Because the system looks simple, this was quick.
searchpic.asp
<!-- #include file="top.asp" -->
<%
If session("skins") <> "" Then
Set rstmp = conn.execute("select skin_pic, id from skins where id=" & session("skins") & "")
Else
Set rstmp = conn.execute("select skin_pic from skins where default=true")
End If
show = rstmp(0)
Set rstmp = nothing
Call myweb
If instr(show, "$show_userlogin$") > 0 Then
Call showuserlogin()
show = replace(show, "$show_userlogin$", show_userlogin)
End If
Response.Write show
%> <!-- #include file="foot.asp" -->
<%
'======================================================================
' Procedure name: showpic
' Purpose: display specific products
' Parameters: none
'======================================================================
Sub showpic()
show_pic = "<table border=0 width=100% bgcolor=#EEEEEE cellspacing=1 cellpadding=3 align=center><tr bgcolor=#FFFFFF><td colspan=3>your location: <a href=index.asp>homepage</a> → <a href=product.asp>product center</a> → search for products</td></tr>"
show_pic = show_pic & "<tr bgcolor=#F3F3F3><td width=7%><p align=center>NO.</td><td width=67%><p align=center>name</td><td width=25%><p align=center>release date</td></tr>"
Dim searchpic
searchpic = trim(request.form("searchpic"))
If Len(Trim(Request("page"))) = 0 Then ' determine the target page number
page = 1
Else
page = CInt(Trim(Request("page")))
End If
Set rs = Server.CreateObject("ADODB.RecordSet")
If searchpic = "" Then
SQL = "select * from [pic] order by id desc"
Else
SQL = "select * from [pic] where pictitle like '%" & searchpic & "%' or content like '%" & searchpic & "%' order by id desc"
End If ' example: searchpic is concatenated straight into the query
rs.open SQL, conn, 1, 3
rs.PageSize = 20
If rs.eof Then
show_pic = show_pic & "<tr bgcolor=#FFFFFF><td colspan=3><font color=red>no products to search for</font></td></tr>"
End If
If Not rs.eof Then
rs.AbsolutePage = page
For k = 1 To rs.PageSize
.......//
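The search query in showpic rebuilt with bound parameters, as an added example that is not part of the original post or of the CMS's own code. It assumes the page's open ADO connection `conn`; `MAX_TERM` and the digit-only page check are hypothetical choices.

```vbscript
<%
' Added example (not from the original page): the searchpic query with
' bound parameters. Assumes the page's open ADO connection "conn".
Const adCmdText = 1, adParamInput = 1, adVarWChar = 202
Const adUseClient = 3, adOpenStatic = 3, adLockReadOnly = 1
Const MAX_TERM = 50   ' assumed cap on the search term length

Dim searchpic, page, rawPage, i, digitsOnly, pattern, cmd, rs
searchpic = Left(Trim(Request.Form("searchpic")), MAX_TERM)

' Page number: accept only a short run of digits, otherwise use page 1.
' CInt on raw input raises a runtime error on non-numeric or huge values.
page = 1
rawPage = Trim(Request("page"))
digitsOnly = (Len(rawPage) > 0 And Len(rawPage) <= 4)
For i = 1 To Len(rawPage)
    If InStr("0123456789", Mid(rawPage, i, 1)) = 0 Then digitsOnly = False
Next
If digitsOnly Then page = CInt(rawPage)
If page < 1 Then page = 1

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
If searchpic = "" Then
    cmd.CommandText = "select * from [pic] order by id desc"
Else
    ' The term travels as data in two "?" parameters, so quotes in it cannot
    ' change the statement. Wildcards are added to the value, not the SQL.
    cmd.CommandText = "select * from [pic] where pictitle like ? " & _
                      "or content like ? order by id desc"
    pattern = "%" & searchpic & "%"
    cmd.Parameters.Append cmd.CreateParameter("t", adVarWChar, adParamInput, MAX_TERM + 2, pattern)
    cmd.Parameters.Append cmd.CreateParameter("c", adVarWChar, adParamInput, MAX_TERM + 2, pattern)
End If

Set rs = Server.CreateObject("ADODB.Recordset")
rs.CursorLocation = adUseClient      ' client-side cursor so paging works
rs.Open cmd, , adOpenStatic, adLockReadOnly
rs.PageSize = 20
If Not rs.EOF Then
    If page > rs.PageCount Then page = rs.PageCount
    rs.AbsolutePage = page
End If
' Row rendering continues as in the original loop.
%>
```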
POST form injection.
Table: admin
Fields: myweb_name, myweb_pwd
Default admin backend: admin_login.asp
Ran it to death with NBSI, decisively:
Continuing to analyze the admin backend:
admin_login.asp
<% If request("action") = "check" Then
Dim name, pwd, code
Dim GetCode, valicode
code = trim(request.form("Code"))
GetCode = trim(request("Code"))
valicode = trim(session("Code"))
name = trim(request.form("name"))
pwd = trim(request.form("pwd"))
If Not isnumeric(code) Then
Response.write "<script>alert(""Incorrect verification code format!"");location.href=""javascript:history.go(-1)"";</script>"
Response.end
End If
If name <> "" and instr(name, chr(39)) > 0 or instr(name, chr(34)) > 0 Then
Response.write "<script>alert(""the user name is invalid!"");location.href=""javascript:history.go(-1)"";</script>"
Response.end
End If
If GetCode <> valicode Then
Response.write "<script>alert(""Verification code error!"");location.href=""javascript:history.go(-1)"";</script>"
Response.end
End If
Set rs = conn.execute("select * from admin where myweb_name='" & name & "' and myweb_pwd='" & md5(pwd) & "'")
If rs.eof Then
Response.write "<script>alert(""incorrect user name or password!"");location.href=""javascript:history.go(-1)"";</script>"
Else
session("admin") = name ' session verification
Response.redirect "admin_index.asp"
rs.close
End If
End If
%>
Then I looked at admin_index.asp:
<% If session("admin") = "" Then ' when the session is empty, redirect to index.asp; otherwise the management page is displayed
Response.redirect "index.asp"
Response.end
End If
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>background management</title>
</head>
<frameset rows="*" framespacing="0" frameborder="0" border="false" id="frame" scrolling="yes">
<frameset cols="181,*" framespacing="0" frameborder="0" border="false" id="frame" scrolling="yes">
<frame name="left" scrolling="auto" marginwidth="0" marginheight="0" src="admin_index_left.asp" target="main">
<frameset framespacing="0" border="false" rows="35,*" frameborder="0" scrolling="yes">
<frame name="top" scrolling="no" src="admin_index_top.asp">
<frame name="main" scrolling="auto" src="admin_index_main.asp">
</frameset>
</frameset>
</frameset>
<noframes>
<body leftmargin="2" topmargin="0" marginwidth="0" marginheight="0">
<p>Your browser version is too low!!! This system requires IE5 or later.</p>
</body>
</noframes>
</html>
Create 123.asp:
Then access 123.asp, and then come back to admin_index.asp.
Test successful! Decisive.
The admin backend is very powerful. Webshell: no! I'm a newcomer and it was not easy for me to get this far today. I hope you can give me some advice! Thank you!! Thank you! Feel free to get in touch!
By: Dark Moon (Darkmoon)