6 matches found
DiscuzX1.5+ item points-farming vulnerability - Vulnerability warning - Black Bar Safety Net
If the user group has the "item purchase discount" option set, the purchase price is the discounted price while the selling price is the undiscounted price. That is, items are bought at a discount and sold at the original price. Buy: $magic['discountprice'] = $_G['group']['magicsdiscount'] ? intval($magic['pric...
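DiscuzX1.5+ item points-farming vulnerability
Brief description: If the user group has the "item purchase discount" option set, the purchase price is the discounted price while the selling price is the undiscounted price. That is, items are bought at a discount and sold at the original price. Details: Proof of vulnerability: Buy: $magic['discountprice'] = $_G['group']['magicsdiscount'] ? intval($magic['price'] * $_G['group']['magicsdiscount'] / 10) : intval($magic['price']); $totalprice = $magic['discountprice'] * $magicnum; Sell: $discountprice =...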
DiscuzX1.5 portal management privilege SQL injection vulnerability
source\include\portalcp\portalcparticle.php // line 90 if($_G['gpconver']) { $converfiles = unserialize(stripcslashes($_G['gpconver'])); $setarr['pic'] = $converfiles['pic']; $setarr['thumb'] = $converfiles['thumb']; $setarr['remote'] = $converfiles['remote']; } As can be seen, the variable $converfiles is not passed through addcslashes. $aid =...
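DiscuzX1.5 portal management privilege SQL injection vulnerability
Brief description: DiscuzX1.5 portal management privilege SQL injection vulnerability Details: DiscuzX1.5 portal management privilege SQL injection vulnerability Details: source\include\portalcp\portalcparticle.php // line 90 if($_G['gpconver']) { $converfiles = unserialize(stripcslashes($_G['gpconver'])); $setarr['pic'] = $converfiles['pic']; $setarr['thumb'] = $converfiles['thumb']; $setarr['remote'] = $converfiles['remote'];...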
DiscuzX1.5 SQL injection bug requiring privileges
Brief description: DiscuzX1.5 SQL injection bug requiring privileges Details: source\include\portalcp\portalcparticle.php // line 90 if($_G['gpconver']) { $converfiles = unserialize(stripcslashes($_G['gpconver'])); $setarr['pic'] = $converfiles['pic']; $setarr['thumb'] = $converfiles['thumb']; $setarr['remote'] = $converfiles['remote']; } As can be seen, the variable $converfiles has no...
DISCUZX1.5 local file inclusion vulnerability
Brief description: DISCUZX1.5 local file inclusion Details: DISCUZX1.5 local file inclusion, which of course is conditional: files must be used as the cache. configglobal.php $config['cache']['type'] = 'file'; function cachedata($cachenames) { ...... $isfilecache = getglobal('config/cache/type') == 'file'; ...... if($isfilecache) { $lostcaches = array(); foreach($cachenames as $cachename...