A critical system vulnerability in UFIDA

Source: Internet
Author: User

A critical system vulnerability in UFIDA

Successful intrusion through an obsolete system and leakage of most of the source code

First, the system has a weak password http://vip.ufida.com.cn/nccsm/HomePage.aspxtest1 123456 there are a large number of weak passwords 123456



System Injection



Get the admin password through injection and log in

Upload shell in the background

Locate the configuration file and connect to the database

Collect employee tables,

You can log on to the UFIDA tkr system by using the account and password you have collected.

You can use the Upload knowledge page for shell upload.



, Audit login source code found that the system has a universal password, the password can be used to log on to any user

 

Protected void btnLogin_Click (object sender, EventArgs e) {string URL = "Default. aspx"; if (! String. isNullOrEmpty (Request. queryString ["previuseurl"]) URL = Server. urlDecode (Request. queryString ["previuseurl"]); string UserName = TextBox1.Text. trim (); string Password = TextBox2.Text. trim (); bool IsSuccessful = false; string Remark = ""; // if (! String. isNullOrEmpty (UserName) & Password = "tkr * 123") {Authority. instance. loginByDomainAccount (UserName); Response. redirect (URL);} else {SEAPersonService PersonService = new SEAPersonService (); PersonInfo psn = new PersonInfo (); if (rdoType1.Checked) {psn = PersonService. loginByDomainAccountWithPassword ("pdomain", UserName, Password);} else {psn = PersonService. loginByUserName (UserName, Password );}
This system involves all the products of Ufida, basically all the source code, but you need to find it yourself


 

Solution:

Improve employees' self-check awareness

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.