0x1 前语 (Foreword) 原本我今日想学经过剖析下Fastjson反序列化缝隙学习java,还有研讨下php混杂解密和底层hook技能的,可是今日看到在群里看了这篇文章Discuz!ML v.3.X Code Injection Vulnerability,由于涉及到dz这一通用论坛架构,所以我饶有兴趣的跟进去看了下,其实这个dz多语言版在国内影响不是很大,可是上文没有给出缝隙成因,所以就有了这篇剖析文章。 (Today,i fistly want to learn java by reseaching the vulnerability of Fastjson deserialization vulnerablity, and i also want to study decrypt deconfusion of php and technology of underlying hook ,but today i saw this article Discuz!ML v.3.X Code Injection Vulnerability in the group because it involves the general forum structure of dz, so i followed it with interest . In fact Discuz!ML is not popular in nation, but i want to improve my ablity by writting article of analying the season excusing to this vulnerability)
0x2 关于Discuz!ML (About) Discuz!ML 是一个由CodersClub.org为了树立一个像“社会网络”的网络社区开发的可运用多种语言的,归纳,全面的,开源的web渠道,有许多论坛是根据这款软件(包含了v3.2,v3.3,v3.4)的。 可是值得一提的是,这套程序与咱们国内常用的discuz几乎没有很大联络,除了中心代码都是discuz,其实关于这个缝隙的损害你能够理解为一个dz插件的恣意代码履行。 ( Discuz!ML is a MultiLingual, integrated, full-featured, open-source web-platform created by CodersClub.org for build an Internet community like “Social Network”. There are hundreds of Forum that is created using these software comprises of v3.2,v3.3,v3.4 . It is worth mentioning that this program has little to do with domestic popular discuz,except that the core code。In fact,the hazard of this vulnerability can be understood as arbitary code execution of a disucz plugin。 )
0x3 缝隙剖析 (Vuln-Analysis) 由于我之前没有读过dz的程序,所以计划借着这次机会来简略通读下dz程序,所以你们也能够把这篇文章当作dz架构的解析文章。 米斯特的表哥已经在米斯特的公众号中发了一篇逆向剖析的代码审计,能够结合我这篇正向剖析来个互补。 首要咱们依照文章所给的复现poc,找到触发的文件姓名。
确认了文件名 forum.php 触发点在cookie里边 直接跟进这个文件姓名: /Users/xq17/www/dz/forum.php $Id: forum.php 31999 2012-10-30 07:19:49Z cnteacher $ * Modified by Valery Votintsev, codersclub.org */ //DEBUG //echo ' '; //echo '_FILE=', __FILE__, "n"; //echo '_ENV='; //print_r($_ENV); //echo '', "n"; define('APPTYPEID', 2); define('CURSCRIPT', 'forum'); require './source/class/class_core.php'; //这儿引入了中心类文件,这儿能够跟进 require './source/function/function_forum.php'; ........省掉下面 $Id: class_core.php 33982 2013-09-12 06:36:35Z hypowang $ * Modified by Valery Votintsev, codersclub.org */ error_reporting(E_ALL); define('IN_DISCUZ', true); /*vot*/ define('DISCUZ_ROOT', substr(dirname(str_replace('','/',__FILE__)), 0, -12)); //DEBUG //echo ' '; //echo 'DISCUZ_ROOT=', DISCUZ_ROOT, "n"; //echo '', "n"; define('DISCUZ_CORE_DEBUG', false); define('DISCUZ_TABLE_EXTENDABLE', false); //前面界说一些全局变量比方Discuz_ROOT根目录 set_exception_handler(array('core', 'handleException')); //设置反常处理 if(DISCUZ_CORE_DEBUG) { set_error_handler(array('core', 'handleError')); register_shutdown_function(array('core', 'handleShutdown')); } if(function_exists('spl_autoload_register')) { spl_autoload_register(array('core', 'autoload')); //注册autoload函数为__autoload的完成,这个效果是当在实例化一个未明确认义的类时去寻觅相应的文件载入 } else { function __autoload($class) { return core::autoload($class); } } C::creatapp(); //这儿经过效果域C直接调用creatapp发动函数,跟进这儿 这儿我简化下core类的代码,在 class_core.php 的 最终一句 class C extends core{} 说明晰C是承继core类的。 class core { private static $_tables; private static $_imports; private static $_app; private static $_memory; public static function app() { return self::$_app; } public static function creatapp() { //履行到这儿 if(!is_object(self::$_app)) { //$_app 不是目标 self::$_app = discuz_application::instance(); //经过instance办法实例化一个discuz_application目标 } return self::$_app;[1][2][3][4][5][6][7][8][9][10][11]黑客接单网