Yuncong (云从) enterprise site-builder system: universal 0day vulnerability warning - Heiba Security Net (黑吧安全网)

2011-08-19T00:00:00
ID MYHACK58:62201131629
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-08-19T00:00:00

Description

I was bored, so I downloaded a set of site-builder programs from a source-code site to analyze.

It is the Yuncong enterprise site-builder system; its download count is very high, so it is worth a look.

First I looked at the backend login.asp file. One glance and there it was...

    if Request.Form("submit")<>"" then
        if Request.Form("userid")="" or Request.Form("password")="" then
            Response.Write("<script language=javascript>alert('username or password cannot be empty!');history.back();</script>")
            Response.End
        end if

        ' Vulnerable: userid and password are only Trim()'d, then concatenated
        ' straight into the SQL text, so a quote in either value alters the query.
        set rs=conn.Execute("select * from gly where uid='"&Trim(Request.Form("userid"))&"' and pwd='"&Trim(Request.Form("password"))&"'")

        if rs.EOF then
            Response.Write("<script language=javascript>alert('username or password authentication failure!');history.back();</script>")
            Response.End()
        else
            ' Any row returned is treated as a successful login; IsSuper decides the role.
            if rs("IsSuper")=1 then
                Session(strSession&"uid")="s"
                Session(strSession&"uidn")=rs("id")
            else
                Session(strSession&"uid")="n"
                Session(strSession&"uidn")=rs("id")
            end if
            Response.Redirect("index.asp")
            Response.End()
        end if

        rs.Close
        set rs=nothing
    end if

We can see that only the trim function is applied, and it merely strips spaces. Data from the client goes straight into the database query, so the universal password 'or'='or' logs us in.
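The same login lookup with the values bound as parameters, written here as an added example for this page (it is not the site builder's own code). It assumes the same open `conn` ADODB connection, the same `gly` table and the same `uid`/`pwd`/`IsSuper`/`id` columns as the snippet above, and uses ADODB.Command so that the submitted strings are never spliced into the SQL text:

```vbscript
' Added example: parameterized login lookup for the gly table.
' Assumes conn is an open ADODB.Connection, as in the original snippet.
Const adVarChar = 200
Const adParamInput = 1
Const adCmdText = 1

Function LookupAdmin(conn, userId, password)
    ' Returns a recordset positioned on the matching row, or at EOF if none.
    ' The ? placeholders are bound as values, so a quote in userId or
    ' password cannot change the structure of the query.
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select id, IsSuper from gly where uid=? and pwd=?"
    cmd.Parameters.Append cmd.CreateParameter("uid", adVarChar, adParamInput, 50, Trim(userId))
    cmd.Parameters.Append cmd.CreateParameter("pwd", adVarChar, adParamInput, 50, Trim(password))
    Set LookupAdmin = cmd.Execute
End Function

If Request.Form("submit") <> "" Then
    If Request.Form("userid") = "" Or Request.Form("password") = "" Then
        Response.Write("<script language=javascript>alert('username or password cannot be empty!');history.back();</script>")
        Response.End
    End If

    Dim rs
    Set rs = LookupAdmin(conn, Request.Form("userid"), Request.Form("password"))
    If rs.EOF Then
        ' Same generic failure message for unknown user and wrong password.
        Response.Write("<script language=javascript>alert('username or password authentication failure!');history.back();</script>")
        Response.End
    End If

    ' Role handling as in the original, now only reachable with a real row match.
    If rs("IsSuper") = 1 Then
        Session(strSession & "uid") = "s"
    Else
        Session(strSession & "uid") = "n"
    End If
    Session(strSession & "uidn") = rs("id")
    rs.Close
    Set rs = Nothing
    Response.Redirect("index.asp")
    Response.End
End If
```

Binding the values closes the injection in this query; it does not change the fact that the original compares the submitted password against a plaintext `pwd` column, which is a separate weakness not covered by the post.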

Really, such code still exists out there...

Next, a look at the file upload in the backend.

Part of the code:

    <title>Upload File</title>
    <link href="css.css" rel="stylesheet" type="text/css">
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    </head>
    <body bgcolor="#eeeeee" text="#000000" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
    <form enctype="multipart/form-data" method="post" action="infopict.asp?fm=<%=Request.QueryString("fm")%>&em=<%=Request.QueryString("em")%>" name="form1">
    <table width="100%" border="0" cellpadding="0" cellspacing="0">
    <tr>
    <td>
    <table width="100%" border="0" cellspacing="0" cellpadding="0">
    <tr>

I searched for a long time and thought I must be looking at the wrong upload file, because I could not find any code that filters the upload type.

But after confirming that this really is the file, I kept going.

In other words, there is no filtering at all: any file can be uploaded directly.

That is not all. The editor was switched from the original eWebEditor to FCKeditor.

The backend does no security validation of its own, and FCKeditor usage is one of the most important vulnerabilities that programmers tend to overlook.
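A server-side check that the upload handler above lacks, written as an added example for this page rather than taken from the site builder. It assumes the handler has already parsed the multipart request and holds the client-supplied file name in `clientName` (the parsing itself depends on the upload component in use and is not shown); the check accepts only an allowlisted extension and replaces the client's name with a generated one:

```vbscript
' Added example: extension allowlist and name regeneration for the backend upload.
' Assumes clientName holds the file name sent by the browser (hypothetical variable).
Function SafeUploadName(clientName)
    ' Returns a freshly generated file name carrying an allowlisted extension,
    ' or "" when the upload must be rejected. The client's own name is never reused,
    ' so path characters or script extensions in it cannot reach the filesystem.
    Dim pos, ext, stamp
    pos = InStrRev(clientName, ".")
    If pos = 0 Then
        SafeUploadName = ""
        Exit Function
    End If
    ext = LCase(Mid(clientName, pos + 1))
    ' Allowlist: only image types the picture upload page needs; asp, asa, cer, etc. fall through to rejection.
    Select Case ext
        Case "jpg", "jpeg", "gif", "png"
        Case Else
            SafeUploadName = ""
            Exit Function
    End Select
    Randomize
    stamp = Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2)
    SafeUploadName = stamp & "_" & Int(Rnd * 1000000) & "." & ext
End Function

Dim newName
newName = SafeUploadName(clientName)
If newName = "" Then
    Response.Write("<script language=javascript>alert('file type not allowed');history.back();</script>")
    Response.End
End If
' Save the upload under newName in the upload folder using the upload component's
' save call; the folder should have script execution disabled in IIS.
```

The name check is only one layer: the upload directory should also be configured in IIS with script execution disabled, so that a file which slips past the allowlist is served as static content rather than run.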

google keywords: inurl:arti_show.asp?id=

Backend address: management/login.asp

Universal password 'or'='or'

The backend allows direct file upload.