Author: Mind
What follows is not a vulnerability in the strict sense.
This program has very few files that interact with ordinary users: only the guestbook (message book) and the website/URL submission form.
I have read both of them in detail several times; it does not seem possible to exploit them.
However, the analysis below may still be useful.
That leaves only the admin backend.
Every request to the backend passes through admin/index.php before any other file is used,
so that is where to start.
index.php:
<?
require '../init.php';
if (empty($_GET['c']) || ($_GET['c'] == 'login' && (empty($_GET['a']) || $_GET['a'] == 'login')) || $_GET['c'] == 'securimage')
// Only the login and securimage controllers run without authentication: one is the login page, the other is the captcha.
{}
else
{
    mod_auth::instance(); // permission check
    session_write_close();
}
load_controller();
?>
Now look at the mod_auth file:
$auth = mod_login::instance();
if (!$auth->is_login())
{
    header("location: ./index.php?c=login");
}
// After testing, the redirect cannot be bypassed simply by ignoring the Location header, because further checks exist elsewhere. I assumed that was the end of it, but later I found that the cookies are never cleared.
$auth is whatever instance() returns; no need to look at that.
Look at is_login() instead:
public function is_login()
{
    $cookie = array_var($_COOKIE, AUTH_KEY . '_admin_auth');
    // Read the cookie; AUTH_KEY is the constant "114la".
    if (isset($cookie) and !empty($cookie))
    // Only checks that it is non-empty .....
    {
        $cookie_data = explode(':', base64_decode($cookie));
        // "Decryption": base64-decode, then split on ':' into an array
        if (count($cookie_data) == 3)
        // Exactly three fields
        {
            $current_cookie_auth = $cookie_data[1];
            if ($current_cookie_auth == $this->get_user_agent())
            // get_user_agent() is:
            //     return md5(AUTH_KEY . '_' . $_SERVER['HTTP_USER_AGENT']);
            // i.e. "114la", an underscore, the browser's User-Agent string, then md5. Anyone can construct that value.
            {
                $current_cookie_username = $cookie_data[0];
                $current_cookie_password = $cookie_data[2];
                // See that? The account name and password are stored in the cookie.
                if (self::verify_login_in($cookie_data[0], $cookie_data[2]))
                // The code after this grants administrator rights.
                // verify_login_in() itself is:
                //     $password_md5 = md5($password);
                //     $select = "select * from ylmf_admin_user where `name`='$username' and `password`='$password_md5'";
                //     if (app_db::query($select))
                // ... (remaining lines not shown)
// That is the automatic-login code.
Now let's see how the 114la_admin_auth value is built.
Look at the login verification code:
if (self::verify_login_in($username, $password))
// $username and $password come straight from the POST login form.
{
    $auth_key = self::get_user_agent();
    // As parsed above, get_user_agent() is:
    //     return md5(AUTH_KEY . '_' . $_SERVER['HTTP_USER_AGENT']);
    // AUTH_KEY is the fixed string "114la", not randomly generated.
    $auth_password = $password;
    $auth_username = $username;
    // Nothing to parse in those two.
    self::update_login($username);
    // Record the login
    $cookie_value = base64_encode($auth_username . ':' . $auth_key . ':' . $auth_password);
    // The key part: account + the "114la"/User-Agent hash + password .....
    $cookie_expire = time() + 3600; // 20 minutes (sic: 3600 seconds is one hour)
    // Irrelevant here.
    $cook_pre = AUTH_KEY . '_admin_auth';
    // Cookie name prefix
    $_COOKIE[$cook_pre] = $cookie_value;
    // Ignore this line
    setcookie(AUTH_KEY . '_admin_auth', $cookie_value, $cookie_expire, PATH_COOKIE);
    // Write the cookie
    return true;
}
So the "decryption" is trivial: explode(':', base64_decode($cookie)).
That yields both the administrator's account name and password in plaintext.
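To make the weakness concrete from the defending side, here is an added example (not the 114la code) that decodes a constructed cookie in the format shown above and then shows a replacement scheme: the cookie carries no password, is bound to a server-side secret with an HMAC, has a server-enforced expiry, and is set with HttpOnly/Secure/SameSite. The names AUTH_SECRET, make_auth_cookie(), verify_auth_cookie() and auth_cookie_options() are hypothetical.

```php
<?php
// Added example, not part of the original program. All names below are hypothetical.

// What the original scheme stores: base64(user ':' md5("114la_" . UA) ':' password).
function decode_114la_style_cookie(string $cookie): array {
    return explode(':', base64_decode($cookie));   // third field is the plaintext password
}

// Hardened replacement: per-install secret loaded from config, never a fixed constant like "114la".
const AUTH_SECRET = 'replace-with-a-long-random-per-install-secret';   // hypothetical placeholder

// Token = urlsafe-base64(JSON payload) '.' HMAC-SHA256(payload, secret). No password inside.
function make_auth_cookie(string $username, int $ttl = 1200): string {
    $payload = json_encode([
        'u'   => $username,
        'exp' => time() + $ttl,                 // expiry checked on the server, not only via cookie lifetime
        'n'   => bin2hex(random_bytes(16)),     // nonce so two logins never yield the same token
    ]);
    $b64 = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    $sig = hash_hmac('sha256', $b64, AUTH_SECRET);
    return $b64 . '.' . $sig;
}

// Returns the username on success, null on any failure (malformed, tampered, expired).
function verify_auth_cookie(string $cookie): ?string {
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $sig] = $parts;
    $expected = hash_hmac('sha256', $b64, AUTH_SECRET);
    if (!hash_equals($expected, $sig)) {        // constant-time comparison
        return null;
    }
    $payload = json_decode(base64_decode(strtr($b64, '-_', '+/')), true);
    if (!is_array($payload) || !isset($payload['u'], $payload['exp'])) {
        return null;
    }
    if ($payload['exp'] < time()) {
        return null;
    }
    return (string) $payload['u'];
}

// Cookie attributes: scoped to the admin path, not readable by script, HTTPS only, not sent cross-site.
function auth_cookie_options(int $ttl = 1200): array {
    return [
        'expires'  => time() + $ttl,
        'path'     => '/admin/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ];
}

// Demo with a constructed sample cookie in the original format.
$sample = base64_encode('admin:' . md5('114la_Mozilla/5.0') . ':hunter2');
print_r(decode_114la_style_cookie($sample));        // [0] => admin, [1] => <md5>, [2] => hunter2

$token = make_auth_cookie('admin');
var_dump(verify_auth_cookie($token));               // string(5) "admin"
var_dump(verify_auth_cookie($token . 'x'));         // NULL: signature no longer matches
var_dump(verify_auth_cookie('a.b'));                // NULL: malformed

if (PHP_SAPI !== 'cli') {
    setcookie('admin_auth', $token, auth_cookie_options());
}
```

Even with a signed token, a cookie that leaks still grants access until it expires; the server-side expiry and a short TTL bound that window, and a server-side session table would allow immediate revocation on logout, which the original scheme cannot do at all.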
How can the administrator's cookie be obtained? Through the website submission feature!
Put a snippet on the homepage of the submitted site that reads the cookie and writes it to a file. It is not quite that simple, though (note: cookies cannot be read cross-origin!).
Because the administrator must be logged in to the backend to review submitted sites, it is enough for the administrator to view your site while the 114la_admin_auth cookie is set.
99% of reviewers will open the submitted site and check whether it passes without reading anything else .... It could not be more basic.
Note: XSS is not used to steal the cookie, because no XSS has been found in this program so far; the only user-facing features are the guestbook and the website submission form.
Instead, the administrator is led to open your PHP site, which obtains the needed cookies.
Obtaining the administrator's cookie is the "0-day" here, and it is social engineering: the administrator who reviews submitted sites must already be logged in (that is the precondition) in order to check whether your site is worth listing.
The exploitation method is obvious, but it requires a targeted approach!
PS: how would your site obtain the target site's cookies? This is a cross-domain situation, so is it hard without planting a trojan? Could phishing be used? Only then is the cookie actually stolen.
---- Admin supplement ----
C:\>nc www.114la.com 80
GET /url.php?n=%0d%0a%20<script>alert(/xxxx/)</script> HTTP/1.1
Cookie: PHPSESSID=72d4f5acfea3dca011a03d7a2aabb9c5; xxadboo=; layout=1; mailid=10; cnzz_a30002711=0; sin30002711=javascript%3AYP8DcqS0CXjo5VL2%28%29%3C%3E; rtime30002711=0; ltime30002711=1295677010546; cnzz_eid30002711=6762761-1295677143-javascript%3AYP8DcqS0CXjo5VL2%28%29%3C%3E
Host: www.114la.com
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

HTTP/1.0 200 OK
Date: Sat, 22 Jan 2011 10:23:11 GMT
Server: Apache
Content-Disposition: attachment; filename="
 <script>alert(/xxxx/)</script>"
Cache-Control: max-age=259200
Expires: Tue, 25 Jan 2011 10:23:11 GMT
Content-Length: 279
Content-Type: application/octet-stream
Powered-By-ChinaCache: MISS from CNC-BJ-D-3S1
Connection: keep-alive

[DEFAULT]
BASEURL=http://www.114la.com/?desk
[InternetShortcut]
URL=http://www.114la.com/?desk
IDList=
IconFile=http://www.114la.com/favicon.ico
[{000214A0-0000-0000-C000-000000000046}]
Prop3=19,2
[InternetShortcut.A]
[InternetShortcut.W]
IconFile=E:+AFyPb072fxaPkQBc-favicon.ico
C:\>
Unfortunately, with Content-Type: application/octet-stream this HTTP response header injection cannot be turned into cross-site scripting. Does anyone know how?
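The transcript above shows a user-supplied value reaching the Content-Disposition header with its %0d%0a intact. As an added example from the defending side (not part of the admin's note or the 114la code), here is a hypothetical helper that detects CR/LF in untrusted input and builds the header safely; the names safe_content_disposition() and contains_crlf() are assumed.

```php
<?php
// Added example, not part of the original program. Helper names are hypothetical.

// True if the value could split or inject a header line.
function contains_crlf(string $value): bool {
    return (bool) preg_match('/[\r\n]/', $value);
}

// Builds a Content-Disposition header value from an untrusted filename.
function safe_content_disposition(string $name): string {
    // Drop all control characters, including CR and LF, so the header cannot be split.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    if ($name === '') {
        $name = 'download';
    }
    // The quoted-string form is limited to printable ASCII with quotes and backslashes escaped.
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $name);
    $ascii = str_replace(['\\', '"'], ['\\\\', '\\"'], $ascii);
    // filename* (RFC 5987) carries the UTF-8 original, percent-encoded, for clients that support it.
    return 'attachment; filename="' . $ascii . '"; filename*=UTF-8\'\'' . rawurlencode($name);
}

// Constructed sample: the decoded query value from the transcript above.
$injected = urldecode('%0d%0a%20<script>alert(/xxxx/)</script>');

var_dump(contains_crlf($injected));      // bool(true): reject the request or log it before header() is reached
echo safe_content_disposition($injected), "\n";
// attachment; filename=" <script>alert(/xxxx/)</script>"; filename*=UTF-8''%20%3Cscript%3E...
```

Two points worth checking in a review: PHP's own header() function refuses values containing a newline (it has done so since PHP 5.1.2), so a response like the one above indicates either an old runtime or a header written by some other path, and logging every request whose parameters contain CR/LF is a cheap detection for this class of probing regardless of which path built the header.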