bbsxp注入漏洞（BBSXP injection vulnerability）.docVIP

bbsxp注入漏洞（BBSXP injection vulnerability） BBSXP injection vulnerability BBSXP injection vulnerability The new BBSXP injection vulnerability reappearance, can get the administrator account password directly -- I found a summary of the bbsxp5 sp1 vulnerability There was an article about BBSXP in the early days of the magazine. It was a Cookie injection attack. The author was ingenious and could think of a logical loophole. After reading the article, the school did not read the code. Having nothing to do during the summer vacation, I downloaded the latest version of BBSXP and read it. BBSXP is really small and small, and the file is short and short, but its a bit different from a DVBBS, whether its a function or an interface. But its a little bit of a flaw, after three years of testing. One. Search for loopholes BBS to string input with HTMLEncode conversion, the numeric type with int function adjustment, Isnumeric function judgment. Obviously there are Numbers and strings in the query that must not be used as input values. You cant input as a value, why do you enter it? Thats the crux of the matter. I scanned each file with this idea, and it took a long time to get to search. Asp (seem to have had a loophole before, changed the original but have a new) found a loophole, look at the code together. ! - # include file = setup. Asp -- The % top If request.cookies ( username ) = empty then error ( li you havent a href = login.asp login ) DetectPost If the Request ( menu ) = ok then Search = Request ( search ) Forumid forumid = Request ( ) TimeLimit = Request ( TimeLimit ) The content = the HTMLEncode (Request ( content )) Searchxm = the HTMLEncode (Request ( searchxm )) Searchxm2 = the HTMLEncode (Request ( searchxm2 )) Searchxm2 = replace (searchxm2, @, ) If the content = empty then the content = Request. Cookies ( username ) If isnumeric ( forumid ) then forumidor = forumid = forumid and If the search = author then The item = searchxm = the content Elseif