discuz! 6. x / 7. x global variable defense bypass causes command execution

Posted by lipsius at 2020-03-20

Vulnerability overview:

Because the default value of request [order] in php.ini in php5.3. X is GP, the global variable defense bypass vulnerability in Discuz! 6. X / 7. X is caused.

Vulnerability analysis:

In the code include / global.func.php:

In include /

When GPC is off, addslashes() function will be called to process variable value in code simulating register_globals function. However, if variables such as $_get / $_post / $_cookieare directly used, this will not work. However, there are few places where $_get / $_post / $cookie is directly used in DZ source code, and there are even fewer vulnerabilities(

However, there are other bypass methods. You can bypass the above code by submitting globals variables under register_globals = on. To prevent this, the following code is in DZ:

Is it impossible to submit globals variables?

The value of the super global variable $'u request is affected by the request'order in php.ini. In the latest php5.3. X series, the default value of request'u order is GP, which means that $'u request only contains $'Get and $'u post, not $'u cookie. Then we can submit the globals variable through cookie:)

Loophole utilization


Note: $message = preg_replace ($globals ['\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Globals [﹣ DCache] [smiles] [searcharray] = /. / EUI ; globals [﹣ DCache] [smiles] [replacearray] = phpinfo() ; can execute phpinfo. Globals [﹣ DCache] [smiles] [searcharray] = /. / EUI ; globals [﹣ DCache] [smiles] [replacearray] = Eval ($﹣ post [C])% 3b ; is a one sentence Trojan horse.

After that, the door loopholes are very hidden and not easy to find.

Utilization conditions:

1.discuz 6.x / 7.x

2. The default value of request order is GP

Exp of K8 Throwing Knife:

Reference address:

Discuz! Command execution of two versions of foreground products (no login required)

Author: SP editor

This article is published by the author of security pulse column. Please note: