Discuz! products share a CSRF + batch SQL execution risk (dz3.x, dz7.x, SupeSite7.x, etc.)

Source: Internet
Author: User


While checking dz's SupeSite7.x product today, I found that the Discuz! products share a risk that lets the whole database be dumped ("taking off pants").

Let's go straight to the code. During a database restore we captured this link:

http://192.168.10.70/SupeSite7.5_SC_UTF8/upload//admincp.php?action=database&op=importstart&do=import&datafile=./backup_OpVKpM/140928_0Idz28GO-1.sql

This link reads SQL statements from a file and restores the database by executing them.

Let's analyze the code.

admin_databases.php (lines 457-483):

```php
} elseif($op == 'importstart') {
    $do = postget('do');
    $delunzip = postget('delunzip');
    $datafile = postget('datafile');
    $confirm = postget('confirm');
    $multivol = postget('multivol');
    $datafile_vol1 = postget('datafile_vol1');
    $autoimport = postget('autoimport');
    if($do == 'zip') {
        require_once S_ROOT.'./include/zip.lib.php';
        $unzip = new SimpleUnzip();
        // $datafile comes straight from the request; nothing checks that it is a .zip
        $unzip->ReadFile($datadir.'/'.$datafile);
        // the next four lines are the author's debug output, not SupeSite code
        echo $datadir.'/'.$datafile;
        echo "<br>";
        echo $unzip->GetName(0);
        exit;
        // only the name of the first entry inside the archive must end in .sql
        if($unzip->Count() == 0 || $unzip->GetError(0) != 0 || !preg_match('/\.sql$/i', $importfile = $unzip->GetName(0))) {
            showmessage('database_import_file_illegal');
        }
        $identify = explode(',', base64_decode(preg_replace('/^# identify:\s*(\w+).*/s', '\1', substr($unzip->GetData(0), 0, 256))));
        $info = basename($datafile).'<br/>'.$alang['database_export_version'].': '.$identify[1].'<br/>'.$alang['database_export_type'].': '.$alang['database_export_'.$identify[2]].'<br/>'.$alang['database_method'].': '.($identify[3] == 'multivol' ? $alang['database_multivol'] : $alang['database_shell']).'<br/>';
        // check the version number
        $confirm = isset($confirm) ? 1 : 0;
```

The captured URL (do=import) does not go through the zip branch. Let's change the URL so that it does:

http://192.168.10.70/SupeSite7.5_SC_UTF8/upload//admincp.php?action=database&op=importstart&do=zip&datafile=./backup_OpVKpM/xxxx.png

Here `do` is set to `zip` and `datafile` points at a `.png`. This is the key issue.

First, compress a SQL file into a zip archive, then rename the archive's suffix to `.png`.

The archive itself is never validated here; only the suffix of the file extracted from it is required to be `.sql`.

Let's add a print and see whether it is decompressed (screenshot not preserved in this copy).

Haha, I won't demonstrate any further. What follows is that the statements in the SQL file are executed one by one.

I have submitted many CSRF reports of this type; this one is a GET request too, so it looks like a single image is enough to trigger it.

Next, let's analyze DZ3.x. For database restoration in dz3.x there is no restore.php under the data directory; it has to be copied over from the tools package. Here we only analyze the risk by reading the code.

restore.php (lines 142-162):

```php
} elseif($operation == 'importzip') {
    if(!getgpc('datafile_server')) {
        show_msg('database_import_file_illegal');
    } else {
        $datafile_server = getgpc('datafile_server');
        // only existence is checked, not the suffix or type of the archive
        if(!@file_exists($datafile_server)) {
            show_msg('database_import_file_illegal');
        }
    }
    $datafile_vol1 = trim(getgpc('datafile_vol1', 'G'));
    $multivol = intval(getgpc('multivol', 'G'));
    require_once ROOT_PATH.'./source/class/class_zip.php';
    $unzip = new SimpleUnzip();
    $backupdir = substr($datafile_server, 8, 13);
    $unzip->ReadFile($datafile_server);
    // again only the first entry inside the archive must end in .sql
    if($unzip->Count() == 0 || $unzip->GetError(0) != 0 || !preg_match("/\.sql$/i", $importfile = $unzip->GetName(0))) {
        show_msg('database_import_file_illegal');
    }
```

Here, too, nothing checks whether `datafile_server` is actually a zip; the file suffix is not validated. The SQL file is extracted and its statements are executed one by one. I won't prove it here.

We can look at 7.x directly. In 7.x there is no need to copy in a restore file; the database can be operated on directly.

First, the code.

db.inc.php (lines 323-339):

```php
} elseif($operation == 'importzip') {
    if(empty($datafile_server)) {
        cpmsg('database_import_file_illegal', '', 'error');
    } else {
        $datafile_server = DISCUZ_ROOT.'./forumdata/'.$backupdir.'/'.basename($datafile_server);
        // only existence is checked, not the suffix or type of the archive
        if(!@file_exists($datafile_server)) {
            cpmsg('database_import_file_illegal', '', 'error');
        }
    }
    require_once DISCUZ_ROOT.'admin/zip.func.php';
    $unzip = new SimpleUnzip();
    $unzip->ReadFile($datafile_server);
    // only the first entry inside the archive must end in .sql
    if($unzip->Count() == 0 || $unzip->GetError(0) != 0 || !preg_match("/\.sql$/i", $importfile = $unzip->GetName(0))) {
        cpmsg('database_import_file_illegal', '', 'error');
    }
```

The code here still does not check the suffix of the archive. We walk through the process to show that SQL statements can be batch-executed via CSRF.

We restore the database and capture this GET link:

http://192.168.10.70/Discuz_7.2_SC_UTF8/upload/admincp.php?action=db&operation=import&from=server&datafile_server=./forumdata/backup_997165/140915_ce31AeXP-1.sql&importsubmit=yes

Let's modify this link:

http://192.168.10.70/Discuz_7.2_SC_UTF8/upload/admincp.php?action=db&operation=importzip&from=server&datafile_server=./forumdata/backup_997165/xxxx.png&importsubmit=yes

Compress a SQL file into xxxx.zip, then rename it to xxxx.png. For the test we placed the file directly in this directory; because directory traversal is possible here, uploading an image at the front end would work just as well.

Add a print to the code:

```php
require_once DISCUZ_ROOT.'admin/zip.func.php';
$unzip = new SimpleUnzip();
$unzip->ReadFile($datafile_server);
// debug output added by the author: print the first entry name and stop
echo $unzip->GetName(0);
exit;
```

Result: (screenshot not preserved in this copy)

I won't demonstrate the remaining step, batch-executing SQL statements via a CSRF GET request. This is actually quite serious: arbitrary SQL operations are possible, and with a root database account privileges can be escalated further.

Solution:

Stricter input filtering.
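One way to implement that stricter filtering, covering both the missing archive check and the GET-triggered CSRF described above. This is an added example, not Discuz!'s or SupeSite's own patch; the function name validate_restore_request(), the token field name formhash and the $backup_root parameter are assumptions.

```php
<?php
// Added example, not code from Discuz!/SupeSite. It shows the checks the
// importzip/importstart branches above are missing. Names are assumed:
// validate_restore_request(), the CSRF token field 'formhash', $backup_root.

function validate_restore_request(string $method, array $post, array $session,
                                  string $datafile, string $backup_root): string
{
    // A restore is state-changing: require POST plus the session's anti-CSRF token,
    // so a GET link embedded in an <img> tag cannot trigger it.
    if ($method !== 'POST') {
        return 'method_not_allowed';
    }
    if (!isset($post['formhash'], $session['formhash'])
        || !hash_equals($session['formhash'], $post['formhash'])) {
        return 'csrf_token_invalid';
    }
    // The original code only checked the *inner* entry name for .sql, so a zip
    // renamed to .png was accepted. Require a bare file name with a .zip suffix.
    if ($datafile !== basename($datafile) || !preg_match('/^[\w\-]+\.zip\z/i', $datafile)) {
        return 'database_import_file_illegal';
    }
    // Confine the resolved path to the backup directory (blocks ../ traversal).
    $root = realpath($backup_root);
    $path = realpath($backup_root . '/' . $datafile);
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return 'database_import_file_illegal';
    }
    // Verify the container really is a zip by its local-file-header signature,
    // not just by its name. The existing /\.sql$/i check on the entry stays.
    $magic = (string) file_get_contents($path, false, null, 0, 4);
    return $magic === "PK\x03\x04" ? 'ok' : 'database_import_file_illegal';
}

// Constructed demo: a zip header under its real name, and the same bytes renamed to .png.
$dir = sys_get_temp_dir() . '/restore_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/backup.zip", "PK\x03\x04" . str_repeat("\0", 26));
file_put_contents("$dir/xxxx.png", "PK\x03\x04" . str_repeat("\0", 26));
$session = ['formhash' => bin2hex(random_bytes(8))];
$good = ['formhash' => $session['formhash']];

echo 'GET link:          ', validate_restore_request('GET', [], $session, 'backup.zip', $dir), "\n";
echo 'POST, no token:    ', validate_restore_request('POST', [], $session, 'backup.zip', $dir), "\n";
echo 'renamed .png:      ', validate_restore_request('POST', $good, $session, 'xxxx.png', $dir), "\n";
echo 'traversal:         ', validate_restore_request('POST', $good, $session, '../backup.zip', $dir), "\n";
echo 'valid POST + .zip: ', validate_restore_request('POST', $good, $session, 'backup.zip', $dir), "\n";

array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Only the last request passes; the first four are rejected at the method, token, suffix and path checks respectively, before any archive is opened or SQL executed.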
