Discuz! 7.2 and earlier, and other UCenter-integrated products: getting a webshell through the UC API interface - Vulnerability Warning - Black Bar Safety Net

ID MYHACK58:62201028260
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-11-04T00:00:00


With dz, what we care about most is getting a shell, but getting a shell on dz is very hard. The previous article laid some groundwork at its end, so this one is not just hindsight either. This vulnerability was quietly fixed in Discuz! X1, but 7.2 and every earlier version that ships the UC interface remain unpatched.

This is actually an old vulnerability; everyone already knew about it last year. It is a second way to write into the configuration file, a further way of exploiting the original "get shell through the backend UCenter settings" vulnerability. Many people know that the code in uc.php is similar to the code in setting.inc.php, but when the Discuz! developers fixed the backend they did not fix this path at the same time, so the vulnerability has been there ever since.

Of course, the vulnerability is still a fairly useless one in practice: to exploit it you must meet two conditions:

  1. You must know UC_KEY, which normally lives in the configuration file, or in UCenter's application record in the database if it was never changed from the original;

  2. The configuration file config.inc.php must be writable.

Now look at the code (api/uc.php):

...
function updateapps($get, $post) {
    global $_DCACHE;
    if(!API_UPDATEAPPS) {
        return API_RETURN_FORBIDDEN;
    }
    $UC_API = $post['UC_API'];

    if(empty($post) || empty($UC_API)) {
        return API_RETURN_SUCCEED;
    }

    // the whole POST body is dumped into the apps cache file
    $cachefile = $this->appdir.'./uc_client/data/cache/apps.php';
    $fp = fopen($cachefile, 'w');
    $s = "<?php\r\n";
    $s .= '$_CACHE[\'apps\'] = '.var_export($post, TRUE).";\r\n";
    fwrite($fp, $s);
    fclose($fp);

    if(is_writeable($this->appdir.'./config.inc.php')) {
        $configfile = trim(file_get_contents($this->appdir.'./config.inc.php'));
        $configfile = substr($configfile, -2) == '?>' ? substr($configfile, 0, -2) : $configfile;
        // here is the problem: the attacker-supplied $UC_API goes into the
        // replacement string unescaped, so a quote in it breaks out of the
        // define() literal and the rest is written into config.inc.php as code
        $configfile = preg_replace("/define\('UC_API',\s*'.*?'\);/i", "define('UC_API', '$UC_API');", $configfile);
        if($fp = @fopen($this->appdir.'./config.inc.php', 'w')) {
            @fwrite($fp, trim($configfile));
            @fclose($fp);
        }
    }

    global $_DCACHE;
    require_once $this->appdir.'./forumdata/cache/cache_settings.php';
    require_once $this->appdir.'./include/cache.func.php';
    foreach($post as $appid => $app) {
        if(!empty($app['viewprourl'])) {
            $_DCACHE['settings']['ucapp'][$appid]['viewprourl'] = $app['url'].$app['viewprourl'];
        }
    }
    updatesettings();

    return API_RETURN_SUCCEED;
}
...

How was it fixed? Discuz! X1 does it like this:

$configfile = preg_replace("/define\('UC_API',\s*'.*?'\);/i", "define('UC_API', '".addslashes($UC_API)."');", $configfile);

I won't go through the details here; as I said before, everyone can read my earlier post: http://www.oldjun.com/blog/index.php/archives/59/
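To make the three states concrete, here is an added example in PHP (my own code, not Discuz! code and not from the original post): the 7.2 replacement shown above, the X1 addslashes() fix, and a hardened rewrite, each run over a constructed config.inc.php fragment and then checked by tokenizing the rewritten line. One caveat the post does not cover, which follows from documented preg_replace() behaviour rather than from anything on this page: the replacement argument is itself parsed, so "\\" collapses to "\" and "$1" is a backreference. The third payload shows why addslashes() alone is not enough, and why the value is better inserted through preg_replace_callback() as a var_export() literal. The config text, URL and payloads are constructed for illustration.

```php
<?php
// Added example, not Discuz! code: the UC_API rewrite in three forms, plus a
// tokenizer check that the rewritten line is still exactly one define().

// Constructed stand-in for the tail of config.inc.php.
$sampleConfig = "<?php\r\ndefine('UC_KEY', 'secret');\r\n"
              . "define('UC_API', 'http://example.com/uc_server');\r\n?>";

// The pattern Discuz! uses to locate the define() line.
const UC_API_PATTERN = "/define\('UC_API',\s*'.*?'\);/i";

// Same pre-processing updateapps() does before the replacement.
function strip_close_tag(string $config): string {
    $config = trim($config);
    return substr($config, -2) == '?>' ? substr($config, 0, -2) : $config;
}

// 1. Discuz! 7.2: the value is interpolated straight into the replacement.
function rewrite_vulnerable(string $config, string $ucApi): string {
    return trim(preg_replace(UC_API_PATTERN,
        "define('UC_API', '$ucApi');", strip_close_tag($config)));
}

// 2. Discuz! X1 fix: addslashes() before the value reaches the replacement.
function rewrite_addslashes(string $config, string $ucApi): string {
    return trim(preg_replace(UC_API_PATTERN,
        "define('UC_API', '" . addslashes($ucApi) . "');", strip_close_tag($config)));
}

// 3. Hardened: emit the literal with var_export() and return it from a callback,
//    so preg_replace never treats the value as a replacement template (where
//    "\\" collapses to "\" and "$1" would be a backreference).
function rewrite_hardened(string $config, string $ucApi): string {
    $line = "define('UC_API', " . var_export($ucApi, true) . ");";
    return trim(preg_replace_callback(UC_API_PATTERN,
        function () use ($line) { return $line; }, strip_close_tag($config)));
}

// Check: the rewritten line must tokenize as exactly define('..', '..');
// with nothing after the second string literal.
function is_single_define(string $line): bool {
    $shape = [];
    foreach (token_get_all("<?php " . $line) as $t) {
        if (is_array($t)) {
            if ($t[0] === T_OPEN_TAG || $t[0] === T_WHITESPACE) continue;
            $shape[] = token_name($t[0]);
        } else {
            $shape[] = $t;
        }
    }
    return $shape === ['T_STRING', '(', 'T_CONSTANT_ENCAPSED_STRING', ',',
                       'T_CONSTANT_ENCAPSED_STRING', ')', ';'];
}

function last_line(string $s): string {
    $lines = preg_split("/\r?\n/", $s);
    return end($lines);
}

// Constructed payloads: a normal URL, a quote that closes the literal, and a
// backslash-then-quote that survives addslashes() via the replacement parser.
$payloads = [
    'honest'    => 'http://uc.example.org/',
    'quote'     => "x');echo 123;//",
    'backslash' => "x\\');echo 123;//",
];

foreach ($payloads as $name => $value) {
    foreach (['rewrite_vulnerable', 'rewrite_addslashes', 'rewrite_hardened'] as $fn) {
        $line = last_line($fn($sampleConfig, $value));
        printf("%-9s %-18s %s  %s\n", $name, $fn,
            is_single_define($line) ? 'intact  ' : 'INJECTED', $line);
    }
}
```

Run it with the php CLI. The "quote" payload only breaks out of the 7.2 version, where the rewritten line becomes `define('UC_API', 'x');echo 123;//');`; the "backslash" payload passes through addslashes() as `x\\\')` and comes out of preg_replace()'s replacement parser as `x\\')`, which PHP reads as the string `x\` followed by the injected statement, so only the addslashes() version is broken by it; the hardened rewrite stays intact for all three because the literal never goes through the replacement parser.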

I haven't looked at dz for a long time. The get-webshell vulnerabilities that were held back for so long have basically all been released one by one, and then patched... I hope everyone still has some useful exploits held back, otherwise there really is nothing left to play with, unless you already have something in the backend...

Published by: oldjun