DVBBS 7.X SP2 权限提升漏洞分析

漏洞分析 login.asp ChkUserLogin() Function ChkUserLogin(username,password,mobile,usercookies,ctype) ... ... 'Session(Dvbbs.CacheName & "UserID")用户资料=0dvbbs+1刷新时间+2发贴时间+3所在版面ID+4用户ID+5用户名+6用户密码+7用户邮箱+8用户文章数+9用户主题数+10用户性别+11用户头像+12用户头像宽+13用户头像高+14用户注册时间+15用户最后登陆时间+16用户登陆次数+17用户状态+18用户等级+19用户组ID+20用户组名+21用户金钱+22用户积分+23用户魅力+24用户威望+25用户生日+26最后登陆IP+27用户被删除数+28用户精华数+29用户隐身状态+30用户短信情况+31用户阳光会员+32用户手机+33用户组图标+34用户头衔+35验证密码+36用户今日信息+37+临时数据+38Dvbbs Sql="Select UserID,UserName,UserPassword,UserEmail,UserPost,UserTopic,UserSex,UserFace,UserWidth,UserHeight,JoinDate,LastLogin,UserLogins,Lockuser,Userclass,UserGroupID,UserGroup,userWealth,userEP,userCP,UserPower,UserBirthday,UserLastIP,UserDel,UserIsBest,UserHidden,UserMsg,IsChallenge,UserMobile,TitlePic,UserTitle,TruePassWord,UserToday " Sql=Sql+" From [Dv_User] Where "&sqlstr&"" set rsUser=Dvbbs.Execute(sql) If rsUser.eof and rsUser.bof Then ChkUserLogin=false Exit Function Else iMyUserInfo=rsUser.GetString(,1, "|||", "", "") rsUser.Close:Set rsUser = Nothing End If iMyUserInfo = "Dvbbs|||"& Now & "|||" & Now &"|||"& Dvbbs.BoardID &"|||"& iMyUserInfo &"||||||Dvbbs" iMyUserInfo = Split(iMyUserInfo,"|||") If trim(password)<>trim(iMyUserInfo(6)) Then ChkUserLogin=false ElseIf iMyUserInfo(17)=1 Then ChkUserLogin=false ElseIf iMyUserInfo(19)=5 Then ChkUserLogin=false Else ChkUserLogin=True Session(Dvbbs....

February 5, 2017 · 2 min · lyincc