信息来源:http://www.nspcn.org , http://www.tr4c3.com
Author: Tr4c3[at]126[dot]CoM
谨以此文献给在我老婆不在身边的时候陪我YY,看AV的n37p47ch,King,慕容大雨和BK瞬间群的所有淫棍。
这几天真是无聊的很啊,晚上实在不知道要做什么了,就下了套dvbbs 8.1,然后翻着玩,一不小心翻到了一个注
入漏洞。看来上帝还是很可怜我的。废话不说了。
看代码UserPay.asp行12-64
1
If
Request(
"
raction
"
)
=
"
alipay_return
"
Then
2
AliPay_Return()
3
Dvbbs.Footer()
4
Response.End
5
ElseIf
Request(
"
action
"
)
=
"
alipay_return
"
Then
6
AliPay_Return()
7
Dvbbs.Footer()
8
Response.End
9
'
ElseIf Request("action")="Re_inmoney" Then
10
'
Re_inmoney()
11
'
Dvbbs.Footer()
12
'
Response.End
13
End
If
14
![](/Images/OutliningIndicators/None.gif)
15
无论用户提交的raction为alipay_return还是action为alipay_return都调用了AliPay_Return()过程。AliPay_Return()的代码原型在行329-351,代码如下:
1
Sub
AliPay_Return()
2
If
Dvbbs.Forum_ChanSetting(
5
)
<>
"
0
"
Then
3
AliPay_Return_Old()
4
Exit
sub
5
Else
6
Dim
Rs,Order_No,EnCodeStr,UserInMoney
7
Order_No
=
Request(
"
out_trade_no
"
)
8
Set
Rs
=
Dvbbs.Execute(
"
Select * From [Dv_ChanOrders] Where O_IsSuc=3 And O_PayCode='
"
&
Order_No
&
"
'
"
)
9
If
not
(Rs.Eof
And
Rs.Bof)
Then
10
AliPay_Return_Old()
11
Exit
sub
12
End
if
13
Response.Clear
14
Set
Rs
=
Dvbbs.Execute(
"
Select * From [Dv_ChanOrders] Where O_IsSuc=0 And O_PayCode='
"
&
Order_No
&
"
'
"
)
15
If
Rs.Eof
And
Rs.Bof
Then
16
Response.Write
"
N
"
17
Else
18
Response.Write
"
Y
"
19
Dvbbs.Execute(
"
Update Dv_ChanOrders Set O_IsSuc=3 Where O_ID =
"
&
Rs(
"
O_ID
"
))
20
End
If
21
Response.End
22
End
If
23
End Sub
如果Dvbbs.Forum_ChanSetting(5) <> "0" 就执行下面的sql语句,我们来看看数据库里默认的Forum_ChanSetting吧。
1
1
,
1
,
0
,
0
,pay@aspsky.net,
0
,b63uvb8nsvsmbsaxszgvdr6svyus0l4t,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
100
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
,
1
Forum_ChanSetting(5)缺省为0,好了你接着看就会笑了
1
Order_No
=
Request(
"
out_trade_no
"
)
2
Set
Rs
=
Dvbbs.Execute(
"
Select * From [Dv_ChanOrders] Where O_IsSuc=3 And O_PayCode='
"
&
Order_No
&
"
'
"
)
3
![](/Images/OutliningIndicators/None.gif)
4
直接把获取的Order_No放到sql里面去了。
回顾一下DVbbs8.0的Userpay.asp同样一个函数看代码
1
Sub
AliPay_Return()
2
If
Dvbbs.Forum_ChanSetting(
5
)
<>
"
0
"
Then
3
AliPay_Return_Old()
4
Else
5
Response.Clear
6
Dim
Rs,Order_No,EnCodeStr,UserInMoney
7
Order_No
=
Dvbbs.CheckStr(Request(
"
order_no
"
))
8
Set
Rs
=
Dvbbs.Execute(
"
Select * From Dv_ChanOrders Where O_IsSuc=0 And O_PayCode = '
"
&
Order_No
&
"
'
"
)
9
If
Rs.Eof
And
Rs.Bof
Then
10
Response.Write
"
N
"
11
![](/Images/OutliningIndicators/None.gif)
12
可以看出Order_No用CheckStr处理了,不存在sql注入漏洞,为什么到了新版本反而就直接放行了呢?莫非是笔误?
如果你和我一样懒,并不想精心构造语句去搞破坏,只是试图去说明这个地方不安全,用下面的链接验证下看看
吧(需要登录)
http://www.tr4c3.com/UserPay.asp?raction=alipay_return
&out_trade_no
=1'
本地测试返回图示
![](http://www.tr4c3.com/upload/200801080915484626.jpg)
![](http://www.tr4c3.com/upload/200801080916034474.jpg)
如果想再深入点,看看动画吧,懒得打字了。:-)
由于本人没下载到dvbb8.1的sql版本,也懒得去网上找,所以无法判断其版本也存在该漏洞,有条件的朋友看看反馈
下。
动画下载
经过群里的淫棍樱木花盗测试官方确认mssql版本也受此漏洞影响
![](http://www.tr4c3.com/upload/200801081003115487.jpg)
![](http://www.tr4c3.com/upload/200801081102150778.jpg)