Analysis of a MyBB unset_globals() bypass leading to remote code execution
Yesterday we saw a remote code execution vulnerability on exploit-db. The analysis was very detailed; unfortunately, it was written in English. Here is a simple translation.
When register_globals = On, MyBB calls its unset_globals() function to emulate register_globals = Off by removing every request variable that PHP has registered into the global scope:
```php
if(@ini_get("register_globals") == 1)
{
    $this->unset_globals($_POST);
    $this->unset_globals($_GET);
    $this->unset_globals($_FILES);
    $this->unset_globals($_COOKIE);
}
...
}
...
function unset_globals($array)
{
    if(!is_array($array))
    {
        return;
    }
    foreach(array_keys($array) as $key)
    {
        unset($GLOBALS[$key]);
        unset($GLOBALS[$key]); // Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
    }
}
```
When we request foo.php?_COOKIE=1, so that $_GET['_COOKIE'] = 1, unset_globals() executes unset($GLOBALS['_COOKIE']), which destroys the $_COOKIE array itself. Likewise, requesting foo.php?GLOBALS=1 gives $_GET['GLOBALS'] = 1, and unset($GLOBALS['GLOBALS']) destroys $GLOBALS itself.
$GLOBALS is an automatic superglobal bound to the global symbol table: $GLOBALS['key'] reads or writes the global variable $key from any scope, because PHP resolves it by looking $key up directly in that table. Once $GLOBALS has been overwritten or unset, the name $GLOBALS no longer refers to the symbol table, so PHP cannot reach $key through it. Every unset($GLOBALS[$key]) that runs after that point (the remaining keys of the same array, and every array processed later) misses the real global variables, and the register_globals = Off emulation that unset_globals() is meant to provide is bypassed.
MyBB did consider the variable-overwrite problem. inc/class_core.php, lines 134-141, contains:
```php
$protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");
foreach($protected as $var)
{
    if(isset($_REQUEST[$var]) || isset($_FILES[$var]))
    {
        die("Hacking attempt");
    }
}
```
Note the condition if(isset($_REQUEST[$var]) || isset($_FILES[$var])). Historically $_REQUEST contained the $_GET, $_POST and $_COOKIE arrays. PHP 5.3.0, however, introduced the request_order directive, which controls which sources populate $_REQUEST, and the php.ini-development and php.ini-production files shipped since then set request_order = "GP": on such an installation $_REQUEST holds only data submitted via $_GET and $_POST. Sending the protected name as a cookie therefore never shows up in $_REQUEST and slips past the isset($_REQUEST[$var]) check. So with PHP >= 5.3 and register_globals = On, submitting $_COOKIE['GLOBALS'] bypasses unset_globals(), and register_globals = On can then be used to register arbitrary variables. I will not go further into the analysis here; if you are interested, read the original article. Here is the screenshot showing the test was successful.
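The following is an added example written for this translation, not MyBB's code nor code from the original advisory. It models both points above: how request_order decides what lands in $_REQUEST (so that the protected-name check in inc/class_core.php never sees a cookie), and why the order of keys in the array handed to unset_globals() decides which registered variables survive. register_globals was removed in PHP 5.4, so the symbol-table part is an explicit model of the pre-5.4 behaviour, not a live reproduction; the function names, the hardened check and the sample request contents are all assumptions constructed for the example.

```php
<?php
// Added example, not MyBB code. All helper names are hypothetical and the
// request contents below are constructed sample input, not captured traffic.

/**
 * Build $_REQUEST the way PHP does for a given request_order string: each
 * letter (G, P, C) merges that source in turn, later sources overriding.
 * The php.ini files shipped with PHP 5.3+ set request_order = "GP", so on a
 * default install cookies never reach $_REQUEST. (An empty request_order falls
 * back to variables_order in real PHP; this model does not handle that case.)
 */
function build_request(array $get, array $post, array $cookie, string $request_order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($request_order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/** The inc/class_core.php check, returning true where MyBB calls die(). */
function mybb_detects_overwrite(array $request, array $files): bool
{
    $protected = ["_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS"];
    foreach ($protected as $var) {
        if (isset($request[$var]) || isset($files[$var])) {
            return true;
        }
    }
    return false;
}

/** Hardened variant (assumption): inspect every input source, not $_REQUEST. */
function hardened_detects_overwrite(array $get, array $post, array $cookie, array $files): bool
{
    $protected = ["_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS"];
    foreach ([$get, $post, $cookie, $files] as $source) {
        foreach ($protected as $var) {
            if (array_key_exists($var, $source)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Model of unset_globals() on pre-5.4 PHP with register_globals = On.
 * $symtab stands in for the global symbol table and its 'GLOBALS' entry for
 * the $GLOBALS superglobal. Once that entry is deleted, the name $GLOBALS
 * resolves to a fresh, detached array, so every later unset($GLOBALS[$key])
 * misses the real globals. Returns the registered keys that survive.
 */
function surviving_after_unset_globals(array $array): array
{
    $symtab = ['GLOBALS' => true];
    foreach ($array as $key => $value) {
        $symtab[$key] = $value;           // what register_globals = On did
    }
    $detached = false;
    foreach (array_keys($array) as $key) {
        if ($detached) {
            continue;                     // unset now hits the detached copy
        }
        unset($symtab[$key]);
        if ($key === 'GLOBALS') {
            $detached = true;             // $GLOBALS itself was just unset
        }
    }
    unset($symtab['GLOBALS']);            // drop the stand-in entry if it is still there
    return array_keys($symtab);
}

// Constructed sample request: the protected name travels in a cookie, not the
// query string, and the attacker-chosen variable follows it in the Cookie header.
$get    = ['page' => 'index'];
$post   = [];
$cookie = ['GLOBALS' => '1', 'evil' => 'payload'];
$files  = [];

var_dump(mybb_detects_overwrite(build_request($get, $post, $cookie, 'GP'), $files));
var_dump(mybb_detects_overwrite(build_request($get, $post, $cookie, 'GPC'), $files));
var_dump(hardened_detects_overwrite($get, $post, $cookie, $files));
print_r(surviving_after_unset_globals($cookie));
print_r(surviving_after_unset_globals(array_reverse($cookie, true)));
```

Run it with php on the command line. With request_order "GP" the MyBB check does not fire on the cookie, with "GPC" it does, and the hardened variant fires regardless of request_order because it looks at $_COOKIE directly. The last two calls show the ordering dependence of the unset_globals() model: when GLOBALS precedes evil in the cookie array, evil survives; when the order is reversed, evil is unset before $GLOBALS is destroyed and nothing survives.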