Discuz 5.x/6.x/7.x SQL Injection Analysis
It seems someone has already disclosed this vulnerability; it should be the one in editpost.inc.php. Because Discuz (dz) has confirmed that it will not fix vulnerabilities in versions earlier than 7.x, the details are posted here directly.
The problem is in editpost.inc.php: the polloption array submitted by the user is interpolated directly into an SQL statement. By default Discuz's input filter only escapes the array values, not the array keys, so an attacker-controlled key reaches the DELETE query unescaped and yields an SQL injection.
    $pollarray['options'] = $polloption;
    if($pollarray['options']) {
        if(count($pollarray['options']) > $maxpolloptions) {
            showmessage('post_poll_option_toomany');
        }
        foreach($pollarray['options'] as $key => $value) {
            // $key comes straight from the user-submitted polloption array and is not filtered
            if(!trim($value)) {
                $db->query("DELETE FROM {$tablepre}polloptions WHERE polloptionid='$key' AND tid='$tid'");
                unset($pollarray['options'][$key]);
            }
        }
    }
Exploitation:
With a registered account, publish a poll post and click "Edit", as shown in the figure:
Then intercept the request with Burp, click "Edit Post", and replace the key of the polloption array with the injection statement:
Because the code only runs the DELETE when trim($value) is empty, the value of the option being edited (the "Fan Bingbing" option in the screenshot) must be submitted blank so that the injected key reaches the query.
The returned result shows the injection succeeded:
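To make both the vulnerable loop and the edit-request exploit concrete, here is an added Python model written for this analysis; it is not Discuz code. SQLite stands in for MySQL, the table prefix cdb_ and the sample poll rows are constructed, escape_values_only() is an assumed simplification of Discuz's value-only input filter, and php_intval() approximates PHP's intval(). It shows a legitimate edit, the same request with SQL smuggled into the array key (value left blank so the DELETE branch runs) wiping options that belong to another thread, and a hardened version that casts the key and binds both parameters.

```python
import re
import sqlite3

# Assumed table prefix; Discuz's $tablepre is configurable.
TABLEPRE = "cdb_"

# Constructed sample poll options for two threads (tid 100 and tid 200).
SAMPLE_OPTIONS = [
    (1, 100, "Fan Bingbing"),
    (2, 100, "Option B"),
    (3, 200, "Unrelated thread, option 1"),
    (4, 200, "Unrelated thread, option 2"),
]


def new_db():
    """Fresh in-memory database seeded with the sample polloptions rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLEPRE}polloptions "
        "(polloptionid INTEGER, tid INTEGER, polloption TEXT)"
    )
    conn.executemany(
        f"INSERT INTO {TABLEPRE}polloptions VALUES (?, ?, ?)", SAMPLE_OPTIONS
    )
    return conn


def escape_values_only(options):
    """Assumed model of Discuz's global input filter (daddslashes-style):
    quotes in array VALUES are escaped, array KEYS are returned untouched."""
    return {key: value.replace("'", "\\'") for key, value in options.items()}


def vulnerable_delete_empty_options(conn, tid, polloption):
    """Mirrors the editpost.inc.php loop: the raw $key is interpolated into the DELETE."""
    pollarray = escape_values_only(polloption)
    queries = []
    for key, value in pollarray.items():
        if not value.strip():  # only an emptied option reaches the DELETE
            sql = (f"DELETE FROM {TABLEPRE}polloptions "
                   f"WHERE polloptionid='{key}' AND tid='{tid}'")
            queries.append(sql)
            conn.execute(sql)
    conn.commit()
    return queries


def php_intval(s):
    """Approximation of PHP intval(): leading integer, otherwise 0."""
    m = re.match(r"\s*([+-]?\d+)", str(s))
    return int(m.group(1)) if m else 0


def fixed_delete_empty_options(conn, tid, polloption):
    """Hardened form: cast the key to an integer and bind both parameters."""
    for key, value in polloption.items():
        if not value.strip():
            conn.execute(
                f"DELETE FROM {TABLEPRE}polloptions WHERE polloptionid=? AND tid=?",
                (php_intval(key), php_intval(tid)),
            )
    conn.commit()


def remaining_rows(conn):
    return conn.execute(f"SELECT COUNT(*) FROM {TABLEPRE}polloptions").fetchone()[0]


def demo():
    """Run the three scenarios and return how many poll options survive each."""
    results = {}

    # Legitimate edit of thread 100: option 1 cleared, option 2 kept.
    conn = new_db()
    vulnerable_delete_empty_options(conn, 100, {"1": "", "2": "Option B"})
    results["legit"] = remaining_rows(conn)

    # Attacker edits thread 100 but puts SQL in the array key. The value stays
    # blank so trim($value) is false and the DELETE runs; the comment marker
    # discards the tid check, so options of other threads are deleted too.
    conn = new_db()
    vulnerable_delete_empty_options(conn, 100, {"1' OR 1=1 -- ": ""})
    results["injected"] = remaining_rows(conn)

    # Same payload against the hardened version only removes option 1 of tid 100.
    conn = new_db()
    fixed_delete_empty_options(conn, 100, {"1' OR 1=1 -- ": ""})
    results["fixed"] = remaining_rows(conn)
    return results


if __name__ == "__main__":
    print(demo())
```

The MySQL-specific part of the real exploit (whatever error or result the forum echoes back) is not modelled here; the point is that the value-only filter leaves the key unescaped, and that casting the key with intval() or binding it as a parameter closes the hole.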