Discuz! 7.1 & 7.2 backend Remote Code Execution vulnerability and fix

Source: Internet
Author: User

I found this code execution together with the front-end code execution at the beginning of the year, and I guess quite a few people have seen it. Fortunately nobody published it for so long; it has been used many times in the last six months... but in the end some people can't help making announcements. Keep in mind that it only takes one release. After that, what do you rely on to get the site?

This backend execution was a consolation after the front-end execution at that time... I'm glad it has lasted more than half a year... I don't know whether the t00ls server has been compromised with it; unfortunately the t00ls backend already patched this vulnerability at the beginning of the year.

Actually this is an old problem, so I won't explain it at length. Those with nothing better to do can go to the official site and keep digging X1. Once 6.0, 7.0, 7.1 and 7.2 have all been dug out, if you run into dz, please just bypass it...

OK, look at the code in include/global.func.php:

function sendpm($toid, $subject, $message, $fromid = '') {
    if($fromid === '') {
        require_once DISCUZ_ROOT.'./uc_client/client.php';
        $fromid = $discuz_uid;
    }
    if($fromid) {
        uc_pm_send($fromid, $toid, $subject, $message);
    } else {
        global $promptkeys;
        if(in_array($subject, $promptkeys)) {
            $type = $subject;
        } else {
            extract($GLOBALS, EXTR_SKIP);
            require_once DISCUZ_ROOT.'./include/discuzcode.func.php';
            eval("\$message = addslashes(\"".$message."\");"); // This is the old problem: $message is interpolated into PHP source.
            $type = 'systempm';
            $message = '<div>'
                .$subject.' {time}'
                .discuzcode($message, 1, 0).
                '</div>';
        }
        sendnotice($toid, $message, $type);
    }
}
To reach the eval, the third parameter $message must be controllable (and $fromid must be 0, so that the else branch is taken).
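As an added example (not Discuz! code), the eval pattern from sendpm() is shown beside a hardened equivalent and a simple admin-side input check; the function names are assumptions for this demo.

```php
<?php
// Added example, not Discuz! code: the eval pattern from sendpm() beside a
// hardened equivalent. Function names here are assumptions for this demo.

// Vulnerable: $message is spliced into PHP source inside a double-quoted
// string, so PHP interpolation syntax ({$...} / {${...}}) in the message is
// evaluated. Any unescaped double quote in the message also breaks the eval.
function vulnerable_escape($message) {
    eval("\$message = addslashes(\"".$message."\");");
    return $message;
}

// Hardened: call addslashes() on the value directly. The message stays data;
// no PHP source is built from it and nothing is evaluated.
function hardened_escape($message) {
    return addslashes($message);
}

// Extra guard for admin-stored templates such as the welcome PM: flag text
// that contains PHP interpolation syntax. This is a heuristic for logging
// and review only; removing the eval is the actual fix.
function contains_interpolation($message) {
    return preg_match('/\{\$|\$\{/', $message) === 1;
}

// Constructed sample inputs.
$benign = 'Welcome to the forum!';
$marker = '{${phpinfo()}}';   // the string quoted in the article; single-quoted, never evaluated

// Both versions agree on plain text.
echo (vulnerable_escape($benign) === hardened_escape($benign)) ? "same\n" : "differ\n";

// The hardened version returns the marker unchanged, as a literal string.
echo hardened_escape($marker), "\n";

// The guard flags the marker but not the benign welcome text.
echo contains_interpolation($marker) ? "flagged\n" : "clean\n";
echo contains_interpolation($benign) ? "flagged\n" : "clean\n";
```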

Method 1:

sendpm() is called during front-end registration:

...
if($welcomemsg && !empty($welcomemsgtxt)) {
    $welcomtitle = !empty($welcomemsgtitle) ? $welcomemsgtitle : "Welcome to $bbname!";
    $welcomtitle = addslashes(replacesitevar($welcomtitle));
    $welcomemsgtxt = addslashes(replacesitevar($welcomemsgtxt));
    if($welcomemsg == 1) {
        sendpm($uid, $welcomtitle, $welcomemsgtxt, 0); // sends a forum PM; the third parameter is controlled from the admin backend (www.oldjun.com)
    } elseif($welcomemsg == 2) {
        sendmail("$username <$email>", $welcomtitle, $welcomemsgtxt);
    }
}
...
So with control of the backend, the vulnerability is triggered by enabling the welcome PM and registering a new account.

Put {${phpinfo()}} in the content of the PM sent on registration and it executes. If you want an exp, modify the one from the beginning of the year...

Method 2:

The backend member.inc.php can control $message directly:

...
if(in_array($sendvia, array('pm', 'email'))) {
    $query = $db->query("SELECT uid, username, groupid, email FROM {$tablepre}members WHERE $conditions LIMIT $current, $pertask");
    while($member = $db->fetch_array($query)) {
        $sendvia == 'pm' ? sendpm($member['uid'], $subject, $message, 0) : sendmail("$member[username] <$member[email]>", $subject, $message);
        $continue = TRUE;
    }
}
...
Modify the form...

As for the exp, I don't want to post it; this is mainly for technical exchange...

One last point: this vulnerability does not work on 7.0 or earlier, and it does not seem to work on X1 or later either. There are also some other vulnerabilities in 7.0, 7.1 and 7.2 that were quietly patched in X1. I haven't looked at X1 in detail, but it seems quite secure (maybe not absolutely)... I digress...


Solution:

Upgrade promptly.
