Discuz! public platform plug-in: patch bypass allows unauthorized deletion of database tables
The patch for the Discuz! public platform plug-in can be bypassed to delete database tables without authorization, and the request also gets past the Baidu cloud WAF.
The previous vulnerability published was a getshell. The plug-in responded quickly and a patch was installed today, so we have to say that dz is awesome.
But is it really fixed?
Look at the code again:
if (!strpos($_GET['mod'],'/') && !strpos($_GET['mod'],'\\') && !strpos($_GET['ac'],'/') && !strpos($_GET['ac'],'\\')) {
    include DISCUZ_ROOT.'./source/plugin/hux_wx/mod/'.$_GET['mod'].'/'.$_GET['ac'].'.php';
}
This is the repaired code: values containing a backslash or a forward slash are filtered out.
1. $_GET['mod'] = '..' passes the filter
2. $_GET['ac'] = 'uninstall' passes the filter
With these two values the statement includes hux_wx/mod/../uninstall.php, so the final result is the execution of hux_wx/uninstall.php.
Let's take a look at this file.
<?php
if(!defined('IN_DISCUZ')) {
    exit('Access Denied');
}
$sql = <<<EOF
DROP TABLE IF EXISTS pre_hux_wx;
DROP TABLE IF EXISTS pre_hux_wx_action;
DROP TABLE IF EXISTS pre_hux_wx_config;
DROP TABLE IF EXISTS pre_hux_wx_userjp;
EOF;
runquery($sql);
$finish = TRUE;
?>
Did you see it? The only check is:
if(!defined('IN_DISCUZ')) {
    exit('Access Denied');
}
That check only stops the file from being requested directly; it does not check who the user is. So the file is obviously reachable by any user through the include above.
OK, the code analysis is complete, so there is no need to do a demonstration. Otherwise, you can try it on the plug-in center homepage. This can also bypass the Baidu cloud WAF, haha.
Solution:
Filter
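One way to do the filtering, as an added example rather than the plug-in's or Discuz!'s own code: accept only plain identifiers for mod and ac, then confirm the canonical path stays under the mod directory. The helper name resolve_plugin_script, the temporary directory layout and the index/main module names are assumptions made for the demonstration.

```php
<?php
// Added example: hypothetical helper, not part of hux_wx or Discuz!.
// Returns the canonical script path strictly inside $baseDir, or null.
function resolve_plugin_script(string $baseDir, $mod, $ac): ?string
{
    // Allowlist: each part must be a plain identifier. This rejects '..',
    // '.', empty strings, slashes, backslashes, NUL bytes and array input.
    foreach ([$mod, $ac] as $part) {
        if (!is_string($part) || !preg_match('/\A[a-z0-9_]+\z/i', $part)) {
            return null;
        }
    }
    $base = realpath($baseDir);
    $target = realpath($baseDir . '/' . $mod . '/' . $ac . '.php');
    if ($base === false || $target === false) {
        return null; // base directory or script does not exist
    }
    // Defence in depth: the resolved path must still sit under the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed layout mirroring the page: hux_wx/uninstall.php one level
// above hux_wx/mod/, plus one legitimate module script (made-up names).
$root = sys_get_temp_dir() . '/hux_wx_demo_' . getmypid();
mkdir($root . '/hux_wx/mod/index', 0700, true);
file_put_contents($root . '/hux_wx/uninstall.php', "<?php // placeholder\n");
file_put_contents($root . '/hux_wx/mod/index/main.php', "<?php // placeholder\n");
$modDir = $root . '/hux_wx/mod';

// The patched check from the page only looks for '/' and '\', so '..' passes it.
$passesOldCheck = !strpos('..', '/') && !strpos('..', '\\')
    && !strpos('uninstall', '/') && !strpos('uninstall', '\\');

var_dump($passesOldCheck);
var_dump(resolve_plugin_script($modDir, '..', 'uninstall'));
var_dump(resolve_plugin_script($modDir, 'index', 'main') !== null);
```

Path filtering alone does not make uninstall.php safe to reach: a script that drops tables also needs its own permission check before runquery() is called.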