DZ7.1 and 7.2 0 Remote Code Execution Vulnerability acquisition Webshell (1)

Bkjia.com exclusive Article] Crossday Discuz! Board forum system Discuz! Is an efficient forum solution built using PHP, MySQL, and other types of databases. As a commercial software product, Discuz! It has a good reputation in terms of code quality, operation efficiency, load capacity, security level, functional controllability, and permission rigor. For webmasters, use Discuz! All of them are able to build a community forum platform with excellent performance, comprehensive functions, security and stability at the lowest cost in the shortest time and with the least manpower. It can run on Windows and Linux platforms. Currently, it has more than 1 million users. Before this article, Discuz! It is also difficult to obtain webshells because of vulnerabilities in the forum. This vulnerability can be easily obtained by registered users. In Discuz! In versions 7.1 and 7.2, the showmessage function can be submitted at will because the parameters executed in eval are not initialized, so that any PHP command can be executed. This vulnerability was first launched by the core T00ls team. The remote code execution vulnerability is analyzed below. This problem is really serious and can be directly written into shell.

1. The vulnerability comes from the showmessage function.
Function showmessage ($ message, $ url_forward = '', $ extra ='', $ forwardtype = 0 ){
Extract ($ GLOBALS, EXTR_SKIP); // dangerous usage. uninitialized variables can be directly imported into the function, which directly leads to problems. from www.oldjun.com
Global $ hookscriptmessage, $ extrahead, $ discuz_uid, $ discuz_action, $ debuginfo, $ seccode, $ seccodestatus, $ fid, $ tid, $ charset, $ show_message, $ inajax, $ _ DCACHE, $ advlist;

Define ('cache _ FORBIDDEN ', TRUE ); $ Hookscriptmessage = $ show_message = $ message; $ messagehandle = 0; $ Msgforward = unserialize ($ _ DCACHE ['settings'] ['msgforward ']); $ Refreshtime = intval ($ msgforward ['refreshtime']); $ Refreshtime = empty ($ forwardtype )? $ Refreshtime: ($ refreshtime? $ Refreshtime: 3 ); $ Msgforward ['refreshtime'] = $ refreshtime * 1000; $ Url_forward = empty ($ url_forward )? '': (Empty ($ _ DCOOKIE ['sid ']) & $ transsidstatus? Transsid ($ url_forward): $ url_forward ); $ Seccodecheck = $ seccodestatus & 2; If ($ _ DCACHE ['settings'] ['functionid'] & $ _ DCACHE ['settings'] ['functiony'] & $ funcstatinfo &&! IS_ROBOT ){ $ Statlogfile = DISCUZ_ROOT. './forumdata/funcstat. log '; If ($ fp = @ fopen ($ statlogfile, 'A ')){ @ Flock ($ fp, 2 ); If (is_array ($ funcstatinfo )){ $ Funcstatinfo = array_unique ($ funcstatinfo ); Foreach ($ funcstatinfo as $ funcinfo ){ Fwrite ($ fp, funcstat_query ($ funcinfo, $ message). "\ n "); } } Else { Fwrite ($ fp, funcstat_query ($ funcstatinfo, $ message). "\ n "); } Fclose ($ fp ); $ Funcstatinfo = $ GLOBALS ['functionstatinfo'] = ''; } }  If (! Defined ('stat _ DISABLED ') & STAT_ID> 0 &&! IS_ROBOT ){ Write_statlog ($ message ); }  If ($ url_forward &&(! Empty ($ quickforward) | empty ($ inajax) & $ msgforward ['quick'] & $ msgforward ['messages '] & @ in_array ($ message, $ msgforward ['messages ']) { Updatesession (); Dheader ("location:". str_replace ('&', '&', $ url_forward )); } If (! Empty ($ infloat )){ If ($ extra ){ $ Messagehandle = $ extra; } $ Extra = ''; } If (in_array ($ extra, array ('halted', 'noperm '))){ $ Discuz_action = 254; } Else { $ Discuz_action = 255; } Include language ('messages '); $ Vars = explode (':', $ message );//You only need to include: If (count ($ vars) = 2 & isset ($ scriptlang [$ vars [0] [$ vars [1]) {//Use the following two numbers to separate them. Eval ("\ $ show_message = \"". str_replace ('"', '\"', $ scriptlang [$ vars [0] [$ vars [1]). "\"; "); // $ scriptlangNot initialized. It can be customized, from www.oldjun.com } Elseif (isset ($ language [$ message]) { $ Pre = $ inajax? 'Ajax _':''; Eval ("\ $ show_message = \" ". (isset ($ language [$ pre. $ message])? $ Language [$ pre. $ message]: $ language [$ message]). "\"; "); Unset ($ pre ); } ......}