Commonly used backend universal login password 'or' - Vulnerability Warning - Heiba Security Net (黑吧安全网)

2009-08-29T00:00:00
ID MYHACK58:62200924443
Type myhack58
Reporter Anonymous
Modified 2009-08-29T00:00:00

Description

When the backend login page receives the user's input, the Userid and Password values are assigned to the variables user and pwd, and the following statement is then used:

sql="select * from admin where username='"&user&"' and password='"&pwd&"'"

This statement verifies the user name and password. At first glance this looks like a complete program, and in actual use it does work normally. However, if both the Userid value and the Password value are set to safer' or '1'='1 then

sql="select * from admin where username='"&user&"' and password='"&pwd&"'"

becomes:

sql="select * from admin where username='safer' or '1'='1' and password='safer' or '1'='1'"

Now that the problem is clear, let us try to solve it. As the program above shows, it is enough to strictly filter the user input. For example:

<%
user=request.form("UserID")
pass=request.form("password")
for i=1 to len(user)
  cl=mid(user,i,1)
  if cl="'" or cl="%" or cl="<" or cl=">" then
    response.redirect "WL..jiajia"
    response.end
  end if
next
%>

This likewise takes the user input, then examines it character by character; if an abnormal character is found, the request is redirected to the error page. The condition if cl="'" or cl="%" or cl="<" or cl=">" then can be extended with any characters you want to filter, depending on the specific circumstances.

Fix:

username=replace(trim(request("username")),"'","")
password=replace(trim(Request("password")),"'","")

This filters out the single quote (').

If you want to allow ' in a password, do it this way:
1. sql="select * from user where user='" & User & "'"
2. If the result is not empty, take the stored password: pass=rs("passwd")
3. Compare: if pass=password
4. Draw the conclusion.

For example:

sql="select * from ****_admin where admin_pass='"&admin_pass&"' and admin='"&admin&"'"
rs.open sql,conn,1,3
if not(rs.bof and rs.eof) then
  if admin_pass=rs("admin_pass") then session("admin")=rs("admin")
end if

When the user submits the login form, the database executes the following statement (the submitted values go between the quotes):

sql="select * from users where username='' and password=''"

When 'or'='or' is submitted as both the username and password, the statement that gets executed becomes:

sql="select * from users where username=''or'='or'' and password=''or'='or''"

The single quote in front of or pairs with the single quote in username=' from the query, forming two adjacent single quotes. Because the database does not distinguish clearly between a pair of single quotes and a double quote, username=''or'='or'' is mistaken for legitimate syntax, and the user name actually used is or'='or. In this case the database returns every user name, the users table treats it as a login by a legitimate user, the password works the same way, and the login reaches the backend.

Commonly used backend universal login passwords:
'or"='
"or=or"
'or"="or"='
'or'='or'
'or'='1'
'or' '1'='1'
or 'a'='a'

Repair method: in the source code of the backend login file, find this code:

<%
pwd = request.form("pwd")
name = request.form("name")
Set rs = Server.CreateObject("ADODB.Connection")
sql = "select * from Manage_User where UserName='" & name & "' And PassWord='"&encrypt(pwd)&"'"

Because the variables pwd and name are accepted without any processing, this vulnerability arises. We need to process them and filter out the ' symbol. Just change the file to the following code:

<%
pwd = replace(trim(request.form("pwd")),"'","")
name = replace(trim(request.form("name")),"'","")
Set rs = Server.CreateObject("ADODB.Connection")
sql = "select * from Manage_User where UserName='" & name & "' And PassWord='"&encrypt(pwd)&"'"
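As an added example (not code from the original post), the three login patterns discussed above, the concatenated query, the quote-stripping fix, and the select-by-username-then-compare variant, are reproduced in Python against a constructed in-memory SQLite table, next to a parameterized query that binds the input as data. The table rows, the probe string reuse and the function names are constructed here; the compare-in-code variant binds the user name with a parameter, which the post does not specify.

```python
import sqlite3

# Constructed in-memory stand-in for the post's "admin" table.
conn = sqlite3.connect(":memory:")
conn.execute("create table admin (username text, password text)")
conn.execute("insert into admin values ('admin', 'secret')")
conn.execute("insert into admin values ('dba', 'it''s')")  # legitimate password containing '

# The same string the post feeds into both login fields.
PROBE = "safer' or '1'='1"


def login_concat(user: str, pwd: str) -> bool:
    """The vulnerable pattern from the post: values spliced into the SQL text,
    so quotes in the input become part of the statement."""
    sql = ("select * from admin where username='" + user +
           "' and password='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_strip_quotes(user: str, pwd: str) -> bool:
    """The post's replace(trim(...),"'","") fix: drop single quotes, then splice.
    Blocks the probe, but also breaks any legitimate password containing '."""
    return login_concat(user.strip().replace("'", ""),
                        pwd.strip().replace("'", ""))


def login_param(user: str, pwd: str) -> bool:
    """Parameterized query: the driver binds the values, so quotes stay data."""
    row = conn.execute("select 1 from admin where username=? and password=?",
                       (user, pwd)).fetchone()
    return row is not None


def login_compare_in_code(user: str, pwd: str) -> bool:
    """The post's 'allow quotes in passwords' variant: look the user up by
    name only, then compare the stored password in application code."""
    row = conn.execute("select password from admin where username=?",
                       (user,)).fetchone()
    return row is not None and row[0] == pwd
```

Only login_concat accepts the probe; the stripping fix rejects it but also locks out the dba user whose real password contains a quote, which the parameterized and compare-in-code variants handle correctly.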