlength="20" style="width:148px;" onfocus="this.className='input_on';this.onmouseout=''" onblur="this.className='input_off';this.onmouseout=function(){this.className='input_out'};" onmousemove="this.className='input_move'" onmouseout="this.className='input_out'" /></li>
<li><span>验证码:</span>
<input name="validate" type="text" id="vdcode" style="width:50px;text-transform:uppercase;" onfocus="this.className='input_on';this.onmouseout=''" onblur="this.className='input_off';this.onmouseout=function(){this.className='input_out'};" onmousemove="this.className='input_move'" onmouseout="this.className='input_out'" class="input_out" />
<img id="vdimgck" src="include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" onclick="this.src=this.src+'?'" /></li>
<li><span></span>
<input name="Submit" type="image" style="width:60px; HEIGHT: 25px;" src="img/submit.gif" width="60" height="27" /></li>
</ul>
</form>

Next comes the server-side check in /login.php. Around line 50 of that file there is the comment //登录检测 (login check); we embed our verification inside the following block:
if(!empty($userid) && !empty($pwd))
{
    $res = $cuserLogin->checkUser($userid, $pwd);
    //success
    if($res == 1)
    {

The check is nested inside that block, like this:

if(!empty($userid) && !empty($pwd))
{
    $res = $cuserLogin->checkUser($userid, $pwd);
    //success
    if($res == 1)
    {
        // nest it in here!
        $uservacodes = isset($_POST['vacodes']) ? $_POST['vacodes'] : '';  // copy the submitted vacodes field into a variable
        if($uservacodes != '认证码自定义')  // replace '认证码自定义' with your own authentication code!
        {
            // not equal: reject the login and reset the image captcha
            ResetVdValue();
            ShowMsg('认证码不正确!', 'login.php', 0, 1000);
            die;
        }
        else
        {
            // equal: complete the login as login.php did before
            $cuserLogin->keepUser();
            if(!empty($gotopage))
            {
                ShowMsg('成功登录,正在转向管理管理主页!', $gotopage);
                die;
            }
            else
            {
                ShowMsg('成功登录,正在转向管理管理主页!', 'index.php');
                die;
            }
        }
    }
    // the rest of login.php (the other $res branches) follows unchanged

Explanation: the image captcha is checked first, then the username, then the password, and the authentication code last, so that the authentication code cannot be brute-forced.
Note: the braces {} of the if blocks must match up, otherwise you will get an error; Notepad++ is convenient for making the edit.
You can also turn the value in the authentication-code comparison into a variable defined in an included file, such as the config file. Do that yourself; for my personal blog I don't bother with that much flexibility. Other site source code is much the same: find the login page and the submission handler and modify them.
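As an added example (not code from this post or from DedeCMS), here is the variant the previous paragraph suggests: the authentication code is kept in a separate include file as a password_hash() value rather than as a literal in login.php, and it is compared with password_verify(), which is constant-time, instead of the plain `!=` above. The file name data/vacode.inc.php, the function names check_vacode() and vacode_ok(), and PHP 5.5 or newer are assumptions.

```php
<?php
// Added example, not DedeCMS code. The admin "authentication code" exists on disk only
// as a password_hash() value in a separate include file and is checked with password_verify().
// Assumes PHP >= 5.5; the file and function names below are hypothetical.

// ---- data/vacode.inc.php (hypothetical; keep it outside the web root or deny HTTP access) ----
// Generate the stored value once on the command line, then paste it into that file:
//   php -r 'echo password_hash("your-code", PASSWORD_DEFAULT), PHP_EOL;'
// $cfg_vacode_hash = '$2y$10$...';   // placeholder for the generated bcrypt hash

/**
 * Returns true only when $input is a non-empty string matching the stored hash.
 * Rejecting non-strings up front means a submitted vacodes[]=x array is refused before
 * it reaches password_verify(); password_verify() itself compares in constant time,
 * so a wrong guess takes the same time whether its first or last character is off.
 */
function check_vacode($input, $hash)
{
    if (!is_string($input) || $input === '' || !is_string($hash) || $hash === '') {
        return false;
    }
    return password_verify($input, $hash);
}

/**
 * The decision login.php needs: true means the login may proceed.
 * $post is the request array (normally $_POST), passed in so the check is testable.
 */
function vacode_ok(array $post, $hash)
{
    $submitted = isset($post['vacodes']) ? $post['vacodes'] : '';
    return check_vacode($submitted, $hash);
}

// Self-check with a constructed code; in production only the hash is stored.
if (PHP_SAPI === 'cli') {
    $demo_hash = password_hash('example-code', PASSWORD_DEFAULT);
    $cases = array(
        'correct code'  => vacode_ok(array('vacodes' => 'example-code'), $demo_hash),
        'wrong code'    => vacode_ok(array('vacodes' => 'example-cod3'), $demo_hash),
        'array input'   => vacode_ok(array('vacodes' => array('x')), $demo_hash),
        'missing field' => vacode_ok(array(), $demo_hash),
    );
    foreach ($cases as $label => $ok) {
        printf("%-14s -> %s\n", $label, $ok ? 'accepted' : 'rejected');
    }
}
```

In login.php you would include data/vacode.inc.php next to the other configuration includes and replace the line `if($uservacodes != '认证码自定义')` with `if(!vacode_ok($_POST, $cfg_vacode_hash))`, keeping the ResetVdValue()/ShowMsg() rejection branch from the post. Because that branch already resets the image captcha, every wrong guess at the authentication code costs the sender a fresh captcha as well, which is what keeps the code from being guessed quickly; storing only a hash additionally means that a leaked copy of the config file does not reveal the code itself.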