Discuz! - "popular web forum applications in China".
Due to input validation flaw, malicious attackers can cause the Discuz program to run arbitrary commands with the privilege of the HTTPD process.
Credit:
The information has been provided by SSR Team.
Details
Vulnerable Systems:
* Discuz! version 4.0.0 rc4 and prior
Discuz! doesn't properly check multiple extensions of uploaded files, allowing malicious attackers to upload a file with multiple extensions such as attach.php.php.php.php.rar to a web server.
This can be exploited to run arbitrary commands with the privilege of the HTTPD process, which is typically run as the nobody user.
Workaround:
Exclude the RAR extension from the extension list for attached files on an administration page and wait the release of official patch.
Disclosure Timeline:
* 24.07.05 - Vulnerability found
* 25.07.05 - Vendor notified
* 12.08.05 - Official release
这是在http://www.securiteam.com/unixfocus/5WP0F1FGKG.html 站点上看到的漏洞公告
自己马上在本地进行了测试,事实证明可以执行任意指令,用
存为cmd.php再打包成p11.php.php.php.php.php.php.php.php.php.php.php.php.rar
上传到数据库,更名为p11.php.php.php.php.php.php.php.php.php.php.php.php_6nOXtmZPWv90.rar
可看出文件名已经修改,可是自己是看不到后面这个文件名的,也就没有路径自己。
抓包,嗅探都找不到文件路径,然后自己进后台,附件管理,可查看文件名,用lanker 马客户端
连接可执行命令,难点是如何的到上传文件路径,昨晚努力了很久,都无法获得路径
以前也来EST,就是经常潜水,现在好不容易有问题可以提出,本人菜鸟一个,在此求助帮忙
Vulnerable Systems:
* Discuz! version 4.0.0 rc4 and prior,漏洞非常之广,反盗链技术discuz又好
真的不是象我这样的菜鸟能搞定漏洞利用的,依然在研究代码中```
标签:
