Vulnerability Author: phantom spring [B.S.N]
Source code: http://www.dvbbs.net/products.asp
Official site: http://www.dvbbs.net
Vulnerability level: medium and high
Vulnerability description:
Vulnerability 1:
Show.asp
Code:
If Request("username") = "" Or Request("filetype") = "" Or Request("boardid") = "" Then rsearch = ""
............
If Request("username") <> "" Then rsearch = rsearch & " and F_Username='" & Dvbbs.checkStr(Request("username")) & "'"
Here we can see that the username is filtered using Dvbbs.checkStr. The filtered value assigned to rsearch is not what matters for this article; what we need to look at is what Dvbbs.checkStr actually filters.
Incconst.asp
Code:
Public Function Checkstr(Str)
    If IsNull(Str) Then ' if the value is null
        CheckStr = ""
        Exit Function
    End If
    Str = Replace(Str, Chr(0), "") ' filter truncation (null byte)
    CheckStr = Replace(Str, "'", "''") ' escape single quotes
End Function
Only SQL injection is filtered; XSS is not filtered. Therefore, cross-site statements can be entered in the username at will.
Resourceenokate_1show_html4.htm
Browse <font color="{$alertcolor}">{$username}</font> personal exhibitions |
This template outputs the content of the user name.
Vulnerability 2:
Smiley.asp
Code:
<%
If Request("t") = "1" Then
    Face_Main()
Else
    Main()
End If
Dvbbs.PageEnd()
Sub Main()
    Dvbbs.Loadtemplates("post")
    Dim star
    If Request("star") <> "" Then
        star = Request("star")
    Else
        star = 1
    End If
%>
Here we can see that if t is not equal to 1, Main() is run, and Main() reads the variable star without any filtering.
Code:
<%
Response.Write "var aImages =" & Dvbbs.Forum_Emot & ";"
Response.Write "var star =" & star & ";"
%>
Writing the value directly into the script output results in cross-site scripting.
Vulnerability 3:
Reg.asp
Code:
If Request.Form("question") = "" And question_answer Then
    ErrCodes = ErrCodes + "<li>" + template.Strings(11)
Else
    Question = Request.Form("question")
End If
There is a cross-site vulnerability because the password question is not filtered at all. In this way, we register an account and enter any cross-site code in the password question. So how is it triggered? Log out and go to the password retrieval page, which is lostpass.asp.
The last vulnerability was not discovered by me, and the last xss was not designed to be exploited.
Source: [B.S.N] -- follow Script Security http://sites.google.com/site/bsnguanzhujiaobenanquan/ 09.03.30
The above code can be spread using an AJAX worm.
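The fixes the three findings call for, as an added example that is not Dvbbs code or part of the original advisory: star is restricted to digits before it is written into the script block, and the user name and password question are HTML-encoded at output. SafeStar, EncodeForHtml, the 4-digit limit and the way the template placeholder is replaced are assumptions for illustration.

```asp
<%
' Added example, not Dvbbs code. SafeStar, EncodeForHtml, the 4-digit limit
' and the template handling at the end are assumptions for illustration.

' Smiley.asp: star is written into a script block, so allow digits only.
Function SafeStar(raw)
    Dim s, re
    SafeStar = 1                    ' same default as the original code
    s = Trim(raw & "")              ' concatenation turns Empty or Null into an empty string
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,4}$"
    If re.Test(s) Then SafeStar = CLng(s)
End Function

' Show.asp and Reg.asp: user name and password question are printed as HTML.
' Server.HTMLEncode covers < > & and the double quote, not the single quote,
' so use it for element content and double-quoted attributes only.
Function EncodeForHtml(raw)
    EncodeForHtml = Server.HTMLEncode(raw & "")
End Function

Dim star, question, tpl

' Vulnerability 2: the value reaching the script output is now a number.
star = SafeStar(Request("star"))
Response.Write "var star = " & star & ";"

' Vulnerability 3: store the question as entered, encode it where it is shown
' (the password retrieval page).
question = Request.Form("question")
Response.Write EncodeForHtml(question)

' Vulnerability 1: encode the user name before it replaces {$username}.
' CheckStr still applies to the copy that goes into the SQL string.
tpl = "Browse <font color=""{$alertcolor}"">{$username}</font> personal exhibitions |"
Response.Write Replace(tpl, "{$username}", EncodeForHtml(Request("username")))
%>
```

CheckStr and HTML encoding answer different contexts: the first protects the SQL string, the second protects the page, and each value needs the one that matches where it is written.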