Analysis of the MyBB unset_globals() bypass leading to remote code execution

Source: Internet
Author: User


Yesterday, we saw a remote code execution vulnerability in exploit-db. The analysis was very detailed. Unfortunately, it was written in English. Here is a simple translation.

When register_globals = On, MyBB calls the unset_globals() function to emulate register_globals = Off.
 

        if(@ini_get("register_globals") == 1)
        {
            $this->unset_globals($_POST);
            $this->unset_globals($_GET);
            $this->unset_globals($_FILES);
            $this->unset_globals($_COOKIE);
        }
        ...
    }
    ...
    function unset_globals($array)
    {
        if(!is_array($array))
        {
            return;
        }

        foreach(array_keys($array) as $key)
        {
            unset($GLOBALS[$key]);
            unset($GLOBALS[$key]); // Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
        }
    }

When we request foo.php?_COOKIE=1, that is, when $_GET['_COOKIE'] = 1, unset_globals() destroys $GLOBALS['_COOKIE'], which means the $_COOKIE array is destroyed as well. Similarly, when we request foo.php?GLOBALS=1, that is, when $_GET['GLOBALS'] = 1, $GLOBALS['GLOBALS'] is destroyed, which is $GLOBALS itself.

The $GLOBALS array is an automatic superglobal variable bound to the global variable table. You can use $GLOBALS['key'] to access or control a global variable from any scope of the script; when you use $GLOBALS['key'], PHP looks up $key directly in the global variable table. If $GLOBALS is overwritten or unset, PHP can no longer find $key, and in the end MyBB's unset_globals() function, which emulates register_globals = Off, is bypassed.

MyBB may have considered the variable overwrite issue. There is a code segment in /inc/class_core.php, lines 134-141:
 

    $protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");
    foreach($protected as $var)
    {
        if(isset($_REQUEST[$var]) || isset($_FILES[$var]))
        {
            die("Hacking attempt");
        }
    }

Note the condition in the preceding code: if(isset($_REQUEST[$var]) || isset($_FILES[$var])). By default, $_REQUEST contains the $_GET, $_POST, and $_COOKIE arrays. However, PHP 5.3.0 introduced request_order, a directive that affects the content of $_REQUEST. The default value is request_order = "GP", that is, $_REQUEST only contains data submitted through $_GET and $_POST. Based on this, the request can be submitted through $_COOKIE to bypass the isset($_REQUEST[$var]) restriction. Therefore, when PHP >= 5.3 and register_globals = On, submitting $_COOKIE['GLOBALS'] bypasses the unset_globals() function, and register_globals = On can then be used to register any variable. I will not analyze it further. If you are interested, you can read the original article. Here is the screenshot showing that the test succeeded.
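The following is an added example, not MyBB code and not from the original article. It models how request_order decides what reaches $_REQUEST and compares the quoted check with a variant that inspects every input source directly. The function names build_request(), original_check() and hardened_check() are hypothetical, and the sample input is constructed.

```php
<?php
// Added example, not MyBB code; all function names here are hypothetical.
const PROTECTED_KEYS = ["_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS"];

// Model how PHP fills $_REQUEST: only the sources named in request_order
// (G = GET, P = POST, C = COOKIE) are merged, later letters overriding earlier.
function build_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_replace($request, $sources[$letter]);
        }
    }
    return $request;
}

// The check as quoted from class_core.php: it looks only at $_REQUEST and $_FILES.
function original_check(array $request, array $files): bool
{
    foreach (PROTECTED_KEYS as $var) {
        if (isset($request[$var]) || isset($files[$var])) {
            return true; // the real code calls die("Hacking attempt") here
        }
    }
    return false;
}

// Hardened variant: test each input source itself, so the outcome does not
// depend on how request_order is configured.
function hardened_check(array ...$sources): bool
{
    foreach ($sources as $source) {
        foreach (PROTECTED_KEYS as $var) {
            if (array_key_exists($var, $source)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample input: a cookie named GLOBALS, nothing in GET, POST or FILES.
$get = []; $post = []; $files = []; $cookie = ['GLOBALS' => '1'];
foreach (['GPC', 'GP'] as $order) {
    $request = build_request($order, $get, $post, $cookie);
    printf("request_order=%s original=%s hardened=%s\n", $order,
        var_export(original_check($request, $files), true),
        var_export(hardened_check($get, $post, $cookie, $files), true));
}
```

Run with the PHP CLI; the original check only fires when the cookie source is part of request_order, while the hardened variant fires in both configurations.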

 

 
