
PPC has solved the Discuz!7.1 and 7.2 remote execution vulnerability_PHP tutorial

WBOY
Release: 2016-07-21 14:55:16

On the afternoon of January 6th, a vulnerability in Discuz! 7.1 and 7.2, together with related attack methods, was published online. In response, PHPChina urgently contacted the DZ R&D department and patched the PHPChina official forum program in the shortest possible time, so that members can continue to use the PHPChina forum normally and safely. Thank you for your concern and support for PHPChina. We will always adhere to the user-oriented principle and provide you with a safer and more convenient environment for learning and communication. The relevant introduction follows:

First of all, the vulnerability was passed around in the t00ls core group. xhming read it first, and I read it later; what we read was code execution. At around 11 o'clock on the night of January 5, at the request of the core group, xhming gave me a POC and I provided an exp. They had found the same problem. By around 2 o'clock at night I went offline. Only a few people in the t00ls core group knew about the exp I gave out, but I never expected that after half a day the exp would be everywhere, and it was indeed the version I had from yesterday.

It is not difficult to imagine the speed at which an exp spreads. A and B are on good terms, so A sends it to B; B and C are good friends, so B sends it to C... There are always people who can't hold back and leak a few hints, and so everyone ends up with a copy. The most unbearable thing is that some SBs are hawking it in groups; I really don't want to say anything, but when will it be your turn to hawk? People's hearts are not what they once were, so in future, if you have anything, keep it to yourself.

I told Saiy about the vulnerability in the morning, and the official DZ patch will be out soon.

Related reading: Kangsheng Chuangxiang releases Discuz!7.2 patch 20100110

Special note: the $scriptlang array involved in the vulnerability is initialized once a plug-in has been installed, so users who have installed plug-ins are not affected.

Vulnerability introduction:

In Discuz! 7.1 and 7.2, the parameter that the showmessage function passes to eval is not initialized and can be submitted arbitrarily, so any PHP command can be executed.

Vulnerability analysis:

Let's analyze this remote code execution vulnerability. The problem is really serious: it can be used to write a shell directly:

1. The vulnerability comes from the showmessage function:

```php
function showmessage($message, $url_forward = '', $extra = '', $forwardtype = 0) {
    extract($GLOBALS, EXTR_SKIP); // Dangerous usage: uninitialized globals are pulled straight into the function scope, which is the root of the problem (from www.oldjun.com)
    global $hookscriptmessage, $extrahead, $discuz_uid, $discuz_action, $debuginfo, $seccode, $seccodestatus, $fid, $tid, $charset, $show_message, $inajax, $_DCACHE, $advlist;
    define('CACHE_FORBIDDEN', TRUE);
    $hookscriptmessage = $show_message = $message;
    $messagehandle = 0;
    $msgforward = unserialize($_DCACHE['settings']['msgforward']);
    $refreshtime = intval($msgforward['refreshtime']);
    $refreshtime = empty($forwardtype) ? $refreshtime : ($refreshtime ? $refreshtime : 3);
    $msgforward['refreshtime'] = $refreshtime * 1000;
    $url_forward = empty($url_forward) ? '' : (empty($_DCOOKIE['sid']) && $transsidstatus ? transsid($url_forward) : $url_forward);
    $seccodecheck = $seccodestatus & 2;
    if($_DCACHE['settings']['funcsiteid'] && $_DCACHE['settings']['funckey'] && $funcstatinfo && !IS_ROBOT) {
        $statlogfile = DISCUZ_ROOT.'./forumdata/funcstat.log';
        if($fp = @fopen($statlogfile, 'a')) {
            @flock($fp, 2);
            if(is_array($funcstatinfo)) {
                $funcstatinfo = array_unique($funcstatinfo);
                foreach($funcstatinfo as $funcinfo) {
                    fwrite($fp, funcstat_query($funcinfo, $message)."\n");
                }
            } else {
                fwrite($fp, funcstat_query($funcstatinfo, $message)."\n");
            }
            fclose($fp);
            $funcstatinfo = $GLOBALS['funcstatinfo'] = '';
        }
    }

    if(!defined('STAT_DISABLED') && STAT_ID > 0 && !IS_ROBOT) {
        write_statlog($message);
    }

    if($url_forward && (!empty($quickforward) || empty($inajax) && $msgforward['quick'] && $msgforward['messages'] && @in_array($message, $msgforward['messages']))) {
        updatesession();
        dheader("location: ".str_replace('&amp;', '&', $url_forward));
    }
    if(!empty($infloat)) {
        if($extra) {
            $messagehandle = $extra;
        }
        $extra = '';
    }
    if(in_array($extra, array('HALTED', 'NOPERM'))) {
        $discuz_action = 254;
    } else {
        $discuz_action = 255;
    }

    include language('messages');

    $vars = explode(':', $message); // The message is simply split on ':'
    if(count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) { // Two parts separated by ':' are enough
        eval("\$show_message = \"".str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]])."\";"); // $scriptlang is never initialized here, so its contents can be supplied from outside (from www.oldjun.com)
    } elseif(isset($language[$message])) {
        $pre = $inajax ? 'ajax_' : '';
        eval("\$show_message = \"".(isset($language[$pre.$message]) ? $language[$pre.$message] : $language[$message])."\";");
        unset($pre);
    }

    ......
}
```
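The following is an added illustration, not Discuz! code or the original author's: a stripped-down showmessage() in the vulnerable shape (extract($GLOBALS) plus eval on an entry of a $scriptlang it never initialized) next to a hardened variant that owns $scriptlang, fills it only from the language file it is handed, and expands a fixed placeholder set without eval. The globals, language array and function names are constructed for the demo.

```php
<?php
// Added illustration (not Discuz! code). Vulnerable shape: extract($GLOBALS)
// imports every global, including a $scriptlang the application never set,
// and the selected entry is then interpolated inside eval().
function showmessage_vulnerable($message) {
    extract($GLOBALS, EXTR_SKIP);
    $vars = explode(':', $message);
    if (count($vars) == 2 && isset($scriptlang[$vars[0]][$vars[1]])) {
        eval("\$show_message = \"" . str_replace('"', '\"', $scriptlang[$vars[0]][$vars[1]]) . "\";");
        return $show_message;
    }
    return $message;
}

// Hardened shape: the function owns $scriptlang, filling it only from the
// trusted language file it was handed, and expands a fixed placeholder set
// with str_replace instead of evaluating the template as PHP.
function showmessage_hardened($message, array $scriptlang_from_file, array $vars_allowed) {
    $scriptlang = array();                  // explicit init: nothing inherited from $GLOBALS
    foreach ($scriptlang_from_file as $plugin => $msgs) {
        if (is_array($msgs)) {
            $scriptlang[$plugin] = $msgs;
        }
    }
    $vars = explode(':', $message);
    if (count($vars) != 2 || !isset($scriptlang[$vars[0]][$vars[1]])) {
        return htmlspecialchars($message);  // unknown key: echo the message text, never code
    }
    $template = $scriptlang[$vars[0]][$vars[1]];
    $search = array();
    $replace = array();
    foreach ($vars_allowed as $name => $value) {
        $search[] = '{' . $name . '}';
        $replace[] = htmlspecialchars($value);
    }
    return str_replace($search, $replace, $template);
}

// Constructed scenario: a global named $scriptlang that the application itself
// never initialized (the page notes it stays unset unless a plug-in is installed).
$GLOBALS['scriptlang'] = array('x' => array('y' => 'text the application never defined'));
$language_file = array('myplugin' => array('saved' => 'Saved to {bbname}'));

echo showmessage_vulnerable('x:y'), "\n";
echo showmessage_hardened('x:y', $language_file, array('bbname' => 'Demo Forum')), "\n";
echo showmessage_hardened('myplugin:saved', $language_file, array('bbname' => 'Demo Forum')), "\n";
```

The vulnerable function returns whatever the stray global held, while the hardened one ignores it and only renders entries that came from the language file.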


source:php.cn