Dvbbs7.1.0cookie存在泄露绝对路径漏洞(国外英语资料).docVIP

Dvbbs7.1.0cookie存在泄露绝对路径漏洞(国外英语资料) [original]Dvbbs7.1.0cookie exists leak absolute path vulnerability Article title: [original]Dvbbs7.1.0cookie to disclose the existence of absolute path: 2005-06-2814:02 Linzi was released in the top hole [landlord [original]Dvbbs7.1.0cookie leak vulnerability absolute path Article author: LiNZI[B.C.T]@ Source: Evil octal information security team Name of manufacturer: talking about pioneer of mobile network Manufacturers address: / Vulnerability program: Dvbbs7.1.0 Vulnerability description: Dvbbs7.1.0s Cookie has a vulnerability to disclose the absolute path of the site, and attackers can cooperate with other technologies to implement SQL, cross library queries, and so on. Vulnerability utilization example: First, leak absolute vulnerability test: The official test site: Upload a map, the code is as follows: GIF89a scriptalert (document.cookie) /script Capture cookie as follows Cookie:ASPSESSIONIDSSDSCBQD=NHANOBNCAPCPAMCFMAGDIJCB; dwebdvbbs7%2E1%2E0=UserID=617054usercookies=1userclass=%D0%C2%CA%D6%C9%CF%C2%B7username=linzibctpassword=t8ob621664s5v6HLuserhidden=2StatUserID=2189992004; Dvbbs= Analysis cookie can get the absolute path of the site is as follows: The absolute path of d:\\web\\dvbbs7 for discussion Two, attack extension: W The main program has a SQL injection vulnerability, but the table name and field name cannot be found. Injection point hypothesis: W\\linzi.asp? Fuck=you? Talk about dvbbs7.1.0, database for data\\\\dvbbs.asp, do the anti download processing Using the above network critical path, to get the absolute path for d:\\www\\dvbbs\\data\\dvbbs.asp capture Cross library queries are as follows: W\\linzi.asp? Fuck=youand (selectcount (*) fromdv_adminin d:\\www\\dvbbs\\data\\dvbbs.asp) Official patch: There is no top hak_ban[HSG] posted on: 2005-06-2816:15 [1 building] The test method can be changed, and it only takes the user to get the COOKIE information of the target site. If you dont need to be a BBS user,