Author: technology creates freedom (real name: Kang Jian)
QQ: 330950407 MSN: htlaeh@hotmail.com
Today, while browsing the service forum of the Dynamic and Easy Article Management System (the Dynamic and Easy Forum), I came across a post saying that the Dynamic 3.51 website management system has vulnerabilities that allow any member to view any paid content on the website! So I studied the problem and finally worked out how to plug the vulnerabilities!
I. Plugging the vulnerability that cracks paid articles through the "tell friends" function
Open the sendmail.asp file in the "power 3.51" directory (back up the file before modification) and find the following code (it is at the end of the file, generally from line 155 to the end):
mailbody = mailbody & "--&nbsp;Release Date: " & rs("UpdateTime") & "<br>"
mailbody = mailbody & "--&nbsp;" & rs("title") & "<br>"
' The full article content is written into the mail body here
mailbody = mailbody & "" & rs("content") & ""
mailbody = mailbody & "</TD></TR></TBODY></TABLE>"
mailbody = mailbody & "<center><a href=" & SiteUrl & ">" & SiteName & "</a>"
End Sub
%>
Replace it with:
mailbody = mailbody & "--&nbsp;Release Date: " & rs("UpdateTime") & "<br>"
mailbody = mailbody & "--&nbsp;Article title: " & rs("title") & "<br>"
' Only the article address is sent; rs("content") is no longer included
mailbody = mailbody & "--&nbsp;Article address (Please copy it to the IE address bar to open it. If you cannot access it, add 1, 2, or 3 after Article_Show, or contact your friends!): http://free.ptidc.com/flyue/Article_Show.asp?ArticleID=" & ArticleID & "<br>"
mailbody = mailbody & "--&nbsp;" & SiteName & "<br>"
mailbody = mailbody & "</TD></TR></TBODY></TABLE>"
End Sub
%>
The http://free.ptidc.com/flyue/ must be changed to the address of the directory that holds the index.asp file of your power 3.51 management system. For example, your website access address is index.asp, you should change http://free.ptidc.com/flyue/ in the above code to (do not add other characters before and after!)
After this modification, emails sent to friends through "tell friends" contain only the article address and no article content. This plugs the vulnerability in which non-paid members could use "tell friends" to send paid articles to their own mailboxes and read the complete content there. However, it also has the following side effect: when ordinary members send common articles, or paid members send common or paid articles, to friends, the email shows only the article address, and this address does not necessarily use the template normally used to access the article; instead, it uses the same template! I think this side effect does not matter much, and sometimes it is even a good thing! ^-^ Not many people use the "tell friends" function, and after this modification a friend who receives the email cannot read the article directly in the email but has to visit the website. Can this increase the traffic of our website? ^-^
II. Plugging the paid-article cracking vulnerability
Open the User_ArticleShow.asp file in the power 3.51 directory (back up the file before modification!) and find the following code:
<%=rs("Content")%>
Replace it with:
<%
' Show the content only when the permission check has passed
If PurviewChecked = True Then
    Response.Write "<font>" & rs("Content") & "</font>"
Else
    Response.Write "<font color=red><strong>You are not authorized to view this software!!</strong></font>"
End If
%>
Save the file and upload it online!
III. Plugging the paid-software cracking vulnerability
Open the User_SoftShow.asp file in the power 3.51 directory (back up the file before modification!) and search for the following code. (If the editor's search cannot find it, look for it manually. Generally, the code is around line 226!):
Response.Write "1:&nbsp;<a href=" & rs("DownloadUrl1") & " target=_blank>" & rs("DownloadUrl1") & "</a><br>"
Then you will see:
Response.Write "1:&nbsp;<a href=" & rs("DownloadUrl1") & " target=_blank>" & rs("DownloadUrl1") & "</a><br>"
Response.Write "2:&nbsp;<a href=" & rs("DownloadUrl2") & " target=_blank>" & rs("DownloadUrl2") & "</a><br>"
Response.Write "3:&nbsp;<a href=" & rs("DownloadUrl3") & " target=_blank>" & rs("DownloadUrl3") & "</a><br>"
Response.Write "4:&nbsp;<a href=" & rs("DownloadUrl4") & " target=_blank>" & rs("DownloadUrl4") & "</a>"
What about it? Select all of them! ^-^
After selection, replace them with the following:
' Write the download links only when the permission check has passed
If PurviewChecked = True Then
    Response.Write "1:&nbsp;<a href=" & rs("DownloadUrl1") & " target=_blank>" & rs("DownloadUrl1") & "</a><br>"
    Response.Write "2:&nbsp;<a href=" & rs("DownloadUrl2") & " target=_blank>" & rs("DownloadUrl2") & "</a><br>"
    Response.Write "3:&nbsp;<a href=" & rs("DownloadUrl3") & " target=_blank>" & rs("DownloadUrl3") & "</a><br>"
    Response.Write "4:&nbsp;<a href=" & rs("DownloadUrl4") & " target=_blank>" & rs("DownloadUrl4") & "</a>"
Else
    Response.Write "<font color=red><strong>You are not authorized to view this software!!</strong></font>"
End If
Save the file and upload it to the Internet!
Do you see the difference between the code before and after the modification? The If statement checks whether the member accessing the page has permission to view the software. If they do, or if they are the website administrator or the person who added the software, the software is displayed; if not, the message "You are not authorized to view this software!!" is displayed. In this case, those who want to peek at the paid software through the vulnerability can only see the red text "You are not authorized to view this software!!" ^-^
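All three fixes above gate output on PurviewChecked. The helpers below are an added example, not the management system's own code, that put that gate in one place, deny by default, and encode the download URLs. The function names, DENIED_HTML and the baseUrl parameter are assumptions; rs, PurviewChecked, the field names and Article_Show.asp come from the code above.

```vbscript
<%
' Added example (assumption-based), not the management system's own code.
' IsAllowed: deny by default. Only a real Boolean True passes, so an unset
' (Empty), Null or string value of PurviewChecked never exposes paid content.
Function IsAllowed(flag)
    IsAllowed = False
    If VarType(flag) = vbBoolean Then
        If flag Then IsAllowed = True
    End If
End Function

Const DENIED_HTML = "<font color=red><strong>You are not authorized to view this content!</strong></font>"

' Article body for User_ArticleShow.asp.
Function ArticleBodyHtml(rs, flag)
    If IsAllowed(flag) Then
        ArticleBodyHtml = "<font>" & rs("Content") & "</font>"
    Else
        ArticleBodyHtml = DENIED_HTML
    End If
End Function

' Download links for User_SoftShow.asp: DownloadUrl1..DownloadUrl4, empty ones
' skipped, the URL HTML-encoded and the href quoted so that a stored URL
' cannot break out of the attribute.
Function DownloadLinksHtml(rs, flag)
    Dim i, url, html
    If Not IsAllowed(flag) Then
        DownloadLinksHtml = DENIED_HTML
        Exit Function
    End If
    html = ""
    For i = 1 To 4
        url = Trim(rs("DownloadUrl" & i) & "")
        If url <> "" Then
            url = Server.HTMLEncode(url)
            html = html & i & ":&nbsp;<a href=""" & url & """ target=""_blank"">" & url & "</a><br>"
        End If
    Next
    DownloadLinksHtml = html
End Function

' Mail body lines for sendmail.asp: link only, never rs("content").
' CLng raises an error on a non-numeric ArticleID, so the mail is not sent.
Function TellFriendBodyHtml(rs, baseUrl, articleId)
    TellFriendBodyHtml = "--&nbsp;Article title: " & Server.HTMLEncode(rs("title") & "") & "<br>" & _
        "--&nbsp;Article address: " & baseUrl & "Article_Show.asp?ArticleID=" & CLng(articleId) & "<br>"
End Function
%>
```

With these in a shared include file, each page would call, for example, Response.Write DownloadLinksHtml(rs, PurviewChecked) instead of repeating the If block.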
My website, Flying Over Happy Home, has been modified and tested successfully! If you are interested, you can go to my website to test.