PPC has fixed the Discuz! 7.1 and 7.2 remote execution vulnerability

PPC (PHPChina) has fixed the Discuz! 7.1 and 7.2 remote execution vulnerability. On the afternoon of January 6, details of the Discuz! 7.1 and 7.2 vulnerability and the related attack methods appeared on the Internet. PHPChina urgently contacted the Discuz! R&D department and, in the shortest possible time, patched the official PHPChina Forum program (which is built on Discuz!) so that members can continue to use the PHPChina Forum normally and safely. Thank you for your interest in and support of PHPChina; we will always adhere to our user-oriented principle and provide you with a safer and more convenient environment for learning and communication. The following is an introduction to the vulnerability:

First, the vulnerability spread from the t00ls core group. xhming read the vulnerability first, and I read it later; all the code is read and executed. On the evening of July 11, at the request of hackers in the core group, xhming gave a PoC and I gave an exp, which indeed hit the same problem. Then I went offline. Only a few people in the t00ls core group knew about the exp I gave, but I could not have imagined that after half a day the exp would have leaked, and it was indeed derived from the version I posted the day before.

It is hard to imagine the speed at which the exp circulated. A has a good relationship with B, so A sends it to B; B is a good friend of C, so B sends it to C... Some people can never hold their temper and always leak a little, and so this is what happened. What is most unbearable is that some SB even sold it in the group. I really have nothing to say. When is it your turn to sell it? If you have anything in the future, keep it to yourself.

In the morning, the vulnerability was reported to Saiy; the official DZ patch is coming soon.

Related reading: Comsenz (Kang Sheng Chuang Xiang) released Discuz! 7.2 Patch 20100110

Note: The $scriptlang array that causes the vulnerability is initialized once a plug-in has been installed, so users who have installed a plug-in are not affected.

Vulnerability description:

In Discuz! 7.1 and 7.2, the parameter passed to eval() in the showmessage() function is not initialized and can be supplied arbitrarily by the user, allowing execution of arbitrary PHP commands.

Vulnerability Analysis:

Next we will analyze this remote code execution vulnerability. This issue is really serious: an attacker can directly write a web shell.

1. The vulnerability originates in the showmessage function:

function showmessage($message, $url_forward = '', $extra = '', $forwardtype = 0) {
    extract($GLOBALS, EXTR_SKIP); // dangerous usage: uninitialized variables are imported straight into the function, which directly leads to the problem. from www.oldjun.com
    global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist;
    define('CACHE_FORBIDDEN', TRUE);
    $hookscriptmessage = $show_message = $message; $messagehandle = 0;
    $msgforward = unserialize($_DCACHE['settings']['msgforward']);
    $refreshtime = intval($msgforward['refreshtime']);
    $refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3);
    $msgforward['refreshtime'] = $refreshtime * 1000;
    $url_forward = empty($url_forward) ? '' : (empty($_DCOOKIE['sid']) && $transsidstatus ? transsid($url_forward) : $url_forward);
    $seccodecheck = $seccodestatus & 2;
    if($_DCACHE['settings']['funcsiteid'] && $_DCACHE['settings']['funckey'] && $funcstatinfo && !IS_ROBOT) {
        $statlogfile = DISCUZ_ROOT.'./forumdata/funcstat.log';
        if($fp = @fopen($statlogfile, 'a')) {
            @flock($fp, 2);
            if(is_array($funcstatinfo)) {
                $funcstatinfo = array_unique($funcstatinfo);
                foreach($funcstatinfo as $funcinfo) {
                    fwrite($fp, funcstat_query($funcinfo, $message)."\n");
                }
            } else {
                fwrite($fp, funcstat_query($funcstatinfo, $message)."\n");
            }
            fclose($fp);
            $funcstatinfo = $GLOBALS['funcstatinfo'] = '';
        }
    }

    if(!defined('STAT_DISABLED') && STAT_ID > 0 && !IS_ROBOT) {
        write_statlog($message);
    }

    if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward['quick'] && $msgforward['messages'] && @in_array($message, $msgforward['messages']))) {
        updatesession();
        dheader("location: ".str_replace('&amp;', '&', $url_forward));
    }
    if(!empty($infloat)) {
        if($extra) {
            $messagehandle = $extra;
        }
        $extra = '';
    }
    if(in_array($extra, array('halted', 'noperm'))) {
        $discuz_action = 254;
    } else {
        $discuz_action = 255;
    }

    include language('messages');

    $vars = explode(':', $message); // the message only needs to contain a ':'
    if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) { // two parts, separated by ':'
        eval("\$show_message = \"".str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]])."\";"); // $scriptlang is not initialized and can be defined by the attacker, from www.oldjun.com
    } elseif(isset($language[$message])) {
        $pre = $inajax ? 'ajax_' : '';
        eval("\$show_message = \"".(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message])."\";");
        unset($pre);
    }

    ......
}
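The following is an added example, not code from Discuz! or from this article's author. It isolates the root cause just shown: extract($GLOBALS, EXTR_SKIP) imports a $scriptlang table that the function never initialized, and a value from that table is then interpolated inside a double-quoted string passed to eval(). Beside it is a hardened shape of the same lookup; the function names, the trusted loader and the language table are hypothetical, constructed for this example.

```php
<?php
// Vulnerable shape (same control flow as the original showmessage()).
function showmessage_vulnerable($message) {
    extract($GLOBALS, EXTR_SKIP);   // imports $scriptlang if anything set it globally
    $vars = explode(':', $message);
    if (count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {
        // the table value is interpolated inside a double-quoted PHP string, so any
        // {$...} or ${...} it contains is evaluated as code, not shown as text
        eval("\$show_message = \"" . str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]]) . "\";");
        return $show_message;
    }
    return $message;
}

// Hardened shape: the table always comes from a trusted loader, nothing is taken
// from $GLOBALS, and placeholders are expanded by substitution instead of eval().
function load_scriptlang_trusted() {
    // constructed sample standing in for the plug-in language cache
    return array('myplugin' => array('greeting' => 'Hello, {username}!'));
}

function showmessage_safe($message, array $context = array()) {
    $scriptlang = load_scriptlang_trusted();   // initialized here, never from the request
    $vars = explode(':', $message);
    if (count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {
        $pairs = array();
        foreach ($context as $key => $value) {
            $pairs['{' . $key . '}'] = htmlspecialchars($value, ENT_QUOTES);
        }
        return strtr($scriptlang[$vars[0]][$vars[1]], $pairs);   // no code evaluation
    }
    return htmlspecialchars($message, ENT_QUOTES);
}

// Demonstration: simulate a request parameter that a register_globals-style import
// has turned into a global variable (constructed, deliberately harmless value).
$GLOBALS['scriptlang'] = array('x' => array('y' => 'text supplied by the request'));

var_dump(showmessage_vulnerable('x:y'));   // string(28) "text supplied by the request": untrusted table honoured
var_dump(showmessage_safe('x:y'));         // string(3) "x:y": unknown key, falls back to escaped message
var_dump(showmessage_safe('myplugin:greeting', array('username' => 'alice')));   // string(13) "Hello, alice!"
```

Detection-wise, the pattern to grep for in a code base is extract($GLOBALS ...) in any function that later calls eval(): the first makes every global reachable, the second turns an unset global into code execution.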
