Discuz! NT 2.x – 3.5.2 user control poster SQL injection vulnerability

2011-06-18T00:00:00
ID MYHACK58:62201130921
Type myhack58
Reporter Anonymous
Modified 2011-06-18T00:00:00

Description

SQL injection vulnerability in the poster parameter of the ajaxtopicinfo.ascx user control

Combined with the ajax.aspx vulnerability that allows calling any user control

In the file admin/UserControls/ajaxtopicinfo.ascx, go to the function GetCondition (WebsiteManage.cs), line 62:

    if (posterlist != "")
    {
        string[] poster = posterlist.Split(',');
        condition += " AND [poster] in (";
        string tempposerlist = "";
        foreach (string p in poster)
        {
            // each name is wrapped in single quotes and concatenated unescaped
            tempposerlist += "'" + p + "',";
        }
        if (tempposerlist != "")
            tempposerlist = tempposerlist.Substring(0, tempposerlist.Length - 1);
        condition += tempposerlist + ")";
    }

The posterlist variable is concatenated into the SQL query without any filtering, resulting in SQL injection.

Test method:

http://localhost:25594/admin/ajax.aspx?AjaxTemplate=ajaxtopicinfo.ascx&poster=1')

Error: unclosed quotation mark after the string ') AND [tid]>=1 AND [tid]<=1'.

The error message is hidden, but the SQL statement is still executed.
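
A parameterized form of the poster filter from GetCondition above, as an added example (not code from Discuz! NT or from the original advisory): each name is bound as an ADO.NET parameter instead of being quoted into the condition. The class and method names are hypothetical; it assumes the caller passes the same command object that later runs the query, and Main assumes .NET Framework's System.Data.SqlClient.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

// Added example; PosterFilter and Build are hypothetical names.
static class PosterFilter
{
    // Replaces the poster branch of GetCondition: the condition text
    // contains only placeholders, and the names travel as parameters.
    public static string Build(IDbCommand cmd, string posterlist)
    {
        if (string.IsNullOrEmpty(posterlist))
            return "";

        var placeholders = new StringBuilder();
        int i = 0;
        foreach (string name in posterlist.Split(','))
        {
            IDbDataParameter p = cmd.CreateParameter();
            p.ParameterName = "@poster" + i++;
            p.DbType = DbType.String;
            p.Value = name;             // sent as data, never parsed as SQL
            cmd.Parameters.Add(p);

            if (placeholders.Length > 0)
                placeholders.Append(',');
            placeholders.Append(p.ParameterName);
        }
        return " AND [poster] in (" + placeholders + ")";
    }

    static void Main()
    {
        // Constructed input: an ordinary name plus the test value from the page.
        using (var cmd = new SqlCommand())
        {
            Console.WriteLine(Build(cmd, "admin,1')"));
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);
        }
    }
}
```

With this form the quote and parenthesis in the test value stay inside a parameter value, so the condition text is the same for every input of the same length.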