Discuz某版本SQL注射漏洞

只测试了6.x

貌似7.x就修复了
my.php (600) :
[php]
} elseif($item == 'buddylist') {
if(!submitcheck('buddysubmit', 1)) {
$buddylist = array();
$query = $db->query("SELECT b.*, m.username FROM {$tablepre}buddys b, {$tablepre}members m
WHERE b.uid='$discuz_uid' AND m.uid=b.buddyid ORDER BY dateline DESC");
while($buddy = $db->fetch_array($query)) {
$buddy['dateline'] = gmdate("$dateformat $timeformat", $buddy['dateline'] + $timeoffset * 3600);
$buddylist[] = $buddy;
}
} else {
$buddyarray = array();
$query = $db->query("SELECT * FROM {$tablepre}buddys WHERE uid='$discuz_uid'");
while($buddy = $db->fetch_array($query)) {
$buddyarray[$buddy['buddyid']] = $buddy;
}
if(!empty($delete) && is_array($delete)) {
$db->query("DELETE FROM {$tablepre}buddys WHERE uid='$discuz_uid' AND buddyid IN ('".implode('\',\'', $delete)."')");
}
if(is_array($descriptionnew)) {
foreach($descriptionnew as $buddyid => $desc) { //无过滤
if(($desc = cutstr(dhtmlspecialchars($desc), 255)) != addslashes($buddyarray[$buddyid]['description'])) {
$db->query("UPDATE {$tablepre}buddys SET description='$desc' WHERE uid='$discuz_uid' AND buddyid='$buddyid'"); //数组key值$buddyid直接带入
}
}
}
[/php]
上exp了。（根因：$descriptionnew 的值经过 dhtmlspecialchars/cutstr 处理，但作为数组键的 $buddyid 未做任何转换就直接拼入 UPDATE 语句；修复应在拼接前对 $buddyid 做 intval 或等价的校验。）
[php]



[/php]
dz
