Bbsxp 2 0 0 7[previous version don't know]an interesting vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62200717222
Type myhack58
Reporter 佚名
Modified 2007-10-12T00:00:00


| cpmpact. asp <% option explicit Const JET_3X = 4

if ""&Request("sessionid")&""<>""&session. sessionid&"" then error("validation code error")

Dim dbpath,boolIs97 dbpath = Request("dbpath") boolIs97 = Request("boolIs97") If dbpath <> "" Then dbpath = server. mappath(dbpath) response. write(CompactDB(dbpath,boolIs97)) End If

Function CompactDB(dbPath, boolIs97) Dim fso, Engine, strDBPath strDBPath = Left(dbPath,instrrev(DBPath,"\")) Set fso = createObject("Scripting. FileSystemObject") If fso. FileExists(dbPath) Then Set Engine = createObject("JRO. JetEngine") On Error Resume Next If boolIs97 = "True" Then Engine. CompactDatabase "Provider=Microsoft. Jet. OLEDB. 4. 0;Data Source=" &dbpath, _ "Provider=Microsoft. Jet. OLEDB. 4. 0;Data Source=" & strDBPath & "temp. mdb;" _ & "Jet OLEDB:Engine Type=" & amp; JET_3X Else Engine. CompactDatabase "Provider=Microsoft. Jet. OLEDB. 4. 0;Data Source=" &dbpath, _ "Provider=Microsoft. Jet. OLEDB. 4. 0;Data Source=" & strDBPath & "temp. mdb" End If If Err Then error("unrecognizable database format") fso. CopyFile strDBPath & "temp. mdb",dbpath fso. deleteFile(strDBPath & "temp. mdb") Set fso = nothing Set Engine = nothing CompactDB = "<script language=’JavaScript’>alert(’compression successful!’); history. back();</script>" Else CompactDB = "<script language=’JavaScript’>alert(’cannot find the database!\ n please check the database whether the path input error!’); history. back();</script>" End If End Function

sub Alert(Message) %> <script language=’JavaScript’>alert(’<%=Message%>’);history. back();</script><script language=’JavaScript’>window. close();</script> <% response. end end sub %>

The entire code authority to verify is if ""&Request. form("sessionid")&""<>""&session. sessionid&"" then error("validation code error") As long as the post over the sessionid and the current sessiond equal right to the limit,then how do we know the sessionid? Simple! viewonline. the asp portion of the code sub default if Request. ServerVariables("Request_method") = "POST" and BestRole<>1 then error("only Super moderators and administrators can use query functions") Key=HTMLEncode(Request. Form("Key")) Find=HTMLEncode(Request. Form("Find"))

if Len(Find)>1 0 then error("illegal operation") if Key<>empty then SqlFind=" where "&amp; Find&"=’"&Key&"’" sql="select * from [BBSXP_UserOnline] "&amp; SqlFind&" order by LastTime Desc" Rs. Open sql,Conn,1 The PageSetup=2 0 ’set each page display number Rs. Pagesize=The PageSetup TotalPage=Rs. Pagecount ’the total number of pages PageCount = RequestInt("PageIndex") if PageCount <1 then PageCount = 1 if PageCount > TotalPage then PageCount = TotalPage if TotalPage>0 then Rs. absolutePage=PageCount ’jump to the specified page number i=0 Do While Not Rs. EOF and i<the PageSetup i=i+1 if BestRole<>1 then ips=split(Rs("IPAddress"),".") ShowIP=""&ips(0)&"."& amp;ips(1)&".." else ShowIP=""&Rs("IPAddress")&"" end if

if ""&Rs("UserName")&""="" then UserName="<FONT COLOR=#C0C0C0>"&Rs("SessionID")&"</FONT>" else if Rs("IsInvisible")=0 or BestRole=1 then UserName="<a href=Profile. asp? UserName="&Rs("UserName")&">"&Rs("UserName")&"</a>" if Rs("IsInvisible")=1 then UserName=UserName&"(stealth)" end if

As long as someone is online then your username=’that you are a tourist,then here is your sessionid,Oh. Well,record your ip corresponding to the sessionid, you can go to the compressed database. But also there is nothing with is? You don't know the database path in which...... Let us think,if we can upload a. txt suffix to the database,then the path is recorded,sent over compression...... Nothing with it,still. But wait,remember the jet is there for overflow,if we send a virus up? I also don't know what will happen,not the environment,not tested..... YY Ah,I'm really really bored......