Discuz Forum auto-blasting tools principles of analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201562761
Type myhack58
Reporter 佚名
Modified 2015-05-23T00:00:00


Recently broke about the use of social work library blasting Discuz Forum user name and password of the tool, causing a lot of Forum user information leakage, the analysis works as follows. Here Discuz determines whether the access IP of main with the following logic: private function _get_client_ip() { $ip = $_SERVER[;REMOTE_ADDR;]; if (isset($_SERVER[;HTTP_CLIENT_IP;]) && preg_match(‘/^([0-9]{1,3}\.) {3}[0-9]{1,3}$/’, $_SERVER[;HTTP_CLIENT_IP;])) { $ip = $_SERVER[;HTTP_CLIENT_IP;]; } elseif(isset($_SERVER[;HTTP_X_FORWARDED_FOR;]) AND preg_match_all(‘#\d{1,3}\.\ d{1,3}\.\ d{1,3}\.\ d{1,3}#s’, $_SERVER[;HTTP_X_FORWARDED_FOR;], $matches)) { foreach ($matches[0] AS $xip) { if (! preg_match(‘#^(10/172\.16|1 9 2\.168)\.#’, $xip)) { $ip = $xip; break; } } } return $ip; } If the HTTP HEAD in the presence of the clientip is determined as clientip, if there XFF header, it is determined that for the XFF, and if they are not, then direct access to the$_SERVER[;REMOTE_ADDR;] it. In fact, this logic is flawed, if our own configured HTTP HEAD and on the inside added clientip, XFF field, you can easily bypass the DZ of riot force to guess the mechanism, the DZ will only seal off our fake clientip, XFF IP, and does not limit the real IP. 0×0 1 DZ Anti-riot force to break the firing mechanism Here I am in DZ X2. 5, for example, to track The user login logic, a login execution class_member. php under on_login (), where DZ will first determine the user login the number of failures is greater than 4, that is, its anti-bursting mechanism, here to perform logincheck()function, as shown ! Continue to talk to here can see this fetch_username will go pre_common_failedlogin this table to query the number of logon failures, and here is the$_G[‘clientip’] ! On$_G[‘clientip’]acquisition of the content is mentioned earlier that _get_client_ip function implementation, as shown ! ! Here fetch_username will go pre_common_failedlogin this table the query log the number of failures, as shown ! Continue to track behind the content, and then back to the logincheck code behind this$return here will determine the query record and the distance of the last failed login time is greater than 1 5 minutes, here return$return is 0, indicating that the failed login number is greater than 4 times, ! !

[1] [2] next