Source code of a site navigation package - bug warning - the black bar safety net

ID MYHACK58:62200923956
Type myhack58
Reporter Anonymous
Modified 2009-07-19T00:00:00


Brightly lit IT blog

I accidentally came across the source code of a site navigation program; this source code is the "visit hao123 and 265 COMBINED VERSION".

It has a backend too, and a very powerful one!!!!!

Everything can be operated from the backend. I thought a site like this ought to be safe, so I downloaded it to take a look, and one look left me disappointed: extreme garbage!!!!!!

It's like a beginner wrote the site!!!!

This program download address:<>

The bugs inside can be said to be the most boring of the boring!!!!

Here is my analysis!

I will start the analysis with the database part.

This app has two database connection files! File name: conn.asp

The code is:

    <%
    dim conn
    dim dbpath
    set conn=server.createobject("adodb.connection")
    DBPath = Server.MapPath("#lunwindata.asa")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DBPath
    %>

I have written an article about this type of code before.

This code has no error-handling statements, so you can directly use %5c to expose the database!!

Both conn.asp files are the same in this respect.

Then we get to the backend login page.

There is no CAPTCHA verification, and it looks like you can log in with 'or'='or'. I tried that input and it works, and a look at the source code confirms it:

    <%
    username=trim(Request.form("username")) 'only the trim function is used, to strip spaces from both ends
    password=trim(Request.form("password")) 'only the trim function is used, to strip spaces from both ends
    if username="" or password="" then Response.Redirect ("index.asp") 'if the username or password is left empty, go back to the index.asp page

    set rs=server.createobject("adodb.recordset")
    sql="select * from admin where username='"&username&"'and password='"&password&"'" 'the username and password go directly into the database query

The code that follows is omitted!!!
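As an added example (not part of the original post and not the application's own code), here is one way the login check above could bind the submitted values as parameters instead of concatenating them into the SQL. It assumes the page includes conn.asp to open conn and that both columns hold at most 50 characters; manage.asp and the Session key are hypothetical names.

```asp
<!--#include file="conn.asp"-->
<%
' Added example. Assumes conn.asp (included above) opened the ADODB
' connection "conn". "manage.asp" and Session("admin_user") are hypothetical.
Const adVarWChar = 202    ' ADO DataTypeEnum: Unicode string
Const adParamInput = 1    ' ADO ParameterDirectionEnum
Const adCmdText = 1       ' ADO CommandTypeEnum
Const MAX_LEN = 50        ' assumed column width

Dim username, password, cmd, rs
username = Trim(Request.Form("username"))   ' read the POST body only
password = Trim(Request.Form("password"))

' Reject empty or oversized input before it reaches the database
If username = "" Or password = "" Or Len(username) > MAX_LEN Or Len(password) > MAX_LEN Then
    Response.Redirect "index.asp"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholders are filled by the provider as data, so quotes in the
' input (for example 'or'='or') are compared literally, never parsed as SQL.
cmd.CommandText = "SELECT [username] FROM admin WHERE [username] = ? AND [password] = ?"
cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, MAX_LEN, username)
cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, MAX_LEN, password)
Set rs = cmd.Execute

If rs.EOF Then
    ' Same response for an unknown user and a wrong password
    rs.Close
    Response.Redirect "index.asp"
Else
    Session("admin_user") = rs("username").Value
    rs.Close
    Response.Redirect "manage.asp"
End If
%>
```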

Next, let's look at the file add.asp; this file is the site navigation's submission page for new sites.

I figured that since this site doesn't even filter the backend login, it wouldn't filter for cross-site scripting either. A look at the source code, and sure enough:

    action=request("action") 'the request object directly accepts whatever the client submits, with no filtering at all!!!!
    memo=request("memo")
    title=request("title")
    email=request("email")
    url=request("url")
    classname=request("classname")
    leibie=request("leibie")

And that programmer's programming habits are extremely poor: he doesn't even define which method the data is accepted by and just takes it directly with request, so this program is bound to go down!

And as for the backend login, even if he blocked the 'or'='or' trick, there is no CAPTCHA verification, so I can directly use brute force to crack it!!!!

Although this program has an anti-injection routine in the admin directory, file name: function.asp, not a single file in the source actually includes it and uses it!!!!!

Quite a lot of people online use this program.

In Google, use the keyword: Copyright? 2003-2008 web site front

You can find a whole bunch of them!!!! A full search for Copyright? 2003-2008 web site front gets about 2,700 results. I don't know what these webmasters are thinking!!!!!


My blog: http://hi.baidu.com/tongming133 !!!!!!!!