梦缘设计企业网站管理系统0day

今天渗透一站点,发现旁站有这个系统果断,马上百度一下 然后下载下来,下一步当然是分析 能挖到0day最好了!

噢耶,因为系统看起来还是比较简单了,很快就在

searchpic.asp

<!--#include file="top.asp"-->

<%
if session("skins")<>"" then
set rstmp=conn.execute("select skin_pic,id from skins where id="&session("skins")&"")
else
set rstmp=conn.execute("select skin_pic from skins where default=true")
end if
show=rstmp(0)
set rstmp=nothing
call myweb
if instr(show,"$show_userlogin$")>0 then
call showuserlogin()
show=replace(show,"$show_userlogin$",show_userlogin)
end if
response.Write show
%><!--#include file="foot.asp"-->
<%
'==================================================
'过程名：showpic
'作 用：显示具体的产品
'参 数：无
'==================================================
sub showpic()
show_pic="<table border='0' width='100%' bgcolor='#EEEEEE' cellspacing='1' cellpadding='3' align='center'><tr bgcolor='#FFFFFF'><td colspan='3'>您的位置:<a href='index.asp'>网站首页</a>→<a href='product.asp'>产品中心</a>→搜索产品</td></tr>"
show_pic=show_pic&"<tr bgcolor='#F3F3F3'><td width='7%'><p align='center'>编号</td><td width='67%'><p align='center'>名称</td><td width='25%'><p align='center'>发布日期</td></tr>"

dim searchpic
searchpic=trim(request.form("searchpic"))
If Len(Trim(Request("page")))=0 Then '返回目标页码的判断
page=1
Else
page=CInt(Trim(Request("page")))
End If
set rs=Server.CreateObject("ADODB.RecordSet")
if searchpic="" then
sql="select * from [pic] order by id desc"
else
sql="select * from [pic] where pictitle like '%"&searchpic&"%' or content like '%"&searchpic&"%' order by id desc"
end if //fuck 噢耶

rs.open sql,conn,1,3
rs.PageSize=20
if rs.eof then
show_pic=show_pic&"<tr bgcolor='#FFFFFF'><td colspan='3'><font color=red>没有您要搜索的产品</font></td></tr>"
end if

if not rs.eof then
rs.AbsolutePage=page
for k=1 to rs.PageSize
.......//

post形式注入

表 admin

字段分别为 myweb_name myweb_pwd

默认后台Admin_login.asp

掉进牛逼死（nbsi）果断给力

如图:

接着继续分析一下后台

admin_login.asp

<%if request("action")="check" then
dim name,pwd,code
dim GetCode,valicode
Code=trim(request.form("Code"))
GetCode=trim(request("Code"))
valicode=trim(session("Code"))
name=trim(request.form("name"))
pwd=trim(request.form("pwd"))
if not isnumeric(Code) then
response.write"<script>alert(""验证码格式错误！"");location.href=""javascript:history.go(-1)"";</script>"
response.end
end if
if name<>"" and instr(name,chr(39))>0 or instr(name,chr(34))>0 then
response.write"<script>alert(""用户名非法！"");location.href=""javascript:history.go(-1)"";</script>"
response.end
end if
if GetCode<>valicode then
response.write"<script>alert(""验证码错误！"");location.href=""javascript:history.go(-1)"";</script>"
response.end
end if
set rs=conn.execute("select * from admin where myweb_name='"&name&"' and myweb_pwd='"&md5(pwd)&"'")
if rs.eof then
response.write"<script>alert(""用户名或者密码错误！"");location.href=""javascript:history.go(-1)"";</script>"
else
session("admin")=name / /session 验证
response.redirect"admin_index.asp"
rs.close
end if
end if
%>

接着看了一下 admin_index.asp

<%if session("admin")="" then （当session为空的时候来到index.asp 反之就来到管理页面）
response.redirect"index.asp"
response.end
end if
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>后台管理</title>
</head>
<frameset rows="*" framespacing="0" frameborder="0" border="false" id="frame" scrolling="yes">
  <frameset cols="181,*" framespacing="0" frameborder="0" border="false" id="frame" scrolling="yes">
  <frame name="left" scrolling="auto" marginwidth="0" marginheight="0" src="admin_index_left.asp" target="main">
  <frameset framespacing="0" border="false" rows="35,*" frameborder="0" scrolling="yes">
    <frame name="top" scrolling="no" src="admin_index_top.asp">
    <frame name="main" scrolling="auto" src="admin_index_main.asp">
  </frameset>
</frameset>
</frameset>
<noframes>
  <body leftmargin="2" topmargin="0" marginwidth="0" marginheight="0">
  <p>你的浏览器版本过低！！！本系统要求IE5及以上版本才能使用本系统。</p>
  </body>
</noframes>
</html>

随即新建123.asp

如图: