乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-05-27: 积极联系厂商并且等待厂商认领中,细节不对外公开 2014-07-11: 厂商已经主动忽略漏洞,细节向公众公开
rt
版本 世纪风企业网站管理系统 3.6注入方面都过滤了 。 后台验证却很奇葩= =_admin/cms_login.asp
If reqf("submit") = "管理登陆" Then Call nullback(reqf("login_name"), "用户名不能为空!") Call nullback(reqf("login_password"), "密码不能为空!") Call nullback(reqf("login_verifycode"), "验证码不能为空!") If CStr(Session("CheckCode")) <> CStr(Request.Form("login_verifycode")) Then Call infohref("验证码错误!","cms_login.asp") End If Set rs = ado_query("select * from cms_admin where a_enable = 1 and a_name='"&str_safe(request.Form("login_name"))&"' and a_password='"&md5(str_safe(request.Form("login_password")))&"'") If Not rs.EOF Then Response.Cookies("admin_check") = request.Form("login_name") rs.close set rs = nothing response.redirect "cms_welcome.asp" Else rs.close set rs = nothing Call infohref("错误提示:用户名或密码错误,请核对后重新输入!","cms_login.asp") End IfEnd If%>
密码正确就赋予 admin_check username的值。inc_function.asp
'==========获取当前账户相关信息==========If inull(Request.Cookies("admin_check")) Then Response.Redirect("index.asp")End IfSet rs_gap = ado_query("select * from cms_admin where a_name = '"&Request.Cookies("admin_check")&"'")If rs_gap.EOF Then Response.Redirect("index.asp")End Ifadmin_name = rs_gap("a_name")admin_truename = rs_gap("a_truename")admin_penname = rs_gap("a_penname")admin_purview = rs_gap("a_purview")rs_gap.CloseSet rs_gap = Nothing
这个 cookie是能伪造的。赋予admin 或者 cookie注入。这个值是没有经过str_safe过滤的百度个站来试试。。
you konw
未能联系到厂商或者厂商积极拒绝