Small conference yxbbs vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62200818660
Type myhack58
Reporter 佚名
Modified 2008-03-31T00:00:00


Source: LiFediy's blog Author: jannock

yxbbs is a smaller Forum system,can be considered a good little Forum. Tube party websites is: <> For their research,found that there is not a small security issue. 1, arbitrary File Download vulnerability.

Vulnerability file: ViewFile. asp

Function ChkFile(FileName) Dim Temp,FileType,F ChkFile=false FileType=Lcase(Split(FileName,".") (ubound(Split(FileName,".")))) Temp="|asp|aspx|cgi|php|cdx|cer|asa|" If Instr(Temp,"|"&FileType"|")>0 Then ChkFile=True F=Replace(Request("FileName"),".","") If instr(1,F,chr(3 9))>0 or instr(1,F,chr(3 4))>0 or instr(1,F,chr(5 9))>0 then ChkFile=True End Function

In check the download file types only when the judgment is not that a few types you can download. Therefore the presence of the vulnerability,we can construct such a download <> Note that back plus more%2 0, on behalf of the spaces. !

2, theSQL injectionvulnerability Vulnerability file:Usersetup. Asp

SaveMyInfo() Note to

Sex=YxBBs. Fun. GetStr("Sex") QQ=YxBBs. Fun. GetStr("QQ") IsQQpic=YxBBs. Fun. GetStr("IsQQpic")

Public Function GetStr(Str) Str = Trim(Request. Form(Str)) If IsEmpty(Str) Then Str = "" Else Str = Replace(Str," {"," Open") Str = Replace(Str,"}","}") Str = Replace(Str,"'","'") Str = Replace(Str,"|","|") End If GetStr = Trim(Str) End Function

Only consider ' {}|, etc., but

YxBBs. execute("update [YX_User] set Birthday='"&Birthday"',Sex="&Sex",PicW="&amp; PicW", PicH="&PicH",Mail='"&Mail"',QQ='"&QQ"',Honor='"&II"',Pic='"&PicUrl"', Home='"&amp; Home"',Sign='"&Sign"',IsQQpic="&amp; IsQQpic" where name='"& YxBBs. MyName"' And Password='"&amp; YxBBs. MyPwd"'")


You can see, Sex can be configured to 1,SQL injectionstatement... for asscee database the impact is not too, but SQL statements impact is very large.

3, multiple cross-site vulnerabilities Function

Public Function ubbg(str) Dim re Set re=new RegExp re. IgnoreCase=true re. Global=True re. Pattern="((javascript:)|(<)|(>)|(height)|(width)|(jscript:)|(object)|(script)|(js:)|(vbscript:)| (vbs:)|(\. value)|(about:)|(file:)|(document. cookie)|(on(mouse|Exit|error|click|key|load)))" str=re. Replace(str,"") re. Pattern="()" str=re. Replace(str," up & # to") Set re=Nothing ubbg=str End Function

Because consider as empty, so it can be configured to


Ever consider after it becomes javascript:

It says to here.