这个漏洞已经在discuz! x1版本悄悄给补上了,但是7.2及以下含有uc接口的版本的均没有补。
当然,漏洞是依旧是鸡肋的,想要利用这个漏洞,必须满足两点条件:
1.必须知道UC_KEY,通常在配置文件里,或者ucenter的原始(没有经过修改的)数据库(应用)中;
2.配置文件config.inc.php必须可写。
一、漏洞代码:...
function updateapps($get, $post) {
global $_DCACHE;
if(!API_UPDATEAPPS) {
return API_RETURN_FORBIDDEN;
}
$UC_API = $post['UC_API'];
if(empty($post) || empty($UC_API)) {
return API_RETURN_SUCCEED;
}
$cachefile = $this->appdir.'./uc_client/data/cache/apps.php';
$fp = fopen($cachefile, 'w');
$s = "<?phprn ";
$s .= '$_CACHE[\'apps\'] = '.var_export($post, TRUE).";rn";
fwrite($fp, $s);
fclose($fp);
if(is_writeable($this->appdir.'./config.inc.php')) {
$configfile = trim(file_get_contents($this->appdir.'./config.inc.php'));
$configfile = substr($configfile, -2) == '?>' ? substr($configfile, 0, -2) : $configfile;
$configfile = preg_replace("/define('UC_API',s*'.*?');/i", "define('UC_API', '$UC_API');", $configfile);//这里的问题
if($fp = @fopen($this->appdir.'./config.inc.php', 'w')) {
@fwrite($fp, trim($configfile));
@fclose($fp);
}
}
global $_DCACHE;
require_once $this->appdir.'./forumdata/cache/cache_settings.php';
require_once $this->appdir.'./include/cache.func.php';
foreach($post as $appid => $app) {
if(!empty($app['viewprourl'])) {
$_DCACHE['settings']['ucapp'][$appid]['viewprourl'] = $app['url'].$app['viewprourl'];
}
}
updatesettings();
return API_RETURN_SUCCEED;
}
...
二、修复方法://将这段代码
$configfile = preg_replace("/define('UC_API',s*'.*?');/i", "define('UC_API', '$UC_API');", $configfile);
//更换成这段代码
$configfile = preg_replace("/define\('UC_API',\s*'.*?'\);/i", "define('UC_API', '".addslashes($UC_API)."');", $configfile);
三、补丁文件: