Discuz! moderation.inc.php 数据库'注射' bug
由于Discuz!d的include/moderation.inc.php存在一个'二次攻击'导致数据库'注射'的bug<BR>author: 80vul-B<BR>一 分析<BR><BR>在文件include/moderation.inc.php里代码:<DIV class=code>$threadlist = $loglist = array();<BR>if($tids = implodeids($moderate)) {<BR>$query = $db->query("SELECT * FROM {$tablepre}threads WHERE tid IN ($tids) AND fid='$fid' AND displayorder>='0' AND digest>='0' LIMIT $tpp");<BR>while($thread = $db->fetch_array($query)) {<BR>...<BR>$threadlist[$thread['tid']] = $thread;<BR>...<BR>foreach($threadlist as $tid => $thread) {<BR>...<BR>if($type == 'redirect') {<BR>$db->query("INSERT INTO {$tablepre}threads (fid, readperm, iconid, author, authorid, subject, dateline, lastpost, lastposter, views, replies, displayorder, digest, closed, special, attachment)<BR>VALUES ('$thread', '$thread', '$thread', '".addslashes($thread['author'])."', '$thread', '".addslashes($thread['subject'])."', '$thread', '$thread', '$thread', '0', '0', '0', '0', '$thread', '0', '0')");</DIV>
<P><BR>这个比较明显,从数据库查询出的值$thread直接带入了insert语句中,导致了注射:)<BR>这个看上去比上面的那个用处大些,其实有很多的限制.首先$thread是从数据库中查询出来的值,有字数限制[不能大于15个字符];其次,这个地方需要版主权限才能操作.<BR><BR>二 利用<BR><BR>注册新用户,用户名为80vul',发表新回复,然后用拥有版主权限的账号将此帖转移,移动方式选为[移动主题并在原来的版块中保留转向],和上面的效果一样,执行时数据库报错了:)<BR><BR>三 补丁<BR>等待官方补丁.</P>
re:Discuz! moderation.inc.php 数据库'注射' bug
<P>哈哈哈哈,红基是才换没几个月时间的,哈哈哈哈</P><P>你这我是才来的.我当然不知道啦,不好意思.</P>
页:
[1]