Discuz! 6.x/7.x global variable defense bypass leading to command execution - vulnerability warning - the black bar safety net

2014-11-27T00:00:00
ID MYHACK58:62201456293
Type myhack58
Reporter 佚名 (Anonymous)
Modified 2014-11-27T00:00:00

Description

Vulnerability overview:

Because the default value of the php.ini setting request_order in PHP 5.3.x is GP, Discuz! 6.x/7.x has a global variable defense bypass vulnerability.

Vulnerability analysis:


include/global.func.php code:

    function daddslashes($string, $force = 0) {
        !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
        if(!MAGIC_QUOTES_GPC || $force) {
            if(is_array($string)) {
                foreach($string as $key => $val) {
                    $string[$key] = daddslashes($val, $force);
                }
            } else {
                $string = addslashes($string);
            }
        }
        return $string;
    }

include/common.inc.php:

    foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach($$_request as $_key => $_value) {
            $_key{0} != '_' && $$_key = daddslashes($_value);
        }
    }

This code simulates the register_globals feature: when magic_quotes_gpc is off, it calls addslashes() on every variable value. Reading $_GET/$_POST/$_COOKIE directly would not be affected by this processing, but the Discuz! source rarely uses $_GET/$_POST/$_COOKIE directly, and the places where that leads to a vulnerability are even fewer :(

However, there is another bypass: with register_globals=on, submitting a GLOBALS variable can bypass the code above. To prevent this, Discuz! has the following code:


    if (isset($_REQUEST['GLOBALS']) OR isset($_FILES['GLOBALS'])) {
        exit('Request tainting attempted.');
    }

So GLOBALS variables cannot be submitted at all?

The contents of the $_REQUEST superglobal are governed by the php.ini setting request_order. In the latest PHP 5.3.x series the default value of request_order is GP, so in the default configuration $_REQUEST contains only $_GET and $_POST, not $_COOKIE. The GLOBALS variable can therefore be submitted through a COOKIE :)
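The check above next to a version that does not depend on request_order, as an added PHP example (not Discuz! code). build_request() reproduces how PHP fills $_REQUEST from a request_order string; tainted_hardened() is a suggested replacement that assumes all four input arrays are passed to it explicitly.

```php
<?php
// Added example, not Discuz! code. Inputs are passed in as plain arrays so
// the two checks can be exercised with constructed data instead of live
// superglobals.

// Rebuild what $_REQUEST would contain for a request_order string such as
// "GP" or "GPC"; later sources overwrite earlier ones, as PHP does.
function build_request($order, array $get, array $post, array $cookie) {
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// The check quoted in the advisory: only $_REQUEST and $_FILES are inspected,
// so its result depends on which sources request_order merged into $_REQUEST.
function tainted_original(array $request, array $files) {
    return isset($request['GLOBALS']) || isset($files['GLOBALS']);
}

// Hardened check: look at every input source directly, so a GLOBALS key that
// arrives only in a cookie is caught even when request_order omits C.
function tainted_hardened(array $get, array $post, array $cookie, array $files) {
    foreach ([$get, $post, $cookie, $files] as $source) {
        if (isset($source['GLOBALS'])) {
            return true;
        }
    }
    return false;
}

// Constructed request: the GLOBALS key is present only in the cookie.
$get    = ['tid' => '1'];
$post   = [];
$cookie = ['GLOBALS' => ['x' => 'y']];
$files  = [];

// request_order = "GP" (the PHP 5.3 default described in the advisory):
// the original check does not see the cookie, the hardened one does.
$request = build_request('GP', $get, $post, $cookie);
var_dump(tainted_original($request, $files));
var_dump(tainted_hardened($get, $post, $cookie, $files));

// With request_order = "GPC" the original check catches the same cookie,
// which is exactly the configuration dependence the hardened check removes.
var_dump(tainted_original(build_request('GPC', $get, $post, $cookie), $files));
```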


Exploit

include/discuzcode.func.php


    function discuzcode($message, $smileyoff, $bbcodeoff, $htmlon = 0, $allowsmilies = 1, $allowbbcode = 1, $allowimgcode = 1, $allowhtml = 0, $jammer = 0, $parsetype = '0', $authorid = '0', $allowmediacode = '0', $pid = 0) {
        global $discuzcodes, $credits, $tid, $discuz_uid, $highlight, $maxsmilies, $db, $tablepre, $hideattach, $allowattachurl;

        if($parsetype != 1 && !$bbcodeoff && $allowbbcode && (strpos($message, '[/code]') || strpos($message, '[/CODE]')) !== FALSE) {
            $message = preg_replace("/\s?\[code\](.+?)\[\/code\]\s?/ies", "codedisp('\\1')", $message);
        }

        $msglower = strtolower($message);

        //$htmlon = $htmlon && $allowhtml ? 1 : 0;
        if(!$htmlon) {
            $message = $jammer ? preg_replace("/\r\n|\n|\r/e", "jammer()", dhtmlspecialchars($message)) : dhtmlspecialchars($message);
        }

        if(!$smileyoff && $allowsmilies && !empty($GLOBALS['_DCACHE']['smilies']) && is_array($GLOBALS['_DCACHE']['smilies'])) {
            if(!$discuzcodes['smiliesreplaced']) {
                foreach($GLOBALS['_DCACHE']['smilies']['replacearray'] AS $key => $smiley) {
                    $GLOBALS['_DCACHE']['smilies']['replacearray'][$key] = '<img src="images/smilies/'.$GLOBALS['_DCACHE']['smileytypes'][$GLOBALS['_DCACHE']['smilies']['typearray'][$key]]['directory'].'/'.$smiley.'" smilieid="'.$key.'" border="0" alt="" />';
                }
                $discuzcodes['smiliesreplaced'] = 1;
            }
            $message = preg_replace($GLOBALS['_DCACHE']['smilies']['searcharray'], $GLOBALS['_DCACHE']['smilies']['replacearray'], $message, $maxsmilies);
        }
        // the function continues beyond the portion quoted in the advisory
