Discuz! 7.2/X1 moodwall plugin: SQL injection and persistent XSS vulnerability

Brief description

The SQL injection is of limited practical use: it requires magic_quotes_gpc to be off, and sites today generally have it on.
The XSS, however, is persistent: it fires as soon as an administrator opens the corresponding page, and from there it starts.

Detailed description

The moodwall plugin (http://www.discuz.net/forum.php?mod=viewthread&tid=1632898), produced by the Teen Studio team listed in the Discuz! certified developer workroom (http://addons.discuz.com/workroom.php), contains SQL injection and cross-site scripting vulnerabilities caused by uninitialized parameters.


moodwall.inc.php

SQL injection, the first issue. The file has many more places like this where values taken from $_POST are used directly, which is just as unsafe.

elseif($action == 'edit_mood' && $moodid) {
    // $moodid is never initialized and goes straight into the SQL query
    $check = $db->result_first("SELECT * FROM {$tablepre}moodwall WHERE id='$moodid' AND uid='$discuz_uid'");
    if(!$check || !$moodid) {
        showmessage('moodwall:moodwall_inc_php_2', 'plugin.php?id=moodwall&action=user_mood');
    }
    $sql = "SELECT * FROM {$tablepre}moodwall WHERE id='$moodid'";
    $query = $db->query($sql);
    $moodlist_edit = array();
    while($mood_edit = $db->fetch_array($query)) {
        $moodlist_edit[] = $mood_edit;
    }


XSS

$uid = $_POST[uid];
$username = $_POST[username];
$bgpic = $_POST[bgpic];
$mood = $_POST[mood];
$message = $_POST[message];
$dateline = time();
// the values from $_POST are used directly, and the front end does not filter them on output either, so the XSS arises
$db->query("INSERT INTO {$tablepre}moodwall (uid,username, bgpic, mood, message, dateline) VALUES ('$uid', '$username', '$bgpic', '$mood', '$message', '$dateline')");
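A hardened version of the two code paths above, added here as an illustration and not the plugin's own code. It assumes a PDO connection `$pdo` to the same database, the plugin's `$tablepre` prefix, the session's `$discuz_uid`, and the mbstring extension; the plugin's `$db` wrapper and `showmessage()` are not used.

```php
<?php
// Added example, not the plugin's code. Assumes a PDO connection $pdo to the
// same database, the plugin's $tablepre prefix and the session's $discuz_uid.

// Fix for the edit_mood path: validate the id and bind it instead of
// interpolating it, so the GPC setting no longer decides whether "2'" is harmful.
function load_mood_for_edit(PDO $pdo, $tablepre, $rawMoodId, $discuz_uid)
{
    $moodid = filter_var($rawMoodId, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1)));
    if ($moodid === false) {
        return null; // not a positive integer: reject, do not query
    }
    // Ownership check and fetch in one parameterised query.
    $stmt = $pdo->prepare(
        "SELECT * FROM {$tablepre}moodwall WHERE id = :id AND uid = :uid");
    $stmt->execute(array(':id' => $moodid, ':uid' => (int) $discuz_uid));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fix for the insert path: identity comes from the session, not from
// $_POST[uid] / $_POST[username]; free text is bound, length-limited and
// escaped again on output (render_mood), so a "><script> payload stays inert.
function save_mood(PDO $pdo, $tablepre, $discuz_uid, $username, array $post)
{
    $bgpic   = isset($post['bgpic'])   ? (string) $post['bgpic']            : '';
    $mood    = isset($post['mood'])    ? mb_substr($post['mood'], 0, 50)     : '';
    $message = isset($post['message']) ? mb_substr($post['message'], 0, 500) : '';
    // Background image must be a plain relative path: no scheme, no "..".
    if (!preg_match('#\A[A-Za-z0-9_./-]*\z#', $bgpic) || strpos($bgpic, '..') !== false) {
        return false;
    }
    $stmt = $pdo->prepare(
        "INSERT INTO {$tablepre}moodwall (uid, username, bgpic, mood, message, dateline)"
        . " VALUES (:uid, :username, :bgpic, :mood, :message, :dateline)");
    return $stmt->execute(array(
        ':uid' => (int) $discuz_uid, ':username' => $username, ':bgpic' => $bgpic,
        ':mood' => $mood, ':message' => $message, ':dateline' => time(),
    ));
}

// Output side: every stored field is HTML-escaped when rendered.
function render_mood(array $row)
{
    $h = function ($v) { return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'); };
    return '<div class="mood"><img src="' . $h($row['bgpic']) . '" alt="">'
        . '<b>' . $h($row['username']) . '</b>: ' . $h($row['message']) . '</div>';
}
```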


Proof of vulnerability

On a site that has this plugin installed:
/plugin.php?id=moodwall&action=edit_mood&moodid=2'

In the mood wall form, insert HTML directly:
"><script>alert(/xss/)</script>
