BBSxp 2 0 0 8 (Build: 8.0.4) Sql injection vulnerability-vulnerability warning-the black bar safety net

2010-03-04T00:00:00
ID MYHACK58:62201026319
Type myhack58
Reporter 佚名
Modified 2010-03-04T00:00:00

Description

Affected versions: BBSxp 2 0 0 8 (Build: 8.0.4)

Vulnerability description:

File:MoveThread. asp MoveThread. asp line 2-2 of 4

if CookieUserName =empty then error("you have not<a href=""javascript:BBSXP_Modal. Open ('Login. asp',3 8 0,1 7 0);"">login</a>") 'save the cookie log can be ThreadID=R

File:MoveThread. asp MoveThread. asp line 2-2 of 4 <% if CookieUserName =empty then error("you have not<a href=""javascript:BBSXP_Modal. Open ('Login. asp',3 8 0,1 7 0);"">login</a>") 'save the cookie log can be ThreadID=Request("ThreadID") ' Sql Injection Vulnerability If Not IsNumeric(ThreadID) then ThreadIDArray=Split(ThreadID,",") 'determine the array,avoid 1 3 line error if IsArray(ThreadIDArray) then for i=0 to Ubound(ThreadIDArray) if Execute ("Select ThreadID from ["&TablePrefix&"Threads] where ThreadID="& amp; ThreadIDArray(i)&""). eof then error"<li>the system does not exist in the post data" next ThreadIDSql=int(ThreadIDArray(0)) else error("parameter error.") end if Else ThreadIDSql=int(ThreadID) End If

'ForumID' =Execute("Select' ForumID ' From ["&TablePrefix&"Threads] where ThreadID="&amp; ThreadIDSql&"")(0) %> <!-- #include file="Utility/ForumPermissions. asp" - >

The first implementation of the query after the judgment of the authority, cause normal users to be sql injection. Construct the Url:; Submitted, return an error message The Microsoft JET Database Engine error '80040e14' String syntax error in query expression 'ThreadID=and 1".

/BBSXP_Class. asp, line 5 SQL version better the use of, access of the nbsi seemingly can only guess the table and field, the field value cannot guess, you need to manually.