Dvbbs 8.1 0DAY (affects both the Access and MSSQL versions) - Vulnerability Warning - Black Bar Safety Net

2008-01-09T00:00:00
ID MYHACK58:62200818070
Type myhack58
Reporter Anonymous
Modified 2008-01-09T00:00:00

Description

Author: Tr4c3[at]126[dot]CoM http://www.nspcn.org http://www.tr4c3.com

I have the honour of dedicating this document to those who YY and watch AV with me when my wife is not around: n37p47ch, King, murong the rain, and everyone screwing around in the BK instantly group.

These days have been really boring. At night I really did not know what to do, so I downloaded a copy of dvbbs 8.1 and flipped through it for fun, and accidentally turned up an injection vulnerability. It seems that God still takes pity on me. Enough nonsense. Look at the code in UserPay.asp, lines 12-64:

    If Request("raction")="alipay_return" Then
        AliPay_Return()
        Dvbbs.Footer()
        Response.End
    ElseIf Request("action")="alipay_return" Then
        AliPay_Return()
        Dvbbs.Footer()
        Response.End
    'ElseIf Request("action")="Re_inmoney" Then
        'Re_inmoney()
        'Dvbbs.Footer()
        'Response.End
    End If

Whether the user submits raction=alipay_return or action=alipay_return, the AliPay_Return() procedure is called. AliPay_Return() is defined at lines 329-351. The code is as follows:

    Sub AliPay_Return()
        If Dvbbs.Forum_ChanSetting(5) <> "0" Then
            AliPay_Return_Old()
            Exit sub
        Else
            Dim Rs,Order_No,EnCodeStr,UserInMoney
            ' out_trade_no is read from the request without any filtering
            Order_No=Request("out_trade_no")
            ' ... and concatenated straight into both Select statements below
            Set Rs = Dvbbs.Execute("Select * From [Dv_ChanOrders] Where O_IsSuc=3 And O_PayCode='"& Order_No&"'")
            If not(Rs.Eof And Rs.Bof) Then
                AliPay_Return_Old()
                Exit sub
            End if
            Response.Clear
            Set Rs = Dvbbs.Execute("Select * From [Dv_ChanOrders] Where O_IsSuc=0 And O_PayCode='"& Order_No&"'")
            If Rs.Eof And Rs.Bof Then
                Response.Write "N"
            Else
                Response.Write "Y"
                Dvbbs.Execute("Update Dv_ChanOrders Set O_IsSuc=3 Where O_ID =" & Rs("O_ID"))
            End If
            Response.End
        End If
    End Sub

Unless Dvbbs.Forum_ChanSetting(5) <> "0" holds, the SQL statements that follow are executed, so let us look at the default Forum_ChanSetting in the database.

    1,1,0,0,pay@aspsky.net,0,b63uvb8nsvsmbsaxszgvdr6svyus0l4t,1,1,1,1,1,1,1,100,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

Forum_ChanSetting(5) is 0 by default. Well, read on and you will laugh:

    Order_No=Request("out_trade_no")
    Set Rs = Dvbbs.Execute("Select * From [Dv_ChanOrders] Where O_IsSuc=3 And O_PayCode='"& Order_No&"'")

Order_No is taken directly from the request and put into the SQL statement. Recall that Userpay.asp in DVbbs 8.0 has this function as well; look at its code:

    Sub AliPay_Return()
        If Dvbbs.Forum_ChanSetting(5) <> "0" Then
            AliPay_Return_Old()
        Else
            Response.Clear
            Dim Rs,Order_No,EnCodeStr,UserInMoney
            Order_No = Dvbbs.CheckStr(Request("order_no"))
            Set Rs = Dvbbs.Execute("Select * From Dv_ChanOrders Where O_IsSuc=0 And O_PayCode = '"& Order_No&"'")
            If Rs.Eof And Rs.Bof Then
                Response.Write "N"

As can be seen, Order_No is processed with CheckStr there, so no SQL injection vulnerability exists. Why does the new version let the value straight through instead? Could it be a clerical error? If you are lazy like me and do not want to carefully construct a statement to do damage, and only want to show that this spot is unsafe, use the link below to verify it (login required):

http://www.tr4c3.com/UserPay.asp?raction=alipay_return&out_trade_no=1'

The result of the local test is as shown!! If you want to go deeper, watch the animation; I am too lazy to type. :-) Since I have not downloaded the SQL edition of dvbbs 8.1 and am too lazy to go looking for it online, I cannot determine which versions the vulnerability exists in. Friends who have the means, please test and send feedback. Animation download:

http://www.tr4c3.com/upload/200801080917104654.rar

After a bunch of screwing around, testing by sakuragi flower stolen gave official confirmation that the mssql version is also affected by this vulnerability!!
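
The 8.1 order lookup rewritten with bound parameters, as an added example that is not Dvbbs code or the author's; it covers only the O_IsSuc=0 lookup and the update that follows it. Conn (an already-open ADODB.Connection), the names FindOrder and AliPay_Return_Safe, the 64-character limit on O_PayCode and the integer type of O_IsSuc and O_ID are assumptions.

```vbscript
' Added example, not Dvbbs code. out_trade_no is bound as a parameter value,
' so a quote character in it is compared as data and never parsed as SQL.
' Assumptions: Conn is an open ADODB.Connection (hypothetical name);
' O_PayCode holds at most 64 characters; O_IsSuc and O_ID are integers.
Const adInteger = 3
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

' Runs the order lookup with both conditions passed as parameters.
Function FindOrder(Conn, IsSuc, PayCode)
    Dim Cmd
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandType = adCmdText
    Cmd.CommandText = "Select * From [Dv_ChanOrders] Where O_IsSuc=? And O_PayCode=?"
    Cmd.Parameters.Append Cmd.CreateParameter("IsSuc", adInteger, adParamInput, , IsSuc)
    Cmd.Parameters.Append Cmd.CreateParameter("PayCode", adVarChar, adParamInput, 64, PayCode)
    Set FindOrder = Cmd.Execute
End Function

Sub AliPay_Return_Safe(Conn)
    Dim Rs, Order_No, Upd
    Order_No = Trim(Request("out_trade_no") & "")
    ' Reject empty or over-long values before touching the database.
    If Len(Order_No) = 0 Or Len(Order_No) > 64 Then
        Response.Write "N"
        Exit Sub
    End If
    Set Rs = FindOrder(Conn, 0, Order_No)
    If Rs.Eof And Rs.Bof Then
        Response.Write "N"
    Else
        Response.Write "Y"
        ' The update is parameterized too, with O_ID forced to a number.
        Set Upd = Server.CreateObject("ADODB.Command")
        Set Upd.ActiveConnection = Conn
        Upd.CommandType = adCmdText
        Upd.CommandText = "Update Dv_ChanOrders Set O_IsSuc=3 Where O_ID=?"
        Upd.Parameters.Append Upd.CreateParameter("Id", adInteger, adParamInput, , CLng(Rs("O_ID")))
        Upd.Execute
    End If
End Sub
```

With this form, the verification request shown earlier (out_trade_no=1') simply finds no matching order and returns "N" instead of producing a database error.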