Discuz!4.0.0 Discuz!4.1.0 Discuz!5.0.0 Discuz!5.5.0 Discuz!6.0.0 Discuz!6.1.0
Discuz!论坛wap功能模块编码的注射漏洞
SEBUG-ID:3778
SEBUG-Appdir:Discuz!
Published:2008-08-04
Vulnerable:
Discription:
Discuz!论坛系统是一个采用 PHP 和 MySQL 等其他多种数据库构建的高效论坛解决方案。Discuz! 在代码质量,运行效率,负载能力,安全等级,功能可操控性和权限严密性等方面都在广大用户中有良好的口碑 由于 PHP 对 多字节字符集的支持存在问题,在各种编码相互转换过程中,有可能引发程序溢出和程序错误 提交一个 ' 转意成 \' 然后转成gbk的,\和'就变成两个字符了 '就可以成功的引入
<*References
http://www.discuz.net/thread-1008182-1-1.html*>
http://www.sebug.net/vulndb/3778/
http://www.topgct.com/2008/08/04/%e5%85%b3%e4%ba%8ediscuz%e5%88%a9%e7%94%a8%e7%a8%8b%e5%ba%8f%e5%a3%b0%e6%98%8e/
Exploit:
[www.sebug.net]
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
if(defined('IN_DISCUZ')) {
exit('Access Denied');
}
define('CODETABLE_DIR', DISCUZ_ROOT.'./include/tables/');
class Chinese {
var $table = '';
var $iconv_enabled = false;
var $unicode_table = array();
var $config = array
(
'SourceLangSEBUG Solution:
// sebug.net [2008-08-04]