
Discuz SSRF to RCE (when Redis is in use)

Source: 安恒安全研究院 (Anheng Security Research Institute)  Author: anonymous  Date: 2016-06-27

Vulnerability overview

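Discuz supports several cache backends (Redis, memcache). In most deployments Redis or memcache is installed on the same host as the forum, and a default Redis installation can be accessed directly, with no account or password. This creates a latent problem: if the security of Discuz itself cannot be guaranteed and it contains an SSRF, there is a chance that the SSRF can be used to operate on Redis, modifying the cache and injecting our own code.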
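The precondition described above (a local Redis with no password) can be checked on the defender's side by auditing redis.conf. The following is an added example, not code from the original article or from Discuz; the sample configurations are constructed, and the 32-character minimum is an assumed local policy value.

```python
import shlex

# Constructed samples (not from the article): a near-default redis.conf and a hardened one.
DEFAULT_CONF = """\
bind 127.0.0.1
port 6379
# requirepass foobared
"""
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
requirepass "constructed-long-random-secret-0123456789"
"""
MIN_PASSWORD_LEN = 32  # assumption: local policy value, not a Redis constant


def parse_conf(text):
    """Map each directive name to the list of its argument lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        name, *args = shlex.split(line)
        conf.setdefault(name.lower(), []).append(args)
    return conf


def audit(text):
    """Return findings relevant to an SSRF that can reach the local cache."""
    conf = parse_conf(text)
    findings = []
    # Use the last requirepass line; an empty value means no authentication.
    pass_args = conf.get("requirepass", [[""]])[-1]
    password = pass_args[0] if pass_args else ""
    if not password:
        findings.append("no-auth")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("weak-auth")
    binds = [addr for bind_args in conf.get("bind", []) for addr in bind_args]
    if not binds or any(addr in ("0.0.0.0", "::", "*") for addr in binds):
        findings.append("listens-on-all-interfaces")
    elif not password:
        # Requests forged through the web server originate on the host
        # itself, so a loopback bind alone does not keep them out.
        findings.append("loopback-bind-without-auth")
    return findings


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

The near-default sample is flagged even though it binds only to 127.0.0.1, because an SSRF request is issued by the web server on the same host.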

Vulnerability details

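The precondition is that Discuz's back-end cache is enabled. The setting is shown in the admin panel under "Global" -> "Memory optimization" and is disabled by default. To change and enable the cache, edit the config/config_global.php file in Discuz and modify the Redis settings in it. Once Redis is enabled, Discuz stores the cache in $_G.
[Figure: Redis settings]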

Next, let's analyze the relevant code.
source\class\discuz\discuz_application.php

private function _init_setting() {
    if($this->init_setting) {
        // Queue the cache entries that have not been populated yet.
        if(empty($this->var['setting'])) {
            $this->cachelist[] = 'setting';
        }

        if(empty($this->var['style'])) {
            $this->cachelist[] = 'style_default';
        }
        if(!isset($this->var['cache']['cronnextrun'])) {
            $this->cachelist[] = 'cronnextrun';
        }
    }
    // Load the queued entries from the cache backend into $_G.
    !empty($this->cachelist) && loadcache($this->cachelist);
    if(!is_array($this->var['setting'])) {
        $this->var['setting'] = array();
    }
}

Where the cache is used:
source\function\function_core.php

function output_replace($content) {
    global $_G;
    if(defined('IN_MODCP') || defined('IN_ADMINCP')) return $content;
    // The search/replace values below come from the cached setting in $_G.
    if(!empty($_G['setting']['output']['str']['search'])) {
        if(empty($_G['setting']['domain']['app']['default'])) {
            $_G['setting']['output']['str']['replace'] = str_replace('{CURHOST}', $_G['siteurl'], $_G['setting']['output']['str']['replace']);
        }
        $content = str_replace($_G['setting']['output']['str']['search'], $_G['setting']['output']['str']['replace'], $content);
    }
    if(!empty($_G['setting']['output']['preg']['search']) && (empty($_G['setting']['rewriteguest']) || empty($_G['uid']))) {
        if(empty($_G['setting']['domain']['app']['default'])) {
            $_G['setting']['output']['preg']['search'] = str_replace('\{CURHOST\}', preg_quote($_G['siteurl'], '/'), $_G['setting']['output']['preg']['search']);
            $_G['setting']['output']['preg']['replace'] = str_replace('{CURHOST}', $_G['siteurl'], $_G['setting']['output']['preg']['replace']);
        }
        // The regex pattern and replacement are also taken from the cached setting.
        $content = preg_replace($_G['setting']['output']['preg']['search'], $_G['setting']['output']['preg']['replace'], $content);
    }
    return $content;
}
