Discuz! NT 2.*-3.5.2 SQL injection vulnerability (0day) - vulnerability warning - MyHack58 (黑吧安全网)

2011-04-29T00:00:00
ID MYHACK58:62201130251
Type myhack58
Reporter Anonymous
Modified 2011-04-29T00:00:00

Description


Vulnerability description: Discuz! NT is a full-featured community (forum) platform built on ASP.NET by Comsenz (康盛创想). The ajaxtopicinfo.ascx user control has a SQL injection vulnerability in its poster parameter. It can be combined with the ajax.aspx vulnerability that allows any user control to be invoked.

Vulnerability file: admin/UserControls/ajaxtopicinfo.ascx

File code: the posterlist variable is concatenated into the SQL query without any filtering, which results in SQL injection.

Function GetCondition (WebsiteManage.cs), around line 62:

    if (posterlist != "")
    {
        // posterlist comes straight from the request's poster parameter
        string[] poster = posterlist.Split(',');
        condition += " AND [poster] in (";
        string tempposerlist = "";
        foreach (string p in poster)
        {
            // each value is wrapped in single quotes but never escaped or parameterized
            tempposerlist += "'" + p + "',";
        }
        if (tempposerlist != "")
            tempposerlist = tempposerlist.Substring(0, tempposerlist.Length - 1); // drop trailing comma
        condition += tempposerlist + ")";
    }

Vulnerability test:

http://localhost:25594/admin/ajax.aspx?AjaxTemplate=ajaxtopicinfo.ascx&poster=1'

With poster=1', the generated condition reads [poster] in ('1'') AND [tid]>=1 AND [tid]<=1: the injected quote leaves the rest of the clause (') AND [tid]>=1 AND [tid]<=1) as an unterminated string. The database error message is hidden from the user, but the SQL statement is still sent to the database and executed.
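The vulnerable concatenation from GetCondition beside a parameterized replacement, as an added example that is not Discuz! NT's own code. It assumes the System.Data.SqlClient ADO.NET provider (Discuz! NT runs on SQL Server); the method names BuildUnsafe and BuildSafe are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

static class PosterCondition
{
    // Vulnerable shape (same logic as the page's GetCondition): every
    // comma-separated value from the request is spliced into the SQL text
    // between single quotes, so a quote in the input becomes SQL syntax.
    public static string BuildUnsafe(string posterlist)
    {
        if (string.IsNullOrEmpty(posterlist)) return "";
        var quoted = new List<string>();
        foreach (string p in posterlist.Split(','))
            quoted.Add("'" + p + "'");
        return " AND [poster] in (" + string.Join(",", quoted) + ")";
    }

    // Hardened shape: the SQL text contains only parameter placeholders;
    // each poster name travels as a typed parameter value attached to the
    // command, so quotes in the input stay data and never reach the parser.
    public static string BuildSafe(string posterlist, SqlCommand cmd)
    {
        if (string.IsNullOrEmpty(posterlist)) return "";
        var placeholders = new List<string>();
        string[] posters = posterlist.Split(',');
        for (int i = 0; i < posters.Length; i++)
        {
            string name = "@poster" + i;
            placeholders.Add(name);
            cmd.Parameters.AddWithValue(name, posters[i].Trim());
        }
        return " AND [poster] in (" + string.Join(",", placeholders) + ")";
    }

    static void Main()
    {
        // Constructed input mirroring the page's test value: it carries a quote.
        string input = "1'";
        Console.WriteLine("unsafe: " + BuildUnsafe(input));
        using (var cmd = new SqlCommand())
        {
            Console.WriteLine("safe:   " + BuildSafe(input, cmd));
            Console.WriteLine("@poster0 value: " + cmd.Parameters["@poster0"].Value);
        }
    }
}
```

The unsafe fragment ends in ('1'') and breaks the query, while the safe fragment is always [poster] in (@poster0,...) regardless of what the values contain.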

Vulnerability fix: official patch <http://nt.discuz.net/showtopic-135589.html>