Discuz!X2.5最新版后台管理员权限Getshell

可注射到管理员密码会员等

详细说明：

plus/bookfeedback.php

小说模块。变量未初始化。导致注射

不过默认不安装此模块。

require_once(dirname(__FILE__)."/../include/common.inc.php"); require_once(DEDEINC."/filter.inc.php"); require_once(DEDEINC."/channelunit.func.php");  .............. //保存评论内容 if($comtype == 'comments') { $arctitle = addslashes($arcRow['arctitle']); $arctitle = $arcRow['arctitle']; if($msg!='') { $inquery = "INSERT INTO `dede_bookfeedback`(`aid`,`catid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`, `mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$catid','$username','$bookname','$ip','$ischeck','$dtime', '{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg'); "; $rs = $dsql->ExecuteNoneQuery($inquery); if(!$rs) { echo $dsql->GetError(); exit(); } } } //引用回复 elseif ($comtype == 'reply') { $row = $dsql->GetOne("Select * from `dede_bookfeedback` where id ='$fid'"); $arctitle = $row['arctitle']; $aid =$row['aid']; $msg = $quotemsg.$msg; $msg = HtmlReplace($msg,2); $inquery = "INSERT INTO `dede_bookfeedback`(`aid`,`typeid`,`username`,`arctitle`,`ip`,`ischeck`,`dtime`,`mid`,`bad`,`good`,`ftype`,`face`,`msg`) VALUES ('$aid','$typeid','$username','$arctitle','$ip','$ischeck','$dtime','{$cfg_ml->M_ID}','0','0','$feedbacktype','$face','$msg')"; $dsql->ExecuteNoneQuery($inquery); }

$catid变量以及$typeid变量未初始化。造成注入！

漏洞证明：