js | Security | process | cracking
One day I happened to open a website that offered video chat with pretty girls (PLMM), but registering by mobile phone cost money. I just wanted to see whether there was a hole that would let me chat with the MM without paying. First I looked for a SQL injection hole: I opened a page that takes a parameter, http://www.xxx.yyy/abc.jsp?agentid=111116, and appended a quote to the parameter, http://www.xxx.yyy/abc.jsp?agentid=111116'. Result:
Servlet Exception
java.lang.NumberFormatException: For input string: "111116'"
	at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
	at java.lang.Integer.parseInt(Integer.java:477)
	at java.lang.Integer.parseInt(Integer.java:518)
	at _agentdetail__jsp._jspService(d:\timework\timeweb\udate\agentdetail.jsp:12)
	at com.caucho.jsp.JavaPage.service(JavaPage.java:75)
	at com.caucho.jsp.Page.subservice(Page.java:506)
	at com.caucho.server.http.FilterChainPage.doFilter(FilterChainPage.java:182)
	at com.caucho.server.http.Invocation.service(Invocation.java:315)
	at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:246)
	at com.caucho.server.http.HttpRequest.handleConnection(HttpRequest.java:163)
	at com.caucho.server.TcpConnection.run(TcpConnection.java:139)
	at java.lang.Thread.run(Thread.java:534)
So the parameter is converted to a number before it is used; nothing to be had there. I kept looking. Registration and login got me nowhere, and then by chance I found a place where you could upload a photo, which was worth studying. As luck would have it, I uploaded a JSP file and, incredibly, got no error at all! Following the path of the picture I then found the path of the JSP file, tried visiting it, and it ran normally.
OK, God was on my side! I wrote a JSP that lists the directories and files on the hard disk and uploaded it, and through that JSP I got the site's physical path. Then I wrote a JSP that displays the contents of a file and uploaded that too, and everything on the disk could be seen plainly. But to log in with money to spend I still had to get at the database. Looking inside the JSP code revealed nothing of interest: it was all written with JavaBeans, and the database operations were presumably encapsulated in them, so the JSP files were a dead end. Next I looked at what was under WEB-INF: web.xml was no use, but inside classes there was a file named campus.properties. Opening it, the long-sought server IP, port and sa password were all right there:
#campus.properties--Thu June 18:23:20 CST 2004
#Thu 18:23:20 CST 2004
dbconnectiondefaultpool.minconnections=1000
mail.domain=localhost
dbconnectiondefaultpool.server=jdbc\:jtds\:sqlserver\://192.168.1.3\:1433/xxx;charset\=gb2312
mail.encoding=gb2312
infor.typemorepath=typemorelist.jsp
infor.titime=yy-m-d
infor.tilistr=<font size\=2>&\#8226;</font>
sxhcrypt1=426ce28d53728257
infor.msgmorelink=
infor.tipattern=T[M-D]
dbsearchindexer.lastindexed=993035225847
documentoption2=false
infor.css=a3
dbconnectiondefaultpool.logpath=d\:\\work\\web\\xxx\\web-inf\\campusdblog.log
infor.typeviewpath=typeview.jsp
dbconnectiondefaultpool.username=sa
infor.msgmorepath=msgmorelist.jsp
path=d\:\\work\\web\\udate\\web-inf\\classes\\campus.properties
setup=true
dbconnectiondefaultpool.connectiontimeout=0.002
mail.smtpport=25
mail.tempdir=d\:\\myproject\\xerinfor\\defaultroot\\files\\mailtmp
campushome=d\:\\work\\web\\udate
dbconnectiondefaultpool.maxconnections=3000
infor.tiimgstr=
mail.smtphost=localhost
dbconnectiondefaultpool.driver=net.sourceforge.jtds.jdbc.Driver
infor.imgpath=msglist.jsp
infor.msgviewpath=msgview.jsp
dbconnectiondefaultpool.password=xxxxxxxxxxx
(The sensitive values above have been changed.)
With these, haha, everything was solved! I immediately wrote a JSP to query which tables the database contained. There was a _user table, presumably the user table; I pulled a few rows to check, and sure enough....
After that it was easy. So as not to arouse suspicion or make some innocent person pay for me, I still registered an account of my own, but did not top it up.
Then I updated the mobile phone number to a nonexistent number, found the points field, and updated it to 1 million.
Haha, all done! Logged in and tried it: instantly rich!!! Because I do not want unnecessary trouble with the website, I still do not intend to publish which site it is; brothers and sisters, forgive me!
This shows how important a site's security is, especially for a site like this one. If you are not careful, at best others get to use the service for free; at worst all the data is gone. Imagine if someone had run delete from _user: how big would the loss be for this site? I never paid attention to this kind of detail when I wrote code before; after this, I think I must pay attention to these problems.
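The hole that made all of this possible was the photo upload: it accepted a .jsp file, kept its name, stored it under the web root, and let the container execute it. As an added example for this note (not code from the site in the story), here is a servlet that closes that hole by deciding the file type from its bytes, generating the stored name itself, and writing outside the web root; the field name photo and the directory /var/uploads are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.UUID;
import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

@WebServlet("/upload")
@MultipartConfig(maxFileSize = 2 * 1024 * 1024)
public class PhotoUploadServlet extends HttpServlet {
    // Assumed storage directory, outside the web root: nothing placed here is ever compiled or served.
    private static final Path STORE = Paths.get("/var/uploads");
    private static final byte[] JPEG_MAGIC = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF};
    private static final byte[] PNG_MAGIC = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

    // Type is decided from the bytes themselves; null means "not an image we accept".
    static String imageExtension(byte[] data) {
        if (startsWith(data, JPEG_MAGIC)) return "jpg";
        if (startsWith(data, PNG_MAGIC)) return "png";
        return null;
    }

    private static boolean startsWith(byte[] data, byte[] magic) {
        return data.length >= magic.length
                && Arrays.equals(Arrays.copyOf(data, magic.length), magic);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Part part = req.getPart("photo"); // assumed form field name
        if (part == null) { resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return; }
        byte[] data = part.getInputStream().readAllBytes(); // bounded by maxFileSize above
        String ext = imageExtension(data);
        if (ext == null) {
            // Client-supplied filename and Content-Type are ignored; a JSP renamed to .jpg fails here.
            resp.sendError(HttpServletResponse.SC_UNSUPPORTED_MEDIA_TYPE, "only JPEG or PNG accepted");
            return;
        }
        // Server-generated name: the original filename never reaches the filesystem.
        Files.write(STORE.resolve(UUID.randomUUID() + "." + ext), data);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Images are then served to users by a separate read-only handler that streams from STORE with an image Content-Type, so the stored path is never exposed and the container never treats the files as pages.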