Principle Analysis of automatic cracking tools on Discuz Forum

Principle Analysis of automatic cracking tools on Discuz Forum

Recently, tools used to crack the Discuz Forum username and password by using a social engineering database have leaked many large forum user information. The analysis principles are as follows.
Here, Discuz determines that the access IP address mainly uses the following logic:
 

private function _get_client_ip() {                   $ip = $_SERVER[;REMOTE_ADDR;];                   if (isset($_SERVER[;HTTP_CLIENT_IP;]) && preg_match(‘/^([0-9]{1,3}\.){3}[0-9]{1,3}$/’, $_SERVER[;HTTP_CLIENT_IP;])) {                            $ip = $_SERVER[;HTTP_CLIENT_IP;];                   } elseif(isset($_SERVER[;HTTP_X_FORWARDED_FOR;]) AND preg_match_all(‘#\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}#s’, $_SERVER[;HTTP_X_FORWARDED_FOR;], $matches)) {                            foreach ($matches[0] AS $xip) {                                     if (!preg_match(‘#^(10|172\.16|192\.168)\.#’, $xip)) {                                               $ip = $xip;                                               break;                                     }                            }                   }                   return $ip;}

If clientip exists in the http head, it is regarded as clientip. If an XFF header exists, it is regarded as XFF. If neither of them exists, $ _ SERVER [; REMOTE_ADDR;] is taken directly. In fact, this logic has a vulnerability. If we construct an http head and add the clientip and XFF fields to it, we can easily bypass the DZ anti-Brute Force speculation mechanism, DZ only blocks the forged clientip and xff ip addresses without limiting the real IP addresses.
0 × 01 DZ anti-brute force cracking mechanism
Here, we take DZ X2.5 as an example to track the user login logic and log on to the on_login () under class_member.php. Here, DZ will first determine whether the number of user logon failures is greater than 4, that is, its explosion-proof mechanism. Here, the logincheck () function is executed,

We can see that this fetch_username will go to the pre_common_failedlogin table to query the number of Logon failures. Here, $ _ G ['clientip'] is used.

The content obtained by $ _ G ['clientip'] is the _ get_client_ip function implementation mentioned above,


Here, fetch_username will go to the pre_common_failedlogin table to query the number of Logon failures,

Continue to track the following content and return to the logincheck code. The $ return code later checks whether the query record and the time from the last logon failure are more than 15 minutes, $ return is 0, indicating that the number of Logon failures is greater than 4,

Because 0 is returned here, the logon Failure prompt is returned when you enter showmessage ('login _ strike.

The returned result is as follows:

The above content only analyzes the mechanism of DZ to prevent brute force cracking, we can see that when the http head has both client-ip, X-FORWARDED-FOR and $ _ SERVER ['remote _ ADDR, DZ takes the client-ip, X-FORWARDED-FOR as the source IP, so the blocked is always client-ip or XFF, without affecting the real connection IP. Let's go back to the problem. The tool is used to construct brute-force request cracking. As for the use of the social engineering database, however, some interfaces provided by known social engineering websites are used to hit the database to query user passwords, such as www.bkjia.com.
0 × 02 temporary solution
Enable the verification code. Here we use DZ X2.5 as an example ,:


As for Credential stuffing by social engineering, it is no different from normal login behavior. Therefore, we recommend that you change the password as soon as possible and set a strong password. Avoid using a unified password for multiple accounts.