如有乐享博客第三方登录模块漏洞
-
2020年2月14日更新:马甲一直以为是由于app key泄露导致的没恶意注册,换了新的APP KEY后 还是不行。看来确实是代码上处理有问题!
——————————————————
最近如有乐享,用户注册模块被恶意注册了5000多用户。
初步判断是利用微博三方登陆 渠道注册进来的。
目前还不知道是 微博三方登陆有问题?还是多梦主题三方登陆有漏洞。马甲后台查了一下,从7月份开始就有人陆续利用BUG注册
,最近貌似注册的最疯狂~ 可能漏洞被公开了临时解决方案:
1)关闭微博三方登陆
2)在Nginx修改一下配置,将微博登陆回调返回403location ~/?connect=weibo* { return 403; }3)清理现有垃圾数据。
查看从微博注册进来用户的IDselect DISTINCT user_id from wp_usermeta where meta_key ='dmeng_avatar' and meta_value='weibo'#新建临时表a 只有一个字段ID insert into a select DISTINCT user_id from wp_usermeta where meta_key ='dmeng_avatar' and meta_value='weibo' and user_id >26900user_id >26900 如有博客ID大于 26900 的都可能存在异常,自己根据数据去判断
#查询所有注册过平台但是没有登录过的账号
select ID from wp_users where id not in (select distinct user_id from wp_usermeta where meta_key='dmeng_latest_login')删除数据!(提前备份,免的出错!!!)
delete from wp_users where id in (SELECT id from a)
delete from wp_usermeta where user_id in (SELECT id from a)
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register LoginPopular Topics - 热门主题
-
04825
-
03253
-
03288
