BOBO online Mall Shopping system vulnerability analysis - vulnerability warning - the black bar safety net
Author: 佚名 (anonymous), www.myhack58.com, MYHACK58:62200923179
Published: 2009-05-10 00:00:00
Source: flaw0r's Blog

Version: BOBOShop V1.0 Style1
System: ASP + ACCESS
Vendor description: the BOBO shopping management system is advertised as an advanced shopping system built with ASP + FSO technology. The program is easy to install and commission, so users need not think about installation and maintenance; the display is attractive and friendly; the design applies a variety of network security techniques; customers can easily query and order goods and merchants can easily define all kinds of commodity information; a powerful database stores all information; the system supports a variety of browsers; the function modules are clear and practical, and the system scales and upgrades well; and it includes a powerful online payment and ordering system.
Advertised security measures: database anti-download processing, protection of CONN against database-exposure (暴库) attacks, prevention of cross-site scripting attacks, prevention of SQL injection attacks, blocking of offline browsing tools, CAPTCHA verification on background login, member passwords stored with MD5, blocking of unknown IP access and software attacks, administrator passwords stored with MD5, filtering of SQL injection code and HTML code, data-source security monitoring, cross-site scripting prevention, logging of administrator logins, and logging of illegal operation code.
Vulnerability one: guestbook cross-site scripting (XSS)
The website guestbook page is gbook.asp. The problematic code is as follows:
' HTMLEncode2 only rewrites line breaks; it never encodes <, >, & or quotes
function HTMLEncode2(fString)
    fString = Replace(fString, CHR(13), "")                   ' drop carriage returns
    fString = Replace(fString, CHR(10) & CHR(10), "</P><P>")  ' blank line becomes a paragraph break
    fString = Replace(fString, CHR(10), "<BR>")               ' single newline becomes <BR>
    HTMLEncode2 = fString
end function

set rs=server.CreateObject("adodb.recordset")
rs.open "select * from shop_fk",conn,1,3
rs.addnew
rs("fksubject")=trim(request("fksubject"))               ' stored as-is, only whitespace trimmed
rs("fkleixing")=request("fkleixing")
rs("fkcontent")=htmlencode2(trim(request("fkcontent")))  ' "filtered", but tags survive
rs("fkusername")=trim(request("fkusername"))
rs("fkemail")=trim(request("fkemail"))
rs("fktel")=trim(request("fktel"))
rs("fklaizi")=trim(request("fklaizi"))
rs("fkdate")=now
rs("fkip")=Request.ServerVariables("remote_addr")
rs.update
rs.close
set rs=nothing
The author first defines an HTML filter function, HTMLEncode2, but this function does not filter < and >, so it does nothing to stop cross-site scripting. Whether the attack succeeds then depends on whether the background page that displays messages does any further filtering, because a message goes straight to the administrator. So let us look at the background message-viewing file viewfk.asp; the problem code is as follows:
<table width="80%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td align="center">
<b><%=trim(rs("fksubject"))%></b>
</td>
</tr>
<tr>
<td>
<%=trim(rs("fkcontent"))%><br>
<%="publish time:"&rs("fkdate")%>
</td>
</tr>
</table>
Everyone can clearly see that fksubject and fkcontent are only trimmed of leading and trailing spaces before being written into the page, so the cross-site attack succeeds.
As shown in the figure, we write the cross-site test code <script>alert(/xss/)</script> into the message content.

When the administrator views our message, our cross-site test code executes; the effect is as shown below.

As for more advanced uses of cross-site scripting, that is left for everyone to explore.
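As an added illustration, not code from BOBOShop or from the original post, here is how viewfk.asp could render the same fields safely. The fix has two halves: gbook.asp stores the raw message (the HTMLEncode2 call is dropped, so no markup is trusted on the way in), and viewfk.asp encodes every field at output with Server.HTMLEncode, converting line breaks to markup only after encoding so that the markup the page adds is the only markup left. Server.HTMLEncode is part of classic ASP; the helper name SafeHtml is our own.

```vbscript
<%
' Added example (not BOBOShop code): encode untrusted text for HTML output.
' Server.HTMLEncode turns <, >, & and " into entities, so a stored
' "<script>alert(/xss/)</script>" is shown as literal text when the
' administrator opens viewfk.asp, instead of being executed.
Function SafeHtml(fString)
    Dim s
    s = Server.HTMLEncode(fString & "")        ' "& """ turns a Null field into ""
    s = Replace(s, Chr(13), "")                ' drop carriage returns
    s = Replace(s, Chr(10) & Chr(10), "</P><P>")  ' blank line becomes a paragraph break
    s = Replace(s, Chr(10), "<BR>")            ' single newline becomes <BR>
    SafeHtml = s
End Function
%>
<!-- viewfk.asp: encode at output instead of trusting what gbook.asp stored -->
<table width="80%" border="0" cellspacing="1" cellpadding="0">
  <tr>
    <td align="center"><b><%= SafeHtml(Trim(rs("fksubject") & "")) %></b></td>
  </tr>
  <tr>
    <td>
      <%= SafeHtml(rs("fkcontent")) %><br>
      <%= "publish time: " & Server.HTMLEncode(rs("fkdate") & "") %>
    </td>
  </tr>
</table>
```

With the page's own test payload stored in fkcontent, the browser receives `&lt;script&gt;alert(/xss/)&lt;/script&gt;` and displays it as text. The same SafeHtml call belongs on fkusername, fkemail, fktel and fklaizi wherever they are printed, since those fields are stored without any filtering at all.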

Vulnerability two: cookie spoofing

Files with the vulnerability: 1. huansuan.asp, vulnerable code as follows:
<%
' the only login check is a client-controlled cookie value
if request.Cookies("BOB")("username")="" then
    response.Redirect "user.asp"
    response.End
end if
... Omitted code
%>
2. gouwu.asp, vulnerable code as follows:
dim bookid,username,action
action=request.QueryString("action")
if request.Cookies("BOB")("username")<>"" then
    username=trim(request.Cookies("BOB")("username"))     ' identity taken straight from the cookie
else
    if request.Cookies("BOB")("dingdanusername")="" then
        ' anonymous visitor: build a temporary user name from the current time
        username=now()
        username=replace(trim(username),"-","")
        username=replace(username,":","")
        username=replace(username," ","")
        response.Cookies("BOB")("dingdanusername")=username
        set rs=server.CreateObject("adodb.recordset")
        rs.open "select * from [user] ",conn,1,3
        rs.addnew
        rs("username")=username
        rs("niming")=1
        rs.update
        rs.close
        set rs=nothing
    else
        username=request.Cookies("BOB")("dingdanusername")  ' also taken straight from the cookie
    end if
end if

The cookie contents are as shown below:
reglx%3D - =1&yucun=0&jifen=0&username=flaw0r&reglx=1&jiaoyijine=0
usercookies=1&userid=4439&userhidden=2&password=965eb72c92a549dd&focus on your chosen=1&username=flaw0r
Because every one of these values is set in the client's cookie, they are very easy to forge. Here reglx=1 denotes an ordinary user and reglx=2 denotes a VIP user.
3. dingdan.asp
<%if request.Cookies("BOB")("username")="" then
    response.write "<script language=javascript>alert('sorry, you have not login!'); history.go(-1);</script>"
    response.End
end if%>
Many other files in this system contain the same cookie spoofing vulnerability; they are not listed here.
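The underlying defect in all three files is that the identity and the privilege level are read back from a cookie the browser can edit. As an added example, not BOBOShop's code, the check below keeps username and reglx in the server-side Session object of classic ASP: the client holds only the opaque ASPSESSIONID cookie, and the values are set once at login and never read from the request again. The file name login.asp and the helper names RequireLogin and IsVip are assumptions.

```vbscript
<%
' Added example (not BOBOShop code): keep identity server-side.
' login.asp (hypothetical name), run only after the password check succeeds:
'   Session("username") = rs("username")
'   Session("reglx")    = rs("reglx")      ' 1 = ordinary user, 2 = VIP
' logout.asp (hypothetical name):
'   Session.Abandon

' Shared check included at the top of huansuan.asp, gouwu.asp and dingdan.asp.
' Session values cannot be set from the browser, so an edited BOB cookie
' (username=, reglx=2, ...) no longer changes who the server thinks we are.
Function RequireLogin()
    If IsNull(Session("username")) Or Session("username") = "" Then
        Response.Redirect "user.asp"
        Response.End
    End If
    RequireLogin = Session("username")
End Function

' Privilege level comes from the session, never from request.Cookies
Function IsVip()
    IsVip = (CStr(Session("reglx") & "") = "2")
End Function

Dim username
username = RequireLogin()
If IsVip() Then
    ' VIP pricing branch
End If
%>
```

For the anonymous-checkout path in gouwu.asp the same rule applies: generate the temporary order name on the server and keep it in Session("dingdanusername") rather than accepting whatever value arrives in the BOB cookie, otherwise one visitor can attach orders to another visitor's temporary account by guessing the time-based name.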