Analysis of the source code vulnerability of the website navigation that cannot be found online

Source: Internet
Author: User

The original works of are reprinted by the red black guest alliance.

This article can communicate with the author here: Tid = 94372

A friend of mine on the Internet gave me a website navigation website and asked me to help him publicize the website. I think his website is powerful and has many more practical functions than websites such as hao123, I think this program should be safe. After a friend package the program for me, I checked it and found some super-low-level vulnerabilities. Let's look at it.

Login verification vulnerability. This program has a user login location where "or = or vulnerability occurs due to poor logon. Let's look at the source code.

The logon address isHttp://'s take a look at his Processing Form file login. asp code.

<% Dim pw, vtime, myname // defines three variables
Myname = trim (request ("username") // The account sent from the client is accepted through the request object. The programmer is not strict in writing and does not define the method to accept it, only spaces are filtered.
Pw = md5 (trim (request ("pw"), 16) // This code is the same and only filters Spaces
Vtime = request ("vtime ")
Set rs = server. createobject ("adodb. recordset ")
Rs. open "select * from my_user where username =" & myname & "and password =" & pw & "", conn, 1, 3

// Directly query the database

The following are omitted ------------------

I will add comments to the end of this code for your convenience.

After reading the above code, you can directly use or = or to log in.

This is a vulnerability. There is a new site login on the homepage. This is the page for submitting a user's new site. There is a cross-site vulnerability on this page, we can use this vulnerability in the background to obtain information such as cookies and even Trojans !!!

Let's take a look at the code on this page.

The address isHttp://

Process the file as a url. asp file

Set rs = server. createobject ("adodb. recordset ")
Login_UrlNmae = Request. Form ("webname ")
Login_Url = Request. Form ("weburl ")
Login_Class = Request. Form ("webtype ")
Alexa = Request. Form ("alexa ")
Login_Email = Request. Form ("email ")
Qq = Request. Form ("qq ")
Friend = Request. Form ("friend ")
Login_Menu = Request. Form ("Login_Menu ")
If Login_Menu = "Add" then
Rs. open "select * from Login where Login_Url =" & Login_Url & "", conn, 1, 3
If not rs. eof and not rs. bof then
Response. Write ("<script language = javascript> alert (your site has already submitted, please do not submit it again !); This. location. href =/; </script> ")
Response. End ()
End if
Rs. close
Rs. open "select * from Login", conn, 1, 3
Rs. addnew
Rs ("Login_UrlNmae") = Login_UrlNmae
Rs ("Login_Url") = Login_Url
Rs ("Login_Class") = Login_Class
Rs ("alexa") = alexa
Rs ("Login_Email") = Login_Email
Rs ("qq") = qq
Rs ("friend") = friend

From the code above, we can see that the above data is directly inserted into the database for query without any filtering.

There is a netizen leaving a message on the home page, which has a Cross-Site vulnerability.


The code is

Message = trim (request ("requireddescription "))
If Message = "" then
Response. write "<SCRIPT language = JavaScript> alert (Please provide your comments and suggestions on nihao188 website navigation !); "
Response. write "javascript: location. replace (/) </SCRIPT>"

Set rsAdd = Server. CreateObject ("ADODB. Recordset ")
SQL = "select * from Message"
RsAdd. open SQL, conn, 1, 3
RsAdd. addnew
RsAdd ("Message") = Message
RsAdd ("date") = now ()
RsAdd. update
RsAdd. close
Response. write "<SCRIPT language = JavaScript> alert (Your message has been submitted! Thank you for your support !); "
Response. write "javascript: location. replace (/) </SCRIPT>"
Response. end

Only spaces are filtered !!!

Therefore, the program security is still very problematic.

Finally, I publicized the website.


2009 the most popular Web site home, web site navigation, web site Daquan, practical web site exhausted

For your support, Please repost this article with a clear blog link:Http://

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.