Discuz! admin\runwizard.inc.php get-webshell bug

由于Discuz!的admin\runwizard.inc.php里saverunwizardhistory()写文件操作没有限制导致执行代码漏洞.

在文件admin\runwizard.inc.php里代码:

$runwizardhistory = array();
$runwizardfile = DISCUZ_ROOT.‘./forumdata/logs/runwizardlog.php’;
if($fp = @fopen($runwizardfile, ‘r’)) {
$runwizardhistory = @unserialize(fread($fp, 99999));
fclose($fp);
}

…

if(submitcheck('step1submit')) {
	$runwizardhistory['step1']['size'] = $size;
	$runwizardhistory['step1']['safe'] = $safe;
	$runwizardhistory['step1']['func'] = $func;
	saverunwizardhistory();
}
........

function saverunwizardhistory() {
global $runwizardfile, $runwizardhistory;
$fp = fopen($runwizardfile, ‘w’);
fwrite($fp, serialize($runwizardhistory));
fclose($fp);
}

上面代码可以看出来当有后台权限时,可以直接得到webshell.如果结合xss[如:SODB-2008-01,SODB-2008-02…等] crsf[如:SODB-2008-03]等漏洞,可以直接通过admin身份远程写入webshell执行代码.

2008-10
今天发布的dz7 bt版本[1]已经fix这个漏洞了:

function saverunwizardhistory() {
global $runwizardfile, $runwizardhistory;
$fp = fopen($runwizardfile, ‘w’);
$s = ‘<?php exit;?>’;
$s .= serialize($runwizardhistory);
fwrite($fp, $s);
fclose($fp);
}

[1]:<a href=“http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip” target=“_blank”>http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip</a>