Brief analysis of getting a shell from the Discuz X2-3 admin backend
(Discuz is already at X3; where is your BMW X3?) by fake
Original article: http://www.unhonker.com/bug/1217.html
Skip the first step for now:
"Change
Content-Disposition: form-data; name="settingnew[profilegroupnew][base][available]"
to
Content-Disposition: form-data; name="settingnew[profilegroupnew][plugin][available]"
"
Leave this aside for the moment.
Look directly at /home.php?mod=spacecp&id=../../robots.txt%00
![Image [1]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/1305291307092dad07b7255680.jpeg)
The request hits home.php with the parameters mod=spacecp&id=
Look at the home.php source:
![Image [2]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/13052913072675ad000fa8b02f.jpeg)
It calls the libfile function directly, which leads into \source\module\home\home_space.php
X2.5 differs slightly from X3 here: because no ac parameter is submitted, X2.5 defaults to profile.
![Image [3]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/1305291307303fea5827afc0a0.jpeg)
![Image [4]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/1305291307d987b746d3ab7871.jpeg)
require_once takes us into \source\include\spacecp\spacecp_profile.php
![Image [5]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/130529130787af3077f6603699.jpeg)
Execution reaches include template; look at the template function in \source\function\function_core.php
![Image [6]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/1305291307d35f3041f06e68fd.jpeg)
That reaches the checktplrefresh function, in the same file, \source\function\function_core.php
![Image [7]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/1305291307c0dca59172a1a5ed.jpeg)
Inside that function execution reaches parse_template; follow parse_template in \source\class\class_template.php
![Image [8]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/1305291307143d81b41fa1ba49.jpeg)
fopen opens the template, i.e. \template\default\home\space_profile.htm
![Image [9]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/13052913073b30e3580147b244.jpeg)
Finally we find the target. For what the template actually executes, see this page:
http://www.jb51.net/article/19712.htm
Here we need $operation == 'plugin'
That is why the first step changes
Content-Disposition: form-data; name="settingnew[profilegroupnew][base][available]"
to
Content-Disposition: form-data; name="settingnew[profilegroupnew][plugin][available]"
Exactly where $operation comes from can be seen in \source\include\spacecp\spacecp_profile.php
![Image [10]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/1305291307ed82b70773d1538c.jpeg)
The $profilegroup value is controlled from the admin backend; it comes from \source\admincp\admincp_setting.php:
$settingnew['profilegroupnew']
![Image [11]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/13052913072ac68a59aca5d98b.jpeg)
Finally, the submitted id is included and executed.
As for why truncation is needed: a suffix gets appended after it.
![Image [12]-Discuz X2-3 Shell Exploit Analysis, PHP Template Injection](https://www.77169.net/wp-content/uploads/2017/05/1305291307295c6fb1ab406fbe.jpeg)
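As an added defender-side example (not from the original post and not Discuz code), here is a small access-log check that flags requests to home.php with mod=spacecp whose id carries a traversal sequence or a %00 null byte, the shape of the request above. The log lines and IPs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2013:13:07:09 +0800] "GET /home.php?mod=spacecp&id=../../robots.txt%00 HTTP/1.1" 200 512
10.0.0.6 - - [29/May/2013:13:07:10 +0800] "GET /home.php?mod=spacecp&ac=profile HTTP/1.1" 200 4096
10.0.0.7 - - [29/May/2013:13:07:11 +0800] "GET /home.php?mod=spacecp&id=..%2F..%2Fdata%2Fattachment%2Fx.jpg%00 HTTP/1.1" 200 300
10.0.0.8 - - [29/May/2013:13:07:12 +0800] "GET /home.php?mod=space&uid=12 HTTP/1.1" 200 2048
"""

# Pulls the request line out of a common-log-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_suspicious_id(value: str) -> bool:
    """True if the id value carries a null byte or a path-traversal sequence.

    parse_qs already decodes once; decoding again here also catches
    double-encoded forms such as %2500 or %252e%252e%252f.
    """
    decoded = unquote(value)
    return "\x00" in decoded or "../" in decoded or "..\\" in decoded


def find_spacecp_traversal(log_text: str) -> list:
    """Return one dict per log line that matches the spacecp id-include pattern."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/home.php"):
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("mod") != ["spacecp"]:
            continue
        for raw_id in qs.get("id", []):
            if is_suspicious_id(raw_id):
                hits.append({"line": lineno, "src": line.split()[0], "id": raw_id})
    return hits


if __name__ == "__main__":
    for hit in find_spacecp_traversal(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} -> id={hit['id']!r}")
```

Null-byte truncation of include paths stopped working in PHP 5.3.4 and later, so on a patched-up stack only the traversal part of the pattern still matters; the check flags either on its own.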
Over!
If anything here is wrong, contact http://t.qq.com/fake_wang