Details: mofei_admin_save.asp in the music news system takes the use and pass parameters submitted from outside and writes them into the admin table without verifying the caller's permissions.
Proof of vulnerability:
<! -- # Include file = "conn. asp" -->
<! -- # Include file = "md5.asp" -->
<%
' mofei_admin_save.asp as quoted in the advisory: reads the user name and password
' form fields and writes them into the admin table.
' NOTE(review): nothing in this listing checks a login session or any other permission
' before the write. conn.asp and md5.asp are not shown; confirm they add no check either.
Use2 = request. form ("use ")
Pass2 = request. form ("pass ")
' md5() is provided by md5.asp (not shown).
' NOTE(review): if that is a plain, unsalted MD5 digest it is a weak way to store an
' administrator password; confirm, and prefer a salted, slow password hash.
Pass2 = md5 (pass2)
' NOTE(review): pass2 has already been hashed at this point, so if md5() returns a digest
' for an empty string, this test can only ever catch an empty user name. To be confirmed.
If use2 = "" or pass2 = "" then // determine whether the user name or password is empty
%>
<P> </p>
<P> </p>
<P> </p>
<Table border = "0" cellpadding = "0" cellspacing = "0" width = "600" align = "center" bgcolor = "# FFFFFF">
<Tr>
<Td height = "25" background = "mofeiimg/login_bg.gif">
<P align = "center"> <B> <font size = "3" color = "# FFFF00">: Jile No. 2 Middle School
: Error detected </font> </B> </td>
</Tr>
<Tr>
<Td height = "30">
Please <a href = "javascript: history. go (-1)"> back up </a> to fill in the complete information!
</Td>
</Tr>
<Tr>
<Td height = "30" bgcolor = "# F9F9F9">
<font color = "# FF0000"> your username and password may be blank! </Font>
</Td>
</Tr>
<Tr>
<Td height = "30">
</Td>
</Tr>
</Table>
<%
Else
' Both values are non-empty: the submitted credentials are stored as the administrator
' account. This is the write the advisory reports as reachable without permission.
Set rs = Server. CreateObject ("ADODB. Recordset") // www.2cto.com
' No WHERE clause: the recordset covers every row of the admin table.
SQL = "select * from admin"
' 1, 3 = ADO cursor type adOpenKeyset and lock type adLockOptimistic (an updatable recordset).
Rs. open SQL, conn, 1, 3
' The assignments change whichever record is current after open, presumably the first
' row returned (to be confirmed). The old password is never asked for or compared.
Rs ("usename") = use2
Rs ("password") = pass2
Rs. update
Rs. close
Response. redirect ("mofei_admin_edit.asp ")
End if %>
Solution:
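Add a session check at the top of the file, before any form data is read or written, so that the save logic runs only for a session that has already logged in: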
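<%
' Authorization gate for mofei_admin_save.asp: only a session that the login page has
' marked with mofeicheck = "true" may continue; every other request is sent to the
' login page.
' Keep this block above the code that reads the form fields and updates the admin table,
' so nothing is written before the check has run.
' NOTE(review): assumes mofei_login.asp sets Session("mofeicheck") to the string "true"
' on a successful login; confirm against that file.
If Not (Session("mofeicheck") = "true") Then
    Response.Redirect "mofei_login.asp"
End If  ' a multi-line If ... Then block must be closed, otherwise the page fails to compile
%>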
From Yu Ren @ wooyun