Qwbm deep mountain walker travel service management system: login bypass that grants admin back-end permissions
0x01 Code Auditing
Let's first look at admin/qwbm_index.asp
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!--#include file="qwbm_conn.asp"-->
<!--#include file="qwbm_cheack.asp"-->
<META http-equiv=Content-Type content="text/html; charset=gb2312">
Of the included files, admin/qwbm_cheack.asp is the permission check file:
<%
' Deny access only when the "username" cookie (prefixed with qwbmcms2) is empty
If Request.Cookies("" & qwbmcms2 & "username") = "" Then
    Response.Write "You are not authorized to view the file"
    Response.End
End If
%>
The program only checks the cookie named qwbmcms2 & "username". If that cookie is set, the request is treated as logged on.
However, unlike the earlier report "WooYun: Qwbm's deep mountain walker message board, which allows attackers to bypass logon and obtain background permissions", the value of the qwbmcms2 variable is unknown here.
To find it, add Response.Write qwbmcms2 before Response.End so that the content of the qwbmcms2 variable is output.
However, when we access admin/qwbm_cheack.asp, we find that the content of the qwbmcms2 variable is empty, so we construct a cookie:
username=admin
After modifying the cookie, you can successfully log on.
0x02 Modify & Bypass
Solution:
Change the login verification policy and improve security awareness.
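One way to change the check, shown as an added example that is not the vendor's code: login state is read from the server-side Session object instead of a client-supplied cookie. It assumes the login page stores the verified account name under the hypothetical key "qwbm_admin_user" only after the password has been checked.

```asp
<%
' admin/qwbm_cheack.asp, hardened variant (added example, not vendor code).
'
' Before (from the audit above): any request carrying a non-empty
' "username" cookie passed, and cookie values are chosen by the client:
'   If Request.Cookies("" & qwbmcms2 & "username") = "" Then ...
'
' After: login state lives in the server-side Session object. The browser
' only holds the opaque ASPSESSIONID cookie issued by IIS, so the value of
' a "username" cookie no longer decides anything.
'
' Assumption: the login page sets Session("qwbm_admin_user") to the
' account name only after the password has been verified. The key name
' "qwbm_admin_user" is hypothetical.

Dim adminUser
adminUser = Session("qwbm_admin_user") & ""   ' Empty or Null becomes ""

If Len(adminUser) = 0 Then
    ' Not authenticated: refuse and stop before the including page runs.
    ' Response.Status needs response buffering on (the IIS default).
    Response.Status = "403 Forbidden"
    Response.Write "You are not authorized to view the file"
    Response.End
End If

' Pages that include this file should take the identity from adminUser
' (server-side value) and never from Request.Cookies.
%>
```

The logout page should call Session.Abandon so that the server-side login state is discarded as well.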