bbsxp 2007[以前版本不知道]一个有意思的漏洞 's

admin 2017年5月9日23:44:32评论1,184 views字数 2833阅读9分26秒阅读模式
摘要

来源:Loveshellcpmpact.asp

<%
option explicit
Const JET_3X = 4

if ""&Request("sessionid")&""<>""&session.sessionid&"" then error("效验码错误")

Dim dbpath,boolIs97
dbpath = Request("dbpath")
boolIs97 = Request("boolIs97")
If dbpath <> "" Then
dbpath = server.mappath(dbpath)
response.write(CompactDB(dbpath,boolIs97))
End If

Function CompactDB(dbPath, boolIs97)
Dim fso, Engine, strDBPath
strDBPath = Left(dbPath,instrrev(DBPath,"/"))
Set fso = createObject("Scripting.FileSystemObject")
If fso.FileExists(dbPath) Then
Set Engine = createObject("JRO.JetEngine")
On Error Resume Next
If boolIs97 = "True" Then
Engine.CompactDatabase "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbpath, _
"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDBPath & "temp.mdb;" _
& "Jet OLEDB:Engine Type=" & JET_3X
Else
Engine.CompactDatabase "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbpath, _
"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDBPath & "temp.mdb"
End If
If Err Then error("不可识别的数据库格式")
fso.CopyFile strDBPath & "temp.mdb",dbpath
fso.deleteFile(strDBPath & "temp.mdb")
Set fso = nothing
Set Engine = nothing
CompactDB = "<script language='JavaScript'>alert('压缩成功!');history.back();</script>"
Else
CompactDB = "<script language='JavaScript'>alert('找不到数据库!/n请检查数据库路径是否输入错误!');history.back();</script>"
End If
End Function

sub Alert(Message)
%>
<script language='JavaScript'>alert('<%=Message%>');history.back();</script><script language='JavaScript'>window.close();</script>
<%
response.end
end sub
%>

来源:Loveshell

cpmpact.asp

<%
option explicit
Const JET_3X = 4

if ""&Request("sessionid")&""<>""&session.sessionid&"" then error("效验码错误")

Dim dbpath,boolIs97
dbpath = Request("dbpath")
boolIs97 = Request("boolIs97")
If dbpath <> "" Then
dbpath = server.mappath(dbpath)
response.write(CompactDB(dbpath,boolIs97))
End If

Function CompactDB(dbPath, boolIs97)
Dim fso, Engine, strDBPath
strDBPath = Left(dbPath,instrrev(DBPath,"/"))
Set fso = createObject("Scripting.FileSystemObject")
If fso.FileExists(dbPath) Then
Set Engine = createObject("JRO.JetEngine")
On Error Resume Next
If boolIs97 = "True" Then
Engine.CompactDatabase "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbpath, _
"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDBPath & "temp.mdb;" _
& "Jet OLEDB:Engine Type=" & JET_3X
Else
Engine.CompactDatabase "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbpath, _
"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDBPath & "temp.mdb"
End If
If Err Then error("不可识别的数据库格式")
fso.CopyFile strDBPath & "temp.mdb",dbpath
fso.deleteFile(strDBPath & "temp.mdb")
Set fso = nothing
Set Engine = nothing
CompactDB = "<script language='JavaScript'>alert('压缩成功!');history.back();</script>"
Else
CompactDB = "<script language='JavaScript'>alert('找不到数据库!/n请检查数据库路径是否输入错误!');history.back();</script>"
End If
End Function

sub Alert(Message)
%>
<script language='JavaScript'>alert('<%=Message%>');history.back();</script><script language='JavaScript'>window.close();</script>
<%
response.end
end sub
%>

整个代码权限验证是

if ""&Request.form("sessionid")&""<>""&session.sessionid&"" then error("效验码错误")

只要post过来sessionid和当前的sessiond相等就有权限了,那么我们如何知道sessionid呢?简单哪!
viewonline.asp部分代码

sub default
if Request.ServerVariables("Request_method") = "POST" and BestRole<>1 then error("只有超级版主与管理员才能使用查询功能")
Key=HTMLEncode(Request.Form("Key"))
Find=HTMLEncode(Request.Form("Find"))

if Len(Find)>10 then error("非法操作")
if Key<>empty then SqlFind=" where "&Find&"='"&Key&"'"
sql="select * from [BBSXP_UserOnline] "&SqlFind&" order by LastTime Desc"
Rs.Open sql,Conn,1
PageSetup=20 '设定每页的显示数量
Rs.Pagesize=PageSetup
TotalPage=Rs.Pagecount '总页数
PageCount = RequestInt("PageIndex")
if PageCount <1 then PageCount = 1
if PageCount > TotalPage then PageCount = TotalPage
if TotalPage>0 then Rs.absolutePage=PageCount '跳转到指定页数
i=0
Do While Not Rs.EOF and i<PageSetup
i=i+1
if BestRole<>1 then
ips=split(Rs("IPAddress"),".")
ShowIP=""&ips(0)&"."&ips(1)&".*.*"
else
ShowIP=""&Rs("IPAddress")&""
end if

if ""&Rs("UserName")&""="" then
UserName="<FONT COLOR=#C0C0C0>"&Rs("SessionID")&"</FONT>"
else
if Rs("IsInvisible")=0 or BestRole=1 then UserName="<a href=Profile.asp?UserName="&Rs("UserName")&">"&Rs("UserName")&"</a>"
if Rs("IsInvisible")=1 then UserName=UserName&"(隐身)"
end if

只要有人在线然后你的username=''就是你是游客,那么这里显示的就是你的sessionid了,呵呵.好,记录下自己的ip对应的sessionid就可以去压缩数据库了.不过也没有什么用是么?你又不知道数据库路径在哪……
让我们想想,如果我们可以上传一个txt后缀的数据库,然后把路径记录下来,送过去压缩……没什么用吧,还是.不过再等下,记得以前的jet是有溢出的,如果我们送个exploit上去会怎么样?我也不晓得会怎么样,没环境,没测试…..
YY啊,我是真有够无聊的……

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2017年5月9日23:44:32
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   bbsxp 2007[以前版本不知道]一个有意思的漏洞 'shttps://cn-sec.com/archives/49976.html

发表评论

匿名网友 填写信息