Discuz! 7.1 & 7.2 back office remote code execution vulnerabilities and fixes-vulnerability warning-the black bar safety net

ID MYHACK58:62201028154
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-10-21T00:00:00


Since the front-end code execution has already been seen, I am publishing this one together with it. This back-office code execution is probably known to quite a few people, yet it held out this long without anyone posting it; I have used it many times over the past half year, but... in the end someone couldn't resist publishing it. You know how it is: once it is published, what will you rely on afterwards?

This back-office one also counts as a little consolation for losing the front-end one... at least it survived for most of a year, which is some comfort either way... I don't know whether it was used to get into the t00ls server, or whether, unfortunately, the t00ls back office had patched this hole from the start?

Actually it is an old problem, and I won't explain it much. Tell me, what is there left to dig now that X1 is out? Once 6.0, 7.0, 7.1 and 7.2 have all been dug clean, when you run into dz you might as well just bypass it...

Now let's look at the code, in include/global.func.php:

    function sendpm($toid, $subject, $message, $fromid = '') {
        if($fromid === '') {
            require_once DISCUZ_ROOT.'./uc_client/client.php';
            $fromid = $discuz_uid;
        }
        if($fromid) {
            uc_pm_send($fromid, $toid, $subject, $message);
        } else {
            global $promptkeys;
            if(in_array($subject, $promptkeys)) {
                $type = $subject;
            } else {
                extract($GLOBALS, EXTR_SKIP);
                require_once DISCUZ_ROOT.'./include/discuzcode.func.php';
                eval("\$message = addslashes(\"".$message."\");"); // here is the old problem: $message is spliced into PHP source
                $type = 'systempm';
                $message = '<div>'.$subject.' {time} '.discuzcode($message, 1, 0).'</div>';
            }
            sendnotice($toid, $message, $type);
        }
    }

To exploit this, the third parameter, $message, must be controllable, and $fromid must be 0 so that the eval branch is reached.
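The eval line above is the whole problem: the message text is spliced into PHP source before it is evaluated, so anything in it that PHP's double-quoted string syntax treats as code runs in the forum's process. As an added example that is not Discuz! code, the following rewrites that interpolation as an explicit placeholder substitution. It assumes the eval existed only so that a welcome message could reference variables pulled in by extract($GLOBALS, EXTR_SKIP); the whitelist of variable names and the sample values are constructed.

```php
<?php
// Added example (not Discuz! code): the eval-based interpolation in sendpm()
// rewritten as an explicit, whitelisted placeholder substitution.
// Variable names and sample values below are constructed for the demo.

// Placeholders a message template is allowed to reference.
function pm_template_vars() {
    return array(
        'bbname'   => 'Example Forum',  // constructed sample value
        'username' => 'alice',          // constructed sample value
    );
}

// Vulnerable pattern, as in the page's sendpm(): the message text becomes
// part of the PHP source that eval() runs, so "{${...}}" inside it is
// executed. Shown for comparison only; it is never called here.
function interpolate_with_eval($message) {
    extract(pm_template_vars(), EXTR_SKIP);
    eval("\$message = addslashes(\"".$message."\");");
    return $message;
}

// Hardened replacement: only whitelisted {$name} or $name placeholders are
// replaced, by plain string substitution, and the text is never parsed as
// code. Anything else, including "${...}" and backslash sequences, stays
// literal text. addslashes() is kept so callers see the same output shape.
function interpolate_safely($message) {
    $vars = pm_template_vars();
    $message = preg_replace_callback(
        '/\{\$([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)/',
        function ($m) use ($vars) {
            // $m[1] is '' when the second alternative matched.
            $name = $m[1] !== '' ? $m[1] : $m[2];
            return array_key_exists($name, $vars) ? $vars[$name] : $m[0];
        },
        $message
    );
    return addslashes($message);
}

// Constructed demonstration inputs.
$benign  = 'Welcome to {$bbname}, $username!';
$hostile = 'Hello {${phpinfo()}}';

echo interpolate_safely($benign), "\n";   // Welcome to Example Forum, alice!
echo interpolate_safely($hostile), "\n";  // Hello {${phpinfo()}}  (left literal, nothing executed)
```

The point of the rewrite is that the set of names a template may reference is fixed in code rather than being whatever extract($GLOBALS) happens to bring into scope, and that no user-supplied text ever reaches eval(). The same substitution can be applied wherever sendpm() is reached with $fromid = 0, which in this page are the registration welcome PM and the back-office member notification.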

Exploitation method one:

The front end calls this function during registration:

    ...
    if($welcomemsg && !empty($welcomemsgtxt)) {
        $welcomtitle = !empty($welcomemsgtitle) ? $welcomemsgtitle : "Welcome to $bbname!";
        $welcomtitle = addslashes(replacesitevar($welcomtitle));
        $welcomemsgtxt = addslashes(replacesitevar($welcomemsgtxt));
        if($welcomemsg == 1) {
            sendpm($uid, $welcomtitle, $welcomemsgtxt, 0); // sends the forum PM; the third parameter is controlled from the back office (www.oldjun.com)
        } elseif($welcomemsg == 2) {
            sendmail("$username <$email>", $welcomtitle, $welcomemsgtxt);
        }
    }
    ...

Thus, as long as the back office is configured to send a PM on registration, the vulnerability can be exploited.

Add {${phpinfo()}} to the content of the PM sent at registration and it gets executed; if you want an exp, just modify the one mentioned at the start...

Exploitation method two:

The back-office member.inc.php lets you control $message directly:

    ...
    if(in_array($sendvia, array('pm', 'email'))) {
        $query = $db->query("SELECT uid, username, groupid, email FROM {$tablepre}members WHERE $conditions LIMIT $current, $pertask");
        while($member = $db->fetch_array($query)) {
            $sendvia == 'pm' ? sendpm($member['uid'], $subject, $message, 0) : sendmail("$member[username] <$member[email]>", $subject, $message);
            $continue = TRUE;
        }
    }
    ...

Just modify the corresponding form.

As for an exp, I haven't written one; this is published in the spirit of technical exchange...

Lastly, this vulnerability does not work on 7.0 and earlier versions, and the X1 and later versions seem to be unaffected too; in addition, 7.0, 7.1 and 7.2 have another small vulnerability somewhere, but it has already been fixed in X1. I didn't look closely at X1, but it is already quite secure, though perhaps not absolutely so... digression...

Repair solution:

Upgrade in time.