Background Authentication Bypass Vulnerability in cookies

By: poruin

In the previous article 《The shortest background universal login password I found.It is mentioned in "xor" to bypass login is a system that does not filter data (to bypass but does not need to filter data, the SQL statements that need to be verified cannot be checked separately ), on the background page, the authentication file is used to check whether the user has logged on, and the corresponding authentication data is left in the cookie. If the cookie does not match, the login page is returned, prevent malicious users from accessing the background page without logging in. However, if the file does not filter accepted variables, it may still be bypassed.

Here is the core code of a common online authentication file:

<! -- # Include file = conn. asp -->
<%
Dim name, pass
Name = Request. cookies ("user ")
Pass = Request. cookies ("pass ")

SQL = "select * from admin where adminpass =" & Pass & "and adminUser =" & name &""
Rs. open SQL, conn, 1, 1
If rs. bof and rs. eof then
Response. Redirect ("index. asp ")
End if

%>

After logging on to the system, the system will leave the encrypted user name and password in the user's cookie, and then each access will be confirmed with this file once, you can see that the SQL query is not filtered after the user accepts it, so the bypass method is very simple.

See:

This vulnerability has been around for a long time, but there are still many systems with vulnerabilities, and there is no shortage of some famous whole-site systems. The best way to fix this vulnerability is to use session verification.