Discuz! NT 2.x - 3.5.2 SQL Injection (0day) - vulnerability warning - the black bar safety net

2011-06-24T00:00:00
ID MYHACK58:62201131016
Type myhack58
Reporter Anonymous
Modified 2011-06-24T00:00:00

Description

Vulnerability type: SQL injection

Vulnerability description: Discuz! NT is a powerful community software package for the ASP.NET platform, developed by Comsenz.

Vulnerability analysis: the ajaxtopicinfo.ascx user control has a SQL injection vulnerability in its poster parameter,

combined with the ajax.aspx vulnerability that allows any user control to be called.

In the file admin/UserControls/ajaxtopicinfo.ascx, function GetCondition (WebsiteManage.cs), line 62:

    if (posterlist != "")
    {
        string[] poster = posterlist.Split(',');
        condition += " AND [poster] in (";
        string tempposerlist = "";
        foreach (string p in poster)
        {
            tempposerlist += "'" + p + "',";
        }
        if (tempposerlist != "")
            tempposerlist = tempposerlist.Substring(0, tempposerlist.Length - 1);
        condition += tempposerlist + ")";
    }

The posterlist variable is inserted into the SQL query without any filtering, resulting in SQL injection.

Test method:

http://localhost:25594/admin/ajax.aspx?AjaxTemplate=ajaxtopicinfo.ascx&poster=1')

The resulting string ') AND [tid]>=1 AND [tid]<=1' is left with an unbalanced quotation mark after the injected quote.

Although the error message is hidden, the SQL statement is still executed.
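As an added example (not Discuz! NT's own code), the advisory's concatenation is placed beside a parameterized rewrite of the same IN-list construction; the method names, the @posterN parameter naming and the NVarChar(50) column size are assumptions, not taken from the product.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class PosterCondition
{
    // Mirrors the advisory's GetCondition logic: posterlist goes straight into the
    // SQL text, so a value such as 1') leaves an unbalanced quote in the IN list.
    public static string BuildPosterConditionUnsafe(string posterlist)
    {
        string condition = "";
        if (posterlist != "")
        {
            string[] poster = posterlist.Split(',');
            condition += " AND [poster] in (";
            string tempposerlist = "";
            foreach (string p in poster)
                tempposerlist += "'" + p + "',";
            if (tempposerlist != "")
                tempposerlist = tempposerlist.Substring(0, tempposerlist.Length - 1);
            condition += tempposerlist + ")";
        }
        return condition;
    }

    // Hardened form (assumed names): each poster becomes a bound parameter
    // @poster0, @poster1, ... so quotes in the input stay data, never SQL syntax.
    public static string BuildPosterConditionSafe(string posterlist, SqlCommand cmd)
    {
        if (string.IsNullOrEmpty(posterlist))
            return "";
        var names = new List<string>();
        foreach (string p in posterlist.Split(','))
        {
            string trimmed = p.Trim();
            if (trimmed.Length == 0) continue;          // skip holes such as "a,,b"
            string name = "@poster" + names.Count;
            // Column size is an assumption; match the real [poster] column type.
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 50).Value = trimmed;
            names.Add(name);
        }
        if (names.Count == 0)
            return "";
        return " AND [poster] in (" + string.Join(", ", names.ToArray()) + ")";
    }
}
```

The safe variant returns only the SQL fragment with placeholders; the poster values travel in cmd.Parameters, so the same 1') input becomes a literal search value instead of breaking the statement.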