BBSXP为一款简单的ASP+SQL与ACCESS开发的多风格论坛 目前最新版本为BBSXP2008。漏洞文件:MoveThread.asp MoveThread.asp行2-24<pre><% if CookieUserName =empty then error("您还未<a href=""javascript:BBSXP_Modal.Open ('Login.asp',380,170);"">登录</a>论坛") '保存cookie登陆即可 ThreadID=Request("ThreadID") ' Sql Injection Vulnerability If Not IsNumeric(ThreadID) then ThreadIDArray=Split(ThreadID,",") '判断数组,避免13行出错 if IsArray(ThreadIDArray) then for i=0 to Ubound(ThreadIDArray) if Execute ("Select ThreadID from ["&TablePrefix&"Threads] where ThreadID="& ThreadIDArray(i)&"").eof then error"<li>系统不存在该帖子的资料" next ThreadIDSql=int(ThreadIDArray(0)) else error("参数错误。") end if Else ThreadIDSql=int(ThreadID) End If ForumID=Execute("Select ForumID From ["&TablePrefix&"Threads] where ThreadID="&ThreadIDSql&"")(0) %> <!– #include...
BBSXP为一款简单的ASP+SQL与ACCESS开发的多风格论坛 目前最新版本为BBSXP2008。漏洞文件:MoveThread.asp MoveThread.asp行2-24<pre><% if CookieUserName =empty then error("您还未<a href=""javascript:BBSXP_Modal.Open ('Login.asp',380,170);"">登录</a>论坛") '保存cookie登陆即可 ThreadID=Request("ThreadID") ' Sql Injection Vulnerability If Not IsNumeric(ThreadID) then ThreadIDArray=Split(ThreadID,",") '判断数组,避免13行出错 if IsArray(ThreadIDArray) then for i=0 to Ubound(ThreadIDArray) if Execute ("Select ThreadID from ["&TablePrefix&"Threads] where ThreadID="& ThreadIDArray(i)&"").eof then error"<li>系统不存在该帖子的资料" next ThreadIDSql=int(ThreadIDArray(0)) else error("参数错误。") end if Else ThreadIDSql=int(ThreadID) End If ForumID=Execute("Select ForumID From ["&TablePrefix&"Threads] where ThreadID="&ThreadIDSql&"")(0) %> <!– #include file="Utility/ForumPermissions.asp" –></pre>先执行了查询后判断了权限,导致普通用户即可进行sql注射。 构造Url:http://www.target.com/movethread.asp?ThreadID=1,1' 提交,返回出错信息 Microsoft JET Database Engine 错误 '80040e14' 字符串的语法错误 在查询表达式 'ThreadID=1'' 中。 /BBSXP_Class.asp,行 5 Build: 8.0.4 厂商补丁: BBSxp 2008 ---------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.bbsxp.com/ target=_blank>http://www.bbsxp.com/</a>