Analysis of the remote code execution vulnerability in Discuz! (DZ). The problem is serious: an attacker can use it to write a web shell directly.
The vulnerability comes from the showmessage function:
    function showmessage($message, $url_forward = '', $extra = '', $forwardtype = 0) {
        extract($GLOBALS, EXTR_SKIP); // dangerous usage: every global, including ones the request registered and nothing ever initialized, is imported into function scope, and that is what leads to the problem. from www.oldjun.com
        global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist;
        define('CACHE_FORBIDDEN', TRUE);

        $hookscriptmessage = $show_message = $message;
        $messagehandle = 0;

        $msgforward = unserialize($_DCACHE['settings']['msgforward']);
        $refreshtime = intval($msgforward['refreshtime']);
        $refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3);
        $msgforward['refreshtime'] = $refreshtime * 1000;
        $url_forward = empty($url_forward) ? '' : (empty($_DCOOKIE['sid']) && $transsidstatus ? transsid($url_forward) : $url_forward);
        $seccodecheck = $seccodestatus & 2;

        if($_DCACHE['settings']['funcsiteid'] && $_DCACHE['settings']['funckey'] && $funcstatinfo && !IS_ROBOT) {
            $statlogfile = DISCUZ_ROOT.'./forumdata/funcstat.log';
            if($fp = @fopen($statlogfile, 'a')) {
                @flock($fp, 2);
                if(is_array($funcstatinfo)) {
                    $funcstatinfo = array_unique($funcstatinfo);
                    foreach($funcstatinfo as $funcinfo) {
                        fwrite($fp, funcstat_query($funcinfo, $message)."\n");
                    }
                } else {
                    fwrite($fp, funcstat_query($funcstatinfo, $message)."\n");
                }
                fclose($fp);
                $funcstatinfo = $GLOBALS['funcstatinfo'] = '';
            }
        }

        if(!defined('STAT_DISABLED') && STAT_ID > 0 && !IS_ROBOT) {
            write_statlog($message);
        }

        if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward['quick'] && $msgforward['messages'] && @in_array($message, $msgforward['messages']))) {
            updatesession();
            dheader("location: ".str_replace('&amp;', '&', $url_forward));
        }

        if(!empty($infloat)) {
            if($extra) {
                $messagehandle = $extra;
            }
            $extra = '';
        }

        if(in_array($extra, array('HALTED', 'NOPERM'))) {
            $discuz_action = 254;
        } else {
            $discuz_action = 255;
        }

        include language('messages');
        $vars = explode(':', $message); // the message only needs to contain a single ':'
        if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) { // exactly two parts, separated by ':'
            eval("\$show_message = \"".str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]])."\";"); // $scriptlang is never initialized, so the request can supply it; only the double quote is escaped, and PHP string interpolation still runs code. from www.oldjun.com
        } elseif(isset($language[$message])) {
            $pre = $inajax ? 'ajax_' : '';
            eval("\$show_message = \"".(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message])."\";");
            unset($pre);
        }
        ......
    }
Because of DZ's register_globals emulation, every request parameter whose name does not start with an underscore becomes a global variable, so any variable the code never initializes (such as $scriptlang or $response) can be supplied at will by the attacker:

    foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach($$_request as $_key => $_value) {
            $_key{0} != '_' && $$_key = daddslashes($_value); // only quotes are backslashed; arrays are registered as-is
        }
    }
misc.php happens to have a place where the message passed to showmessage() is attacker-controlled: $response is never initialized before it is used.

    } elseif($action == 'imme_binding' && $discuz_uid) {
        if(isemail($id)) {
            $msn = $db->result_first("SELECT msn FROM {$tablepre}memberfields WHERE uid='$discuz_uid'");
            $msn = explode("\t", $msn);
            $id = dhtmlspecialchars(substr($id, 0, strpos($id, '@')));
            $msn = "$msn[0]\t$id";
            $db->query("UPDATE {$tablepre}memberfields SET msn='$msn' WHERE uid='$discuz_uid'");
            showmessage('msn_binding_succeed', 'memcp.php');
        } else {
            if($result == 'Declined') {
                dheader("Location: memcp.php");
            } else {
                showmessage($response['result']); // $response is never initialized, so the request supplies it. from www.oldjun.com
            }
        }
    }
Vulnerability exploitation:
Inside showmessage(), $vars = explode(':', $message) splits the message on a colon. Since $message is whatever the request put into $response['result'], and $scriptlang is whatever the request put into scriptlang[...][...], the chain is straightforward: the attacker, as a logged-in user (the branch requires $discuz_uid), requests misc.php with action=imme_binding, an $id that is not an e-mail address, and $result not equal to 'Declined', so that showmessage($response['result']) is reached. The two controlled parameters are the two arrays $response and $scriptlang: response[result] is set to a two-part value such as a:b, and scriptlang[a][b] is set to the text to be evaluated. extract($GLOBALS, EXTR_SKIP) copies both into the function, count($vars) == 2 and the isset() check pass, and the attacker's string is pasted into a double-quoted PHP string literal inside eval(). The str_replace() only escapes the double quote, so PHP's {${...}} interpolation syntax still executes an arbitrary expression. The one constraint is that daddslashes() has already backslashed every quote in the request, so the expression must avoid string literals, for example by taking its code from another request parameter; that is enough to write a shell.
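The following stand-alone PHP script is an added example, not code from the original analysis or from Discuz!. It models the two pieces described above: the request-to-global registration loop, and the $scriptlang/eval sink of showmessage(), reduced to the lines that matter, beside a hardened variant of the same function. The $request array, the mark() probe, and the daddslashes_demo(), showmessage_vuln() and showmessage_safe() names are this example's own assumptions; the real functions behave as shown on the page but live in DZ's own files.

```php
<?php
// Added example (not Discuz! code): a self-contained model of the chain
// described above. Names ending in _demo/_vuln/_safe are this example's own.

// Constructed request standing in for $_GET: a two-part message plus a
// scriptlang entry whose value is a PHP interpolation expression (no quotes,
// so daddslashes() leaves it intact).
$request = array(
    'action'     => 'imme_binding',
    'response'   => array('result' => 'a:b'),
    'scriptlang' => array('a' => array('b' => 'hello {${mark()}}')),
);

// Probe called by the interpolated expression. It records that code ran and
// returns 'message' so that ${mark()} resolves to the existing $message
// variable instead of raising an undefined-variable notice.
function mark() {
    $GLOBALS['expression_ran'] = true;
    return 'message';
}

// Minimal daddslashes(): backslashes quotes like DZ does, recursing into
// arrays. A payload without quotes passes through unchanged.
function daddslashes_demo($v) {
    return is_array($v) ? array_map('daddslashes_demo', $v) : addslashes($v);
}

// DZ-style registration at global scope: every request key not starting with
// '_' becomes a global variable, whether or not the code initialized it.
foreach ($request as $_key => $_value) {
    $_key[0] != '_' && $$_key = daddslashes_demo($_value);
}

// Vulnerable sink: $scriptlang arrives via extract($GLOBALS), and the
// request-supplied template is evaluated as PHP source.
function showmessage_vuln($message) {
    extract($GLOBALS, EXTR_SKIP);           // imports the request's $scriptlang
    $show_message = $message;
    $vars = explode(':', $message);
    if (count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {
        // Only '"' is escaped; {${expr}} inside a double-quoted string still runs expr.
        eval("\$show_message = \"" . str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]]) . "\";");
    }
    return $show_message;
}

// Hardened sink: no extract($GLOBALS); $scriptlang is a local initialized from
// trusted data only; placeholders are expanded with strtr() instead of eval(),
// so request data is never parsed as PHP.
function showmessage_safe($message, array $placeholders = array()) {
    $scriptlang = array('demo' => array('ok' => 'Hello {name}')); // stands in for the plugin language file
    $show_message = $message;
    $vars = explode(':', $message);
    if (count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {
        $map = array();
        foreach ($placeholders as $k => $v) {
            $map['{' . $k . '}'] = htmlspecialchars($v, ENT_QUOTES);
        }
        $show_message = strtr($scriptlang[$vars[0]][$vars[1]], $map);
    }
    return $show_message;
}

$expression_ran = false;
$out = showmessage_vuln($response['result']);
printf("vulnerable: show_message=%s, expression ran: %s\n", $out, $expression_ran ? 'yes' : 'no');

$expression_ran = false;
$out = showmessage_safe($response['result']);            // request's a:b matches nothing, no eval
printf("hardened (a:b): show_message=%s, expression ran: %s\n", $out, $expression_ran ? 'yes' : 'no');

$expression_ran = false;
$out = showmessage_safe('demo:ok', array('name' => 'world {${mark()}}'));
printf("hardened (demo:ok): show_message=%s, expression ran: %s\n", $out, $expression_ran ? 'yes' : 'no');
```

Run it with the PHP CLI. In the vulnerable path the interpolation calls mark() and $show_message becomes "hello a:b", proving that the request's scriptlang value was executed as code; in the hardened path the same text survives only as a literal inside the output, because the template comes from a local array and the substitution never touches the PHP parser.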