Discuz! moderation.inc.php 數據庫'注射' bug

Discuz! moderation.inc.php 數據庫'注射' bug

author: 80vul-B
team:[url]http://www.80vul.com[/url]

一 分析

在文件include/moderation.inc.php裏代碼:

$threadlist = $loglist = array();
if($tids = implodeids($moderate)) {
	$query = $db->query("SELECT * FROM {$tablepre}threads WHERE tid IN ($tids) AND fid='$fid' AND displayorder>='0' AND digest>='0' LIMIT $tpp");
	while($thread = $db->fetch_array($query)) {
		...
		$threadlist[$thread['tid']] = $thread;
		...
			foreach($threadlist as $tid => $thread) {
				...
					if($type == 'redirect') {
						$db->query("INSERT INTO {$tablepre}threads (fid, readperm, iconid, author, authorid, subject, dateline, lastpost, lastposter, views, replies, displayorder, digest, closed, special, attachment)
							VALUES ('$thread[fid]', '$thread[readperm]', '$thread[iconid]', '".addslashes($thread['author'])."', '$thread[authorid]', '".addslashes($thread['subject'])."', '$thread[dateline]', '$thread[dblastpost]', '$thread[lastposter]', '0', '0', '0', '0', '$thread[tid]', '0', '0')");

這個比較明顯,從數據庫查詢出的值$thread[lastposter]直接帶入了insert語句中,導致了注射:)
這個看上去比上面的那個用處大些,其實有很多的限制.首先$thread[lastposter]是從數據庫中查詢出來的值,有字數限制[不能大於15個字符];其次,這個地方需要版主權限才能操作.


二 利用

註冊新用戶,用戶名爲80vul',發表新回覆,然後用擁有版主權限的賬號將此帖轉移,移動方式選爲[移動主題並在原來的版塊中保留轉向],和上面的效果一樣,執行時數據庫報錯了:)

三 補丁[fix]

等待官方補丁.