Three minor questions about Ucserver

Three minor questions about Ucserver

A conditional SQL injection and two minor issues.

1. brute-force cracking.

The default Administrator of ucserver needs to enter the verification code for logon, and there is a limit on the number of logins, but in:

/Control/app. php does not limit the number of logins.


 

function onadd() {$ucfounderpw = getgpc('ucfounderpw', 'P');$apptype = getgpc('apptype', 'P');$appname = getgpc('appname', 'P');$appurl = getgpc('appurl', 'P');$appip = getgpc('appip', 'P');$viewprourl = getgpc('viewprourl', 'P');$appcharset = getgpc('appcharset', 'P');$appdbcharset = getgpc('appdbcharset', 'P');$apptagtemplates = getgpc('apptagtemplates', 'P');$appallowips = getgpc('allowips', 'P');if(md5(md5($ucfounderpw).UC_FOUNDERSALT) == UC_FOUNDERPW || (strlen($ucfounderpw) == 32 && $ucfounderpw == md5(UC_FOUNDERPW))) {

As long as the logon password is correct, you can add a client to connect to the ucserver and assign a uckey and database information.




 

else {//$return = "UC_STATUS_OK|$app[authkey]|$app[appid]|".UC_DBHOST.'|'.UC_DBNAME.'|'.UC_DBUSER.'|'.UC_DBPW.'|'.UC_DBCHARSET.'|'.UC_DBTABLEPRE.'|'.UC_CHARSET;$return = "$app[authkey]|$app[appid]|".UC_DBHOST.'|'.UC_DBNAME.'|'.UC_DBUSER.'|'.UC_DBPW.'|'.UC_DBCHARSET.'|'.UC_DBTABLEPRE.'|'.UC_CHARSET;}

2. When the uckey of the client is known, SQL injection is performed on the ucserver.



The code is in:

/Control/mail. php


 

function onadd() {$this->load('mail');$mail = array();$mail['appid']= $this->app['appid'];$mail['uids']= explode(',', $this->input('uids'));$mail['emails']= explode(',', $this->input('emails'));$mail['subject']= $this->input('subject');$mail['message']= $this->input('message');$mail['charset']= $this->input('charset');$mail['htmlon']= intval($this->input('htmlon'));$mail['level']= abs(intval($this->input('level')));$mail['frommail']= $this->input('frommail');$mail['dateline']= $this->time;return $_ENV['mail']->add($mail);}

$ Mail ['uid'] = explode (',', $ this-> input ('uid '));



In this Code, $ mail ['uids '] is finally entered into the SQL statement. The corresponding code is as follows:



Model/mail. php contains:


 

$mail['email_to'] = array();$uids = 0;foreach($mail['uids'] as $uid) {if(empty($uid)) continue;$uids .= ','.$uid;}$users = $this->db->fetch_all("SELECT uid, username, email FROM ".UC_DBTABLEPRE."members WHERE uid IN ($uids)");

$ Mail ['email _ to'] is put into $ uids, resulting in SQL injection.



3. Information Leakage: leakage of client applications and corresponding versions in ucserver



The code is in:

In control/app. php


 

function onls() {$this->init_input();$applist = $_ENV['app']->get_apps('appid, type, name, url, tagtemplates, viewprourl, synlogin');$applist2 = array();foreach($applist as $key => $app) {$app['tagtemplates'] = $this->unserialize($app['tagtemplates']);$applist2[$app['appid']] = $app;}return $applist2;}

Therefore, if $ this-> init_input (); runs correctly, the application and the corresponding version number in the ucserver will be thrown.



The api that uploads an avatar contains the information required by $ this-> input (). Let's take an official experiment.



Access after Logon:

Http://www.discuz.net/home.php? Mod = spacecp & ac = avatar


 

Obtain
 

http://uc.discuz.net/images/camera.swf?inajax=1&appid=13&input=2b310Oraxl%2BiVL8yXhYy7pJ5DkQOPHYLt2FRsTEIyOD3PMtxkbn%2FDKkzssQgMWYlBirpQPsYOuN4vT9J5mZF7V6Q%2BRD3A8GK9uBTSj8%2FCEOGkPH959sDeep%2FiFag6X8&agent=569b93c7d7e18a505d671ba495198a3a&ucapi=uc.discuz.net&avatartype=virtual&uploadSize=2048

Find out what we want


 

?inajax=1&appid=13&input=2b310Oraxl%2BiVL8yXhYy7pJ5DkQOPHYLt2FRsTEIyOD3PMtxkbn%2FDKkzssQgMWYlBirpQPsYOuN4vT9J5mZF7V6Q%2BRD3A8GK9uBTSj8%2FCEOGkPH959sDeep%2FiFag6X8&agent=569b93c7d7e18a505d671ba495198a3a&ucapi=uc.discuz.net&avatartype=virtual&uploadSize=2048

Click it to get:

Http://uc.discuz.net/index.php? M = app & a = ls & inajax = 1 & appid = 13 & input = 2b310Oraxl % signature % 2signature ag6x8 & agent = signature & ucapi = uc.discuz.net & avatartype = virtual & uploadSize = 2048



Access:


 

<? Xml version = "1.0" encoding = "ISO-8859-1"?> <Root> <item id = "14"> <item id = "appid"> <! [CDATA [14]> </item> <item id = "type"> <! [CDATA [UCHOME]> </item> <item id = "name"> <! [CDATA [uchome]> </item> <item id = "url"> <! [CDATA [ http://u.discuz.net/home ]> </Item> <item id = "tagtemplates"> <item id = "template"> <! [CDATA []> </item> <item id = "viewprourl"> <! [CDATA []> </item> <item id = "synlogin"> <! [CDATA [0]> </item> <item id = "9"> <item id = "appid"> <! [CDATA [9]> </item> <item id = "type"> <! [CDATA [OTHER]> </item> <item id = "name"> <! [CDATA [Manyou_UChome]> </item> <item id = "url"> <! [CDATA [ http://uchome.developer.manyou.com/uchome ]> </Item> <item id = "tagtemplates"> <item id = "template"> <! [CDATA []> </item> <item id = "viewprourl"> <! [CDATA [/space. php? Uid = % s]> </item> <item id = "synlogin"> <! [CDATA [1]> </item> <item id = "11"> <item id = "appid"> <! [CDATA [11]> </item> <item id = "type"> <! [CDATA [OTHER]> </item> <item id = "name"> <! [CDATA [handshaking]> </item> <item id = "url"> <! [CDATA [ http://sws.discuz.net/ ]> </Item> <item id = "tagtemplates"> <item id = "template"> <! [CDATA []> </item> <item id = "viewprourl"> <! [CDATA []> </item> <item id = "synlogin"> <! [CDATA [0]> </item> <item id = "13"> <item id = "appid"> <! [CDATA [13]> </item> <item id = "type"> <! [CDATA []> </item> <item id = "name"> <! [CDATA [Discuz!]> </Item> <item id = "url"> <! [CDATA [ http://www.discuz.net/ ]> </Item> <item id = "tagtemplates"> <item id = "template"> <! [CDATA [<a href = "{url }? Sid = "target =" _ blank "> {subject} </a>]> </item> <item id =" fields "> <item id =" subject "> <! [CDATA [title]> </item> <item id = "uid"> <! [CDATA [user ID]> </item> <item id = "username"> <! [CDATA [poster]> </item> <item id = "dateline"> <! [CDATA [date]> </item> <item id = "url"> <! [CDATA [subject address]> </item> <item id = "viewprourl"> <! [CDATA []> </item> <item id = "synlogin"> <! [CDATA [1]> </item> </root>

 

 

Proof of vulnerability:

 

In fact, the overall harm is quite large:



If you have a brute force ucserver administrator password, you can blacklist ucserver and uclient.



If you can blacklist any uclient application you listed, You can inject the uckey of the application into the ucserver.

Solution:

If the onls of uc is not used, you can remove or limit it.

Onadd can also limit the number of times.

SQL Injection directly performs intval in foreach.