BBSxp 2008 MoveThread.asp SQL Injection Vulnerability

Published: 2025-04-13
Revised: 2025-04-13

BBSXP is a simple multi-style forum built on ASP with SQL and Access back ends. The latest version at present is BBSXP2008.

Vulnerable file: MoveThread.asp

MoveThread.asp, lines 2-24:
<pre>
<%
if CookieUserName =empty then error("您还未<a href=""javascript:BBSXP_Modal.Open ('Login.asp',380,170);"">登录</a>论坛") ' logging in with a saved cookie is sufficient
ThreadID=Request("ThreadID") ' Sql Injection Vulnerability
If Not IsNumeric(ThreadID) then
    ThreadIDArray=Split(ThreadID,",") ' check that it is an array, to avoid an error on line 13
    if IsArray(ThreadIDArray) then
        for i=0 to Ubound(ThreadIDArray)
            if Execute ("Select ThreadID from ["&TablePrefix&"Threads] where ThreadID="& ThreadIDArray(i)&"").eof then error"<li>系统不存在该帖子的资料"
        next
        ThreadIDSql=int(ThreadIDArray(0))
    else
        error("参数错误。")
    end if
Else
    ThreadIDSql=int(ThreadID)
End If
ForumID=Execute("Select ForumID From ["&TablePrefix&"Threads] where ThreadID="&ThreadIDSql&"")(0)
%>
<!-- #include...
</pre>
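In the excerpt above, a non-numeric ThreadID is split on commas and each element is concatenated into the Select statement unchecked. A hardened form of the same logic follows as an added example, not BBSXP's own code. It assumes an open ADODB.Connection named Conn (a hypothetical name) and that the page's error() halts the request.

```vbscript
<%
' Added example, not BBSXP code. Assumptions: Conn is an open ADODB.Connection
' (hypothetical name); error() and TablePrefix are the ones used in MoveThread.asp;
' error() ends the request; TablePrefix comes from site configuration, not user input.
Const adCmdText = 1      ' ADO CommandTypeEnum
Const adInteger = 3      ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum

' Accept only 1-9 decimal digits, so CLng cannot overflow and values such as
' "1e3", "&H1F" or "1 or 1=1" are rejected before any query is built.
Function IsStrictId(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsStrictId = re.Test(s)
End Function

' Look up a thread with a bound parameter; the id is never concatenated into SQL.
' Returns Empty when no such thread exists.
Function ForumIdOfThread(id)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "Select ForumID From [" & TablePrefix & "Threads] where ThreadID=?"
    cmd.Parameters.Append cmd.CreateParameter("ThreadID", adInteger, adParamInput, , CLng(id))
    Set rs = cmd.Execute
    If rs.EOF Then
        ForumIdOfThread = Empty
    Else
        ForumIdOfThread = rs(0).Value
    End If
    rs.Close
End Function

Dim i, part, parts
' Treat a single id and a comma-separated list the same way: validate every element.
parts = Split(Request("ThreadID") & "", ",")
If UBound(parts) < 0 Then error("参数错误。")
For i = 0 To UBound(parts)
    part = Trim(parts(i))
    If Not IsStrictId(part) Then error("参数错误。")
    If IsEmpty(ForumIdOfThread(part)) Then error("<li>系统不存在该帖子的资料")
Next
ThreadIDSql = CLng(Trim(parts(0)))
ForumID = ForumIdOfThread(ThreadIDSql)
%>
```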

No exploit or PoC is currently available.
There are currently 0 affected product entries.