Code Audit: KKCMS CAPTCHA Logic Vulnerability

The login page \kkcms\admin\cms_login.php checks the CAPTCHA:

The CAPTCHA is generated in
\kkcms\system\verifycode.php:

<?php
session_start();
$image = imagecreate(50, 34);
$bcolor = imagecolorallocate($image, 0, 0, 0);
$fcolor = imagecolorallocate($image, 255, 255, 255);
$str = '0123456789';
$rand_str = '';
for ($i = 0; $i < 4; $i++){
	$k = mt_rand(1, strlen($str));
	$rand_str .= $str[$k - 1];
}
$_SESSION['verifycode'] = $rand_str;
imagefill($image, 0, 0, $bcolor);
imagestring($image, 7, 7, 10, $rand_str, $fcolor);
header('content-type:image/png');
imagepng($image);
?>

How the login page is loaded:

If the JS is not loaded, the value of $_SESSION['verifycode'] stays the same, which gives a CAPTCHA replay vulnerability:
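
One way to make the check single-use on the server side, as an added example that is not KKCMS code. The helper name check_verifycode() and the verifycode form field are assumptions; only the $_SESSION['verifycode'] key comes from the page.

```php
<?php
// Added example, not KKCMS code. check_verifycode() is a hypothetical helper;
// only the session key 'verifycode' is taken from the page.

/**
 * Validate the submitted CAPTCHA against the session and consume it.
 * The stored value is removed on every attempt, pass or fail, so a
 * client that never re-requests verifycode.php cannot reuse an old answer.
 */
function check_verifycode(array &$session, $submitted): bool
{
    // Take the expected value out of the session before comparing.
    $expected = $session['verifycode'] ?? null;
    unset($session['verifycode']);

    // No CAPTCHA issued (or already consumed): reject. This also blocks
    // an empty-vs-empty match when the image was never requested.
    if (!is_string($expected) || $expected === '') {
        return false;
    }
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    // Constant-time comparison of the two strings.
    return hash_equals($expected, $submitted);
}

// Constructed demonstration using a plain array in place of $_SESSION.
$session = ['verifycode' => '4821'];           // value as set by verifycode.php
var_dump(check_verifycode($session, '4821'));  // first submission of the correct answer
var_dump(check_verifycode($session, '4821'));  // same answer sent again without a new image
var_dump(check_verifycode($session, ''));      // no CAPTCHA left in the session

// In a login handler (form field name assumed) this would be called as:
//   session_start();
//   if (!check_verifycode($_SESSION, $_POST['verifycode'] ?? '')) { /* reject login */ }
```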

posted @ 2019-08-17 20:44  卿先生