Cloud-based enterprise website construction system kills oday and repairs

Non-Editor: It was released a year ago. It's not suitable to say 0-day.

Author: encirclement and suppression
Source: evil decimal
Why is it kill?
Because although the system version has improved a lot, the vulnerability still exists and is obvious.
It makes me wait for a while ..

It's boring to go to the Code website next program analysis and Analysis
Now we can download a large number of website building systems in the cloud.
First, you can see its background login. asp file .. I think it hurts...

If request. Form ("submit") <> "" then
If request. Form ("userid") = "" or request. Form ("password") = "" then
Response. Write ("<script language = javascript> alert ('user name or password cannot be blank! '); History. back (); </script> ")
Response. end
End if

Set rs1_conn.exe cute ("select * from ugly where uid = '" & trim (request. form ("userid") & "'and pwd ='" & trim (request. form ("password "))&"'")
If rs. eof then
Response. Write ("<script language = javascript> alert ('user name or password verification failed! '); History. back (); </script> ")
Response. End ()
Else
If rs ("IsSuper") = 1 then
Session (strSession & "uid") = "s"
Session (strSession & "uidn") = rs ("id ")
Else
Session (strSession & "uid") = "n"
Session (strSession & "uidn") = rs ("id ")
End if
Response. Redirect ("index. asp ")
Response. End ()
End if
Rs. close
Set rs = nothing
End if

We didn't use the trim function to filter spaces. In this way, the data transmitted from the client is directly imported into the database for query. In this way, we can log on to the database using 'or' = 'or '.

Really .. When is there such a situation...

Let's take a look at the files uploaded after entering the background ..

Some code:

<Title> upload a file </title>
<Link href = "css.css" rel = "stylesheet" type = "text/css">
<Meta http-equiv = "Content-Type" content = "text/html; charset = UTF-8">
</Head>
<Body bgcolor = "# eeeeee" text = "#000000" leftmargin = "0" topmargin = "0" marginwidth = "0" marginheight = "0">
<Form enctype = "multipart/form-data" method = "post" action = "infopict. asp? Fm = <% = request. QueryString ("fm") %> & em = <% = request. QueryString ("em") %> "name =" form1 ">
<Table width = "100%" border = "0" cellpadding = "0" cellspacing = "0">
<Tr>
<Td>
<Table width = "100%" border = "0" cellspacing = "0" cellpadding = "0">
<Tr>

I have been searching for a long time and thought I still found the wrong file to upload because I didn't see the filtering code of the upload type ..
However, after confirmation, this file will continue to work...

That is to say, if no files are filtered, they can be directly uploaded ..

It's really not .. The editor version is changed from ewebeditor to FCKeditor.
Security verification is performed in the background. FCKeditor cannot take advantage of this vulnerability, but programmers often ignore the most important vulnerability ..

Google Keyword: inurl: arti_show.asp? Id =
Background address: management/login. asp
Universal password login 'or' = 'or'
Files can be directly uploaded in the background