Author: Jannock
Affected Version: Discuz! NT 2.x-3.5.2
http://www.discuz.net
Vulnerability Type: SQL Injection
Vulnerability Description: Discuz! NT is a powerful community software under Comsenz. It is based on the ASP.NET platform.
Vulnerability Analysis: ajaxtopicinfo.ascx poster SQL Injection Vulnerability
Combined with the arbitrary user control loading issue in ajax.aspx (the AjaxTemplate parameter selects which .ascx control is loaded), this control can be reached through ajax.aspx.
In the file admin/UserControls/ajaxtopicinfo.ascx, go to the GetCondition function (WebsiteManage.cs), around line 62:

    if (posterlist != "")
    {
        // posterlist comes straight from the request and is split on commas
        string[] poster = posterlist.Split(',');
        condition += " AND [poster] in (";
        string tempposerlist = "";
        foreach (string p in poster)
        {
            // each value is concatenated into the IN list as-is
            tempposerlist += "" + p + ",";
        }
        if (tempposerlist != "")
            // drop the trailing comma
            tempposerlist = tempposerlist.Substring(0, tempposerlist.Length - 1);
        condition += tempposerlist + ")";
    }
The posterlist variable is not filtered or parameterized before it is concatenated into the SQL statement, resulting in SQL injection.
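The following is an added example, not code from Discuz! NT or the advisory author. It places the concatenating pattern from GetCondition beside a parameterized version that builds the same IN clause with one SqlParameter per value (System.Data.SqlClient). The table name dnt_topics, the NVarChar(50) width of the [poster] column, and the cap of 50 values are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (not Discuz! NT code). Column names follow the advisory;
// the table name, column width and MaxPosters cap are assumptions.
public static class PosterCondition
{
    // Vulnerable pattern: every poster value is spliced into the SQL text,
    // so a value containing ')' or other SQL changes the statement.
    public static string BuildUnsafe(string posterlist)
    {
        string condition = "";
        if (posterlist != "")
        {
            string[] poster = posterlist.Split(',');
            condition += " AND [poster] in (";
            string tempposerlist = "";
            foreach (string p in poster)
            {
                tempposerlist += "" + p + ",";
            }
            if (tempposerlist != "")
                tempposerlist = tempposerlist.Substring(0, tempposerlist.Length - 1);
            condition += tempposerlist + ")";
        }
        return condition;
    }

    // Upper bound on the number of IN values, so a request cannot produce
    // an arbitrarily large parameter list (assumed limit).
    public const int MaxPosters = 50;

    // Hardened version: the SQL text only ever contains parameter names;
    // each value travels as a typed SqlParameter and is never part of the query text.
    public static string BuildSafe(string posterlist, SqlCommand cmd)
    {
        if (string.IsNullOrEmpty(posterlist))
            return "";
        string[] posters = posterlist.Split(',');
        if (posters.Length > MaxPosters)
            throw new ArgumentException("too many poster values");
        var names = new List<string>(posters.Length);
        for (int i = 0; i < posters.Length; i++)
        {
            string name = "@poster" + i;
            names.Add(name);
            // NVarChar(50) is an assumed width for the [poster] column
            cmd.Parameters.Add(name, SqlDbType.NVarChar, 50).Value = posters[i].Trim();
        }
        return " AND [poster] in (" + string.Join(",", names) + ")";
    }

    public static void Main()
    {
        // Constructed input: a poster value carrying a closing parenthesis,
        // the same shape as the advisory's test value.
        string untrusted = "admin,1) OR 1=1 --";
        string baseSql = "SELECT [tid] FROM [dnt_topics] WHERE 1=1"; // assumed table name

        Console.WriteLine("unsafe: " + baseSql + BuildUnsafe(untrusted));

        using (var cmd = new SqlCommand())
        {
            cmd.CommandText = baseSql + BuildSafe(untrusted, cmd);
            Console.WriteLine("safe:   " + cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("  " + p.ParameterName + " = " + p.Value);
        }
    }
}
```

Running Main shows the difference directly: the unsafe query text contains the injected fragment after the closing parenthesis, while the parameterized query text contains only @poster0 and @poster1, with the suspicious value confined to a parameter where SQL Server treats it as data. The same rewrite applies to any other filter in GetCondition that is assembled by concatenation.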
Test method:
http://www.bkjia.com/admin/ajax.aspx?AjaxTemplate=ajaxtopicinfo.ascx&poster=1)
String) AND [tid] >= 1 AND [tid] <= 1.
The error message is hidden, but the SQL statement is executed.
Official patch:
http://nt.discuz.net/showtopic-135589.html