Discuz!后台得到Webshell全过程,站长须防范
Discuz!后台得到Webshell全过程,站长须防范
今天烈火小编在订阅的博客中发现了《Discuz!后台怎么拿到Webshell》一文,看来黑客是无孔不入的,那么作为站长和网管,我们怎么进行防范呢?首先我们需要了解discuz的漏洞,了解得到webshell的过程。下面来看原文:既然还没跪,我就从Discuz!古老的6.0版本开始,漏洞都出现在扩展插件上,利用方式有所不同,下面开始。
一 Discuz! 6.0 和 Discuz! 7.0
既然要后台拿Shell,文件写入必看。
/include/cache.func.php
function writetocache($script, $cachenames, $cachedata = ”, $prefix = ‘cache_’) {
global $authkey;
if(is_array($cachenames) && !$cachedata) {
foreach($cachenames as $name) {
$cachedata .= getcachearray($name, $script);
}
}
$dir = DISCUZ_ROOT.’./forumdata/cache/’;
if(!is_dir($dir)) {
@mkdir($dir, 0777);
}
if($fp = @fopen(“$dir$prefix$script.php”, ‘wb’)) {
fwrite($fp, “<?php\n//Discuz! cache file, DO NOT modify me!”.
“\n//Created: “.date(“M j, Y, G:i”).
“\n//Identify: “.md5($prefix.$script.’.php’.$cachedata.$authkey).”\n\n$cachedata?>”);
fclose($fp);
} else {
exit(‘Can not write to cache files, please check directory ./forumdata/ and ./forumdata/cache/ .’);
}
}
往上翻,找到调用函数的地方.都在updatecache函数中.
if(!$cachename || $cachename == ‘plugins’) {
$query = $db->query(“SELECT pluginid, available, adminid, name, identifier, datatables, directory, copyright, modules FROM {$tablepre}plugins”);
while($plugin = $db->fetch_array($query)) {
$data = array_merge($plugin, array(‘modules’ => array()), array(‘vars’ => array()));
$plugin['modules'] = unserialize($plugin['modules']);
if(is_array($plugin['modules'])) {
foreach($plugin['modules'] as $module) {
$data['modules'][$module['name']] = $module;
}
}
$queryvars = $db->query(“SELECT variable, value FROM {$tablepre}pluginvars WHERE pluginid=’$plugin[pluginid]‘”);
while($var = $db->fetch_array($queryvars)) {
$data['vars'][$var['variable']] = $var['value'];
}
//注意
writetocache($plugin['identifier'], ”, “\$_DPLUGIN['$plugin[identifier]‘] = “.arrayeval($data), ‘plugin_’);
}
}
如果我们可以控制$plugin['identifier']就有机会,它是plugins表里读出来的.
去后台看看,你可以发现identifier对应的是唯一标示符.联想下二次注射,单引号从数据库读出后写入文件时不会被转义.贱笑一下.
但是……你懂的,当你去野区单抓对面DPS时,发现对面蹲了4个敌人的心情.
/admin/plugins.inc.php
if(($newname = trim($newname)) || ($newidentifier = trim($newidentifier))) {
if(!$newname) {
cpmsg(‘plugins_edit_name_invalid’);
}
$query = $db->query(“SELECT pluginid FROM {$tablepre}plugins WHERE identifier=’$newidentifier’ LIMIT 1″);
//下面这个让人蛋疼欲裂,ispluginkey判定newidentifier是否有特殊字符
if($db->num_rows($query) || !$newidentifier || !ispluginkey($newidentifier)) {
cpmsg(‘plugins_edit_identifier_invalid’);
}
$db->query(“INSERT INTO {$tablepre}plugins (name, identifier, available) VALUES (‘”.dhtmlspecialchars(trim($newname)).”‘, ‘$newidentifier’, ’0′)”);
}
//写入缓存文件
updatecache(‘plugins’);
updatecache(‘settings’);
cpmsg(‘plugins_edit_succeed’, ‘admincp.php?action=pluginsconfig’);
还好Discuz!提供了导入的功能,好比你有隐身,对面没粉.你有疾风步,对面没控.好歹给咱留条活路.
elseif(submitcheck(‘importsubmit’)) {
$plugindata = preg_replace(“/(#.*\s+)*/”, ”, $plugindata);
$pluginarray = daddslashes(unserialize(base64_decode($plugindata)), 1);
//解码后没有判定
if(!is_array($pluginarray) || !is_array($pluginarray['plugin'])) {
cpmsg(‘plugins_import_data_invalid’);
} elseif(empty($ignoreversion) && strip_tags($pluginarray['version']) != strip_tags($version)) {
cpmsg(‘plugins_import_version_invalid’);
}
$query = $db->query(“SELECT pluginid FROM {$tablepre}plugins WHERE identifier=’{$pluginarray[plugin][identifier]}’ LIMIT 1″);
//判断是否重复,直接入库
if($db->num_rows($query)) {
cpmsg(‘plugins_import_identifier_duplicated’);
}
$sql1 = $sql2 = $comma = ”;
foreach($pluginarray['plugin'] as $key => $val) {
if($key == ‘directory’) {
//compatible for old versions
$val .= (!empty($val) && substr($val, -1) != ‘/’) ? ‘/’ : ”;
}
$sql1 .= $comma.$key;
$sql2 .= $comma.’\”.$val.’\”;
$comma = ‘,’;
}
$db->query(“INSERT INTO {$tablepre}plugins ($sql1) VALUES ($sql2)”);
$pluginid = $db->insert_id();
foreach(array(‘hooks’, ‘vars’) as $pluginconfig) {
if(is_array($pluginarray[$pluginconfig])) {
foreach($pluginarray[$pluginconfig] as $config) {
$sql1 = ‘pluginid’;
$sql2 = ‘\”.$pluginid.’\”;
foreach($config as $key => $val) {
$sql1 .= ‘,’.$key;
$sql2 .= ‘,\”.$val.’\”;
}
$db->query(“INSERT INTO {$tablepre}plugin$pluginconfig ($sql1) VALUES ($sql2)”);
}
}
}
updatecache(‘plugins’);
updatecache(‘settings’);
cpmsg(‘plugins_import_succeed’, ‘admincp.php?action=pluginsconfig’);
}
- 共6页:
- 上一页
- 1
- 2
- 3
- 4
- 5
- 6
- 下一页
评论暂时关闭