
阿里云提示 Discuz memcache+ssrf GETSHELL漏洞修复方法

发表于 2017-4-7 03:56:00 | 显示全部楼层 |阅读模式

近期很多使用阿里云的站长收到了阿里云给出的漏洞消息
漏洞名称如下:
Discuz memcache+ssrf GETSHELL漏洞
这里给大家提供一个简单的修复方案!
首先找到这个文件
source/function/function_core.php
搜索代码:
  /**
   * Applies the output replacement rules held in $_G['setting']['output'] to $content.
   *
   * This is the unmodified function, reproduced as the text to search for in
   * source/function/function_core.php.
   *
   * Two rule sets are applied in order:
   *  - 'str'  rules: plain str_replace() of search => replace.
   *  - 'preg' rules: one preg_replace_callback() per search pattern; these run only when
   *    $_G['setting']['rewriteguest'] is empty or $_G['uid'] is empty.
   * When $_G['setting']['domain']['app']['default'] is empty, the {CURHOST} placeholder
   * in the rules is first replaced with $_G['siteurl'].
   *
   * Security: every 'preg' replacement string is concatenated into PHP source text and
   * compiled with create_function(), so whoever can write that setting controls code that
   * runs in the web server process.
   * NOTE(review): the page title ties the advisory to memcache + SSRF; presumably these
   * settings are read from that cache - confirm against the cache loader.
   *
   * @param string $content Text to rewrite (NOTE(review): presumably the rendered page output - confirm against callers).
   * @return string $content after both rule sets; returned unchanged when IN_MODCP or IN_ADMINCP is defined.
   */
  1. function output_replace($content) {
  2.         global $_G;
  3.         if(defined('IN_MODCP') || defined('IN_ADMINCP')) return $content;
  4.         if(!empty($_G['setting']['output']['str']['search'])) {
  5.                 if(empty($_G['setting']['domain']['app']['default'])) {
  6.                         $_G['setting']['output']['str']['replace'] = str_replace('{CURHOST}', $_G['siteurl'], $_G['setting']['output']['str']['replace']);
  7.                 }
  8.                 $content = str_replace($_G['setting']['output']['str']['search'], $_G['setting']['output']['str']['replace'], $content);
  9.         }
  10.         if(!empty($_G['setting']['output']['preg']['search']) && (empty($_G['setting']['rewriteguest']) || empty($_G['uid']))) {
  11.                 if(empty($_G['setting']['domain']['app']['default'])) {
  12.                         $_G['setting']['output']['preg']['search'] = str_replace('\{CURHOST\}', preg_quote($_G['siteurl'], '/'), $_G['setting']['output']['preg']['search']);
  13.                         $_G['setting']['output']['preg']['replace'] = str_replace('{CURHOST}', $_G['siteurl'], $_G['setting']['output']['preg']['replace']);
  14.                 }

  15.                 foreach($_G['setting']['output']['preg']['search'] as $key => $value) {
  // Code-execution sink: the replacement string for this key becomes the body of a
  // function compiled at runtime; nothing in this function validates it first.
  16.                         $content = preg_replace_callback($value, create_function('$matches', 'return '.$_G['setting']['output']['preg']['replace'][$key].';'), $content);
  17.                 }
  18.         }

  19.         return $content;
  20. }


添加一行代码,如下

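  /**
   * Applies the output replacement rules held in $_G['setting']['output'] to $content,
   * refusing to continue when a 'preg' search pattern carries the "e" (eval) modifier.
   *
   * Two rule sets are applied in order:
   *  - 'str'  rules: plain str_replace() of search => replace.
   *  - 'preg' rules: one preg_replace_callback() per search pattern; these run only when
   *    $_G['setting']['rewriteguest'] is empty or $_G['uid'] is empty.
   * When $_G['setting']['domain']['app']['default'] is empty, the {CURHOST} placeholder
   * in the rules is first replaced with $_G['siteurl'].
   *
   * Security: the guard below only inspects the search patterns. The replacement strings
   * are still concatenated into PHP source and compiled by create_function(), and nothing
   * here validates them, so this function stays exploitable by anyone who can write
   * $_G['setting']['output']['preg']['replace'].
   * NOTE(review): the page title ties the advisory to memcache + SSRF; presumably these
   * settings are read from that cache. The durable mitigation is then to make the cache
   * unreachable and unwritable for untrusted parties (bind memcache to a private
   * interface, close the SSRF entry point) and to apply the vendor's own patch - confirm
   * against the official advisory.
   *
   * @param string $content Text to rewrite (NOTE(review): presumably the rendered page output - confirm against callers).
   * @return string $content after both rule sets; returned unchanged when IN_MODCP or IN_ADMINCP is defined.
   */
  function output_replace($content) {
      global $_G;
      // Moderator and admin control panel requests are returned untouched.
      if(defined('IN_MODCP') || defined('IN_ADMINCP')) return $content;
      if(!empty($_G['setting']['output']['str']['search'])) {
          if(empty($_G['setting']['domain']['app']['default'])) {
              $_G['setting']['output']['str']['replace'] = str_replace('{CURHOST}', $_G['siteurl'], $_G['setting']['output']['str']['replace']);
          }
          $content = str_replace($_G['setting']['output']['str']['search'], $_G['setting']['output']['str']['replace'], $content);
      }
      if(!empty($_G['setting']['output']['preg']['search']) && (empty($_G['setting']['rewriteguest']) || empty($_G['uid']))) {
          if(empty($_G['setting']['domain']['app']['default'])) {
              $_G['setting']['output']['preg']['search'] = str_replace('\{CURHOST\}', preg_quote($_G['siteurl'], '/'), $_G['setting']['output']['preg']['search']);
              $_G['setting']['output']['preg']['replace'] = str_replace('{CURHOST}', $_G['siteurl'], $_G['setting']['output']['preg']['replace']);
          }

          // Guard added by this fix. The search setting is a list of patterns, so each one is
          // inspected on its own: preg_match() cannot take the list directly, and because it
          // returns 0 for "no match" a `!== FALSE` comparison cannot separate clean input
          // from hostile input.
          foreach($_G['setting']['output']['preg']['search'] as $value) {
              // A nested array would be handed to preg_replace_callback() as a pattern list
              // and slip past a string-only inspection, so anything but a string is refused.
              if(!is_string($value)) { die("request error"); }
              // PCRE ignores leading whitespace before the opening delimiter.
              $pattern = ltrim($value, " \t\n\r\x0B\x0C");
              if($pattern === '') { continue; }
              // Bracket-style delimiters close with their counterpart; any other delimiter closes with itself.
              $closing = strtr($pattern[0], '([{<', ')]}>');
              $end = strrpos($pattern, $closing);
              // Everything after the last closing delimiter is the modifier list.
              if($end !== false && $end > 0 && strpos((string)substr($pattern, $end + 1), 'e') !== false) {
                  die("request error");
              }
          }

          foreach($_G['setting']['output']['preg']['search'] as $key => $value) {
              // Code-execution sink: the replacement string for this key becomes the body of a
              // function compiled at runtime (see the security note in the header comment).
              $content = preg_replace_callback($value, create_function('$matches', 'return '.$_G['setting']['output']['preg']['replace'][$key].';'), $content);
          }
      }

      return $content;
  }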
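然后将修改好的文件保存,上传到服务器目录覆盖一下,然后去阿里云对应漏洞提示后面点击“验证一下”,验证时漏洞提示就会消失!
问题解决!
注意:提示消失只说明扫描规则不再命中该文件,并不等于漏洞已经修复。新增的这一行只检查 search 里的正则,而 replace 里的内容仍会被 create_function 当作 PHP 代码执行;并且 search 是数组,preg_match 无法直接对数组做检查,返回值 0(未匹配)也满足 !== FALSE,所以这行判断并不能可靠地拦截恶意配置。请同时确认 memcache 只监听内网或本机地址、SSRF 入口已经修补,并以官方补丁为准。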

