Dvbbs8.1最新漏洞通杀Access和mssql版(注入文件Userpay.asp本)[
看代码UserPay.asp行12-64<BR><P class=code>If Request("raction")="alipay_return" Then<BR> AliPay_Return()<BR> Dvbbs.Footer()<BR> Response.End<BR>ElseIf Request("action")="alipay_return" Then<BR> AliPay_Return()<BR> Dvbbs.Footer()<BR> Response.End<BR>'ElseIf Request("action")="Re_inmoney" Then<BR>' Re_inmoney()<BR>' Dvbbs.Footer()<BR>' Response.End<BR>End If</P>无论用户提交的raction为alipay_return还是action为alipay_return都调用了AliPay_Return()过程。AliPay_Return()的代码原型在行329-351,代码如下:<BR>
<P class=code>Sub AliPay_Return()<BR> If Dvbbs.Forum_ChanSetting(5) <> "0" Then<BR> AliPay_Return_Old()<BR> Exit sub<BR> Else<BR> Dim Rs,Order_No,EnCodeStr,UserInMoney<BR> Order_No=Request("out_trade_no")<BR> Set Rs = Dvbbs.Execute("Select * From Where O_IsSuc=3 And O_PayCode='"&Order_No&"'")<BR> If not(Rs.Eof And Rs.Bof) Then<BR> AliPay_Return_Old()<BR> Exit sub<BR> End if<BR> Response.Clear<BR> Set Rs = Dvbbs.Execute("Select * From Where O_IsSuc=0 And O_PayCode='"&Order_No&"'")<BR> If Rs.Eof And Rs.Bof Then<BR> Response.Write "N"<BR> Else<BR> Response.Write "Y"<BR> Dvbbs.Execute("Update Dv_ChanOrders Set O_IsSuc=3 Where O_ID = " & Rs("O_ID"))<BR> End If<BR> Response.End<BR> End If<BR>End Sub</P><BR>如果Dvbbs.Forum_ChanSetting(5) <> "0" 就执行下面的sql语句,我们来看看数据库里默认的Forum_ChanSetting吧。<BR>
<P class=code>1,1,0,0,pay@aspsky.net,0,b63uvb8nsvsmbsaxszgvdr6svyus0l4t,1,1,1,1,1,1,1,100,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1</P>Forum_ChanSetting(5)缺省为0,好了你接着看就会笑了<BR>
<P class=code>Order_No=Request("out_trade_no")<BR> Set Rs = Dvbbs.Execute("Select * From Where O_IsSuc=3 And O_PayCode='"&Order_No&"'")</P>直接把获取的Order_No放到sql里面去了。<BR>回顾一下DVbbs8.0的Userpay.asp同样一个函数看代码<BR>
<P class=code>Sub AliPay_Return()<BR> If Dvbbs.Forum_ChanSetting(5) <> "0" Then<BR> AliPay_Return_Old()<BR> Else<BR> Response.Clear<BR> Dim Rs,Order_No,EnCodeStr,UserInMoney<BR> Order_No = Dvbbs.CheckStr(Request("order_no"))<BR> Set Rs = Dvbbs.Execute("Select * From Dv_ChanOrders Where O_IsSuc=0 And O_PayCode = '"&Order_No&"'")<BR> If Rs.Eof And Rs.Bof Then<BR> Response.Write "N"</P>可以看出Order_No用CheckStr处理了,不存在sql注入漏洞,为什么到了新版本反而就直接放行了呢?莫非是笔误?<BR>如果你和我一样懒,并不想精心构造语句去搞破坏,只是试图去说明这个地方不安全,用下面的链接验证下看看<BR>吧(需要登录)<BR>
<P class=code>http://www.tr4c3.com/UserPay.asp?raction=alipay_return&out_trade_no=1'</P>本地测试返回图示<BR><IMG title="" alt="" src="http://www.tr4c3.com/upload/200801080915484626.jpg" width=520 onload=ResizeImage(this,520)><BR><IMG title="" alt="" src="http://www.tr4c3.com/upload/200801080916034474.jpg" width=520 onload=ResizeImage(this,520)><BR><BR>如果想再深入点,看看动画吧,懒得打字了。:-)<BR>由于本人没下载到dvbb8.1的sql版本,也懒得去网上找,所以无法判断其版本也存在该漏洞,有条件的朋友看看反馈<BR>下。<BR><A href="http://www.tr4c3.com/upload/200801080917104654.rar" target=_blank>动画下载</A><BR>经过群里的淫棍樱木花盗测试官方确认mssql版本也受此漏洞影响<BR><IMG title="" alt="" src="http://www.tr4c3.com/upload/200801081003115487.jpg" width=520 onload=ResizeImage(this,520)><BR><IMG title="" alt="" src="http://www.tr4c3.com/upload/200801081102150778.jpg" width=520 onload=ResizeImage(this,520)>
<DIV class=commentbox id=comment1>
<DIV class=commentbox-title> </DIV></DIV>
re:Dvbbs8.1最新漏洞通杀Access和mssql版(注入文件Userpay.asp本)[
<P>小刀:QQ58173096</P><P>东青,猪,你生日快乐~!!!</P>
页:
[1]