Discuz2 Upload Vulnerability Analysis Upload Vulnerability Transform

xiaoxiao 2021-03-06


By brother XIAOLU: http://www.666w.cn/art/735.htm

The Discuz forum, with its beautiful interface and complete functionality, is favored by many webmasters and holds a very large share of the PHP forum market; in every respect it can be compared with the mobile network forum. Although 2.0 is an old version, a large proportion of users are still running it. Since September, Discuz has had a string of vulnerabilities disclosed one after another, but they either have little impact or are difficult to exploit. I wrote a Discuz exploitation program, and people often asked me how to use it; I could not answer. So I read the Discuz source code and found that there is a problem with the upload. After testing, the problem exists on Win2000 and Red Hat, but some UNIX systems are not affected. This article describes how the upload vulnerability was discovered, to give everyone some ideas; please download the free version of the source program online.

1. Vulnerability analysis

First, a bug in Discuz 2 and above. Its include/common.php has a physical path disclosure:

require $discuz_root.'./config.php';
require $discuz_root.'./include/global.php';
require $discuz_root.'./include/db_'.$database.'.php';

Here $discuz_root defaults to ".", meaning the current directory. If php.ini has no include option set, the system will not find config.php, because common.php is meant to be included by other files, and the files that include it sit one directory up; that is why the code is written this way. But nothing stops us from requesting common.php directly. So if we request (using my machine as the example) http://localhost/discuz/include/common.php, the physical path is disclosed.

Now to the topic: let's analyze how the upload vulnerability arises and how it is used.
The upload function of the Discuz forum is attach_upload() in include/post.php. I will walk through the program's execution step by step and explain the critical code as I go.

global $discuz_root, $attachsave, $attach, $attach_name, $attach_size, $attach_fname, $attachdir, $maxattachsize, $attachextensions;

Fetch the global variables.

if(function_exists('is_uploaded_file')) {
    if(!is_uploaded_file($attach)) {
        return FALSE;
    }
} elseif(!($attach != 'none' && $attach && trim($attach_name))) {
    return FALSE;
}

Decides whether $attach is an uploaded file; if not, the function ends. So what we upload must be a real file.

$attach_name = daddslashes($attach_name);

if($attachextensions && !@eregi(substr(strrchr($attach_name, '.'), 1), $attachextensions)) {
    showmessage('post_attachment_ext_notallowed');
}

Key code: checks whether the extension is allowed. In a default installation $attachextensions is empty, so this if statement is skipped, which is what we hope for. Most sites do set it, however; that case is discussed in detail later.

if(!$attach_size || ($maxattachsize && $attach_size > $maxattachsize)) {
    showmessage('post_attachment_toobig');
}

Checks the file size. However it is configured, this statement has no effect on us, so skip it.

$filename = $attach_name;
$extension = strtolower(substr(strrchr($filename, '.'), 1));

if($attachsave) {
    switch($attachsave) {
        case 1: $attach_subdir = 'forumid_'.$GLOBALS['fid']; break;
        case 2: $attach_subdir = 'ext_'.$extension; break;
        case 3: $attach_subdir = 'month_'.date('ym'); break;
        case 4: $attach_subdir = 'day_'.date('ymd'); break;
    }
    if(!is_dir($discuz_root.'./'.$attachdir.'/'.$attach_subdir)) {
        mkdir($discuz_root.'./'.$attachdir.'/'.$attach_subdir, 0777);
    }
    $attach_fname = $attach_subdir.'/';
} else {
    $attach_fname = '';
}

How the file is saved. By default it goes into the forum's attachments directory, but some forums sort attachments by forum ID or by date; this depends on the specific forum and has no effect on us.

$filename = substr($filename, 0, strlen($filename) - strlen($extension) - 1);
if(preg_match("/[\x7F-\xFF]/s", $filename)) {
    $filename = str_replace('/', '', base64_encode(substr($filename, 0, 20)));
}

Filters non-ASCII characters.

if(in_array($extension, array('php', 'php3', 'jsp', 'asp', 'cgi', 'pl'))) {
    $extension = '_'.$extension;
}

Key code: checks for illegal extensions to stop people from maliciously uploading a WebShell. Our constructed name, however, slips past this statement.

$attach_fname .= random(4)."_$filename.$extension";
$attach_saved = FALSE;
$source = stripslashes($discuz_root.'./'.$attachdir.'/'.$attach_fname);

Builds the save path. The rest of the function is omitted here.

Now let's trace the $source variable. It consists of three variables: $discuz_root is defined, $attachdir is also defined, so the only one we control is $attach_fname. Tracing $attach_fname, it is built from a four-character random string, an underscore and two variables:

$attach_fname .= random(4)."_$filename.$extension";

Expanding this back to the most original variable, the one we can construct (don't tell me you never learned algebra), with the random string written as abcd:

$extension = strtolower(substr(strrchr($attach_name, '.'), 1));
$filename = substr($attach_name, 0, strlen($attach_name) - strlen($extension) - 1);
$attach_fname = "abcd_$filename.$extension";

where $attach_name is what we submit. If we submit a picture file, as normal thinking would suggest, we get:

$attach_name = "test.jpg"
$extension = "jpg"
$filename = "test"
$attach_fname = "abcd_test.jpg"

See how the result is generated? To get a shell we have to think abnormally; let's see how the vulnerability is used.

2. Vulnerability transformation and exploitation

From the analysis above you already know how the program runs. I will directly give one method of getting a WebShell and analyze how it skips the program's checks; other ways of using it are left to the reader, each to their own view. We set $attach_name to "/../../test.php." (note the trailing dot). As for why we can construct $attach_name and set it to anything, that needs some PHP scripting knowledge and the basics of the HTTP protocol; space is limited, so I won't go into it. Because this article is already long, the packet submission is left to the accompanying Perl source, where you can look at the part that constructs the file name. Now, how to bypass the checks: let's analyze the key code.

if($attachextensions && !@eregi(substr(strrchr($attach_name, '.'), 1), $attachextensions)) {
    showmessage('post_attachment_ext_notallowed');
}

Obviously, if $attachextensions is empty this statement is skipped unconditionally. If $attachextensions is something like "jpg,gif,txt,zip,rar", then with the name we just constructed the system reports an error; that case is dealt with later, and for now we assume this statement is skipped.

$extension = strtolower(substr(strrchr($filename, '.'), 1));

Here $filename is "/../../test.php.", so after this statement $extension is empty.

$filename = substr($filename, 0, strlen($filename) - strlen($extension) - 1);

Now the trailing dot is gone.

if(in_array($extension, array('php', 'php3', 'jsp', 'asp', 'cgi', 'pl'))) {
    $extension = '_'.$extension;
}

Because $extension is empty, this statement is skipped too. At this point $attach_fname = "abcd_/../../test.php." (with abcd standing in for the random string). Assume $discuz_root = "e:/www/discuz"; then $source = "e:/www/discuz/attachments/abcd_/../../test.php.". See? After our constructed file name is processed it turns into the path above. Where does it get saved? Windows ignores the trailing dot, while Linux keeps it as it is, but the shell is reachable either way. In this way our shell is written to the forum's root directory. On a Linux system the trailing dot has to be included when you request it; on Windows it does not. The address is: http://localhost/discuz/test.php

That covers how the program's checks are passed and how the shell is obtained. Back to the question: what if the site has set $attachextensions? Suppose the value is "gif,jpg,swf,txt,zip,rar", which is what most sites use. Everyone can think of a way to use this, and I thought of one too. This method is not a big deal, but as an experience I still want to share it, in the spirit of sharing. With the analysis above as a foundation I won't keep you in suspense, for fear everyone is getting impatient. We set $attach_name to "/../../images/default/logo.gif". You should understand what that means: it overwrites one of the system's image files, or in fact any file, including Flash files. What's the point? Overwriting the program's logo icon is really of no use; it is just a prank. But if you make your own picture with the words "this site has a vulnerability" on it, the administrator will certainly be scared.

This reminds me of several security websites last month that rewrote other people's home pages. I don't want everyone to use this vulnerability that way; the loss outweighs the gain. Overwriting an image file is meaningless, but overwriting a SWF file is meaningful: a site's SWF paths and file names are easy to determine, and most sites have a number of SWF files. By overwriting them, a cross-site scripting attack becomes possible. Don't look down on XSS: its capability is weaker than SQL injection, but it can still obtain sensitive information such as user cookies. Due to space constraints, this is not described further.

Summary of exploitation:
1. The version must be 2.0 (2.xx may also be affected), because the file name above is placed at the end of the path. For a long time I could not work out how to use it; if any expert has ideas, we can discuss them together.
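For comparison, here is a hardened version of the name handling analysed above, written as an added example that is not Discuz's own code (function names are assumed). It normalises the name before any check, so "/../../test.php." no longer yields an empty extension, and it compares the extension against the allowlist token by token instead of using the user-supplied string as an eregi() pattern:

```php
<?php
// Added example, not Discuz's own code: a hardened replacement for the
// attachment-name logic analysed above. Function names here are assumed.
// Exact-token allowlist instead of eregi() with a user-controlled pattern.
function attach_extension_allowed($extension, $attachextensions) {
    if ($attachextensions === '') {
        return true;   // keep the original "empty means any extension" setting
    }
    $allowed = array_map('trim', explode(',', strtolower($attachextensions)));
    return in_array($extension, $allowed, true);
}

// Returns the file name to store, or null when the upload must be refused.
function safe_attach_fname($attach_name, $attachextensions, $random) {
    // 1. Keep only the last path component: "/../../test.php." -> "test.php."
    $name = basename(str_replace('\\', '/', $attach_name));
    // 2. Windows drops trailing dots and spaces, so strip them before checking.
    $name = rtrim($name, ". ");
    if ($name === '') {
        return null;
    }
    // 3. The extension must exist; "test.php." no longer yields an empty one.
    $dot = strrpos($name, '.');
    if ($dot === false || $dot === 0) {
        return null;
    }
    $extension = strtolower(substr($name, $dot + 1));
    $filename  = substr($name, 0, $dot);
    // 4. Refuse executable extensions anywhere in the name (Apache may apply
    //    several extensions, so "x.php.jpg" is refused too), not just rename them.
    $executable = array('php', 'php3', 'jsp', 'asp', 'cgi', 'pl');
    foreach (explode('.', strtolower($name)) as $part) {
        if (in_array($part, $executable, true)) {
            return null;
        }
    }
    if (!attach_extension_allowed($extension, $attachextensions)) {
        return null;
    }
    // 5. Same layout as the original, but built from sanitised parts only.
    return $random . '_' . $filename . '.' . $extension;
}

// Constructed sample names from the article, random prefix fixed to "abcd".
$samples = array('test.jpg', '/../../test.php.', '/../../images/default/logo.gif', 'x.php.jpg');
foreach ($samples as $s) {
    $r = safe_attach_fname($s, 'gif,jpg,swf,txt,zip,rar', 'abcd');
    echo str_pad($s, 32) . ' => ' . ($r === null ? 'refused' : $r) . "\n";
}
```

With the sample list above, only test.jpg and logo.gif are accepted, and logo.gif lands as abcd_logo.gif inside the attachments directory rather than over images/default/logo.gif; the final $source path should additionally be checked with realpath() to lie inside the attachments directory before it is opened for writing.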

Please cite the original address when reprinting: https://www.9cbs.com/read-68633.html
