鼎祥多用户在线客服系统 (Dingxiang multi-user online customer service system) vulnerabilities
Source: Link's blog
鼎祥多用户在线客服系统 is an enterprise-grade real-time website chat system: a visitor only has to click the chat icon on a web page, with nothing to install or download, to talk to the site's customer service staff immediately. The system is meant to help a business find more potential customers, cut operating costs, improve efficiency and raise customer satisfaction, making it a practical tool for online consultation, online marketing and online customer service.
Database path is set in: inc.asp
Admin login page: http://your-domain/admin/login.asp
Default admin account: admin, password: admin
Edit the corresponding files yourself for the front page
The VB源码 directory holds the VB source of the client; download the portable VB6.0, change the address inside it and build.
鼎祥科技 (Dingxiang Technology)
http://www.68kf.cn
Found this by accident... actually I noticed it while going through the aspx code.
In zj2.asp:
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!--#include file="pass.asp" -->
<!--#include file="inc.asp" -->
<%
Response.Buffer = True
Response.ExpiresAbsolute = Now() - 1
Response.Expires = 0
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "No-Cache"
fuse=request.cookies("fuse")
fsid=request.querystring("fsid")
id=trim(request.querystring("id"))
password=request.cookies("password")'user ID
set rs=server.CreateObject("adodb.recordset")
strsql="select * from texts where userid='"&fuse&"' and id="&id&""
Heh heh.
Found something fun in ip.asp:
<%
function ips(ip)
adb = "ip.mdb"
aConnStr = "Provider = Microsoft.Jet.OLEDB.4.0;Data Source = " & Server.MapPath(adb)
Set AConn = Server.CreateObject("ADODB.Connection")
aConn.Open aConnStr
sip=request("ip")
If sip="127.0.0.1" Then sip="192.168.0.1" end if
str1=left(sip,instr(sip,".")-1)
sip=mid(sip,instr(sip,".")+1)
str2=left(sip,instr(sip,".")-1)
sip=mid(sip,instr(sip,".")+1)
str3=left(sip,instr(sip,".")-1)
str4=mid(sip,instr(sip,".")+1)
num=cint(str1)*256*256*256+cint(str2)*256*256+cint(str3)*256+cint(str4)-1
sql="select * from address where ip1 <="&num&" and ip2 >="&num
set rs=aconn.execute(sql)
if not rs.eof then
ips=rs("country")
else
ips="未知地区"
end if
end function
%>
I really have no idea what it records this for... and there's no error handling either; even if you pop the database path out of it, there's no point downloading it..
Holes are everywhere:
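As an added example (not the vendor's code), here is how ips() could validate request("ip") before doing any arithmetic and look the range up with a parameterized query; it assumes the same ip.mdb and address(ip1, ip2, country) table as the listing above:

```vbscript
<%
' Added example, not the vendor's code: a replacement for ips() in ip.asp that
' validates request("ip") before any arithmetic and parameterizes the lookup.
' Assumes the listing's ip.mdb with table address(ip1, ip2, country).
Function IsOctet(s)
  Dim j
  IsOctet = False
  If Len(s) = 0 Or Len(s) > 3 Then Exit Function
  For j = 1 To Len(s)            ' digits only: rejects "", "-1", "1e2", "a"
    If InStr("0123456789", Mid(s, j, 1)) = 0 Then Exit Function
  Next
  IsOctet = (CLng(s) <= 255)
End Function

Function ips(ip)
  Dim parts, i, num, aConn, cmd, rs
  ' The original fed request("ip") straight into Left/InStr/CInt, so a missing
  ' dot or a non-numeric octet raised a runtime error; default to "unknown" instead.
  ips = "未知地区"
  parts = Split(Trim("" & ip), ".")
  If UBound(parts) <> 3 Then Exit Function
  num = 0
  For i = 0 To 3
    If Not IsOctet(parts(i)) Then Exit Function
    num = num * 256 + CDbl(parts(i))   ' Double holds the full 0..4294967295 range
  Next
  num = num - 1                   ' keep the listing's off-by-one so stored ip1/ip2 ranges still match
  Set aConn = Server.CreateObject("ADODB.Connection")
  aConn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath("ip.mdb")
  Set cmd = Server.CreateObject("ADODB.Command")
  cmd.ActiveConnection = aConn
  cmd.CommandType = 1             ' adCmdText
  ' num is bound as a parameter rather than pasted into the SQL text
  cmd.CommandText = "select country from address where ip1 <= ? and ip2 >= ?"
  cmd.Parameters.Append cmd.CreateParameter("lo", 5, 1, , num) ' adDouble, adParamInput
  cmd.Parameters.Append cmd.CreateParameter("hi", 5, 1, , num)
  Set rs = cmd.Execute
  If Not rs.EOF Then ips = rs("country").Value
  rs.Close
  aConn.Close
End Function
%>
```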
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="sql.asp" -->
<!--#include file="encodehtml.asp" -->
<!--#include file="inc.asp" -->
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>客服留言</title>
<link href="style.css" rel="stylesheet" type="text/css">
<script>
function check(form)
{
if (form.names.value=="")
{
alert("\n请输入您的称呼!");
form.names.focus();
return (false);
}
if (form.texts.value=="")
{
alert("\n请输入留言内容!");
form.texts.focus();
return (false);
}
if (form.email.value=="" && form.phone.value=="")
{
alert("\n邮箱和电话请至少填写一个!");
form.email.focus();
return (false);
}
return (true);
}////target="parent.frameC"
</script>
</head>
<%
Response.Buffer = true
Response.Expires = -1
kuse=request.querystring("kuse")
use=request.querystring("use")
set rs=server.CreateObject("adodb.recordset")
strsql="select * from where userid='"&kuse&"' and ='"&use&"' and zxbz=1 "
rs.open strsql,conn,1,1
if not rs.eof then
ywfw=rs("bm")
hyl=rs("hyl")
glbh=rs("glbh")
end if
rs.close
set rs=nothing
set rs=server.CreateObject("adodb.recordset")
strsql="select * from userid where userid='"&kuse&"' order by id desc"
rs.open strsql,conn,3,2
if not rs.eof then
gsjj=rs("gsjj")
webname=rs("webname")
webdz=rs("webdz")
mail=rs("email")
mftel=rs("mftel")
telurl=rs("telurl")
dianhua=rs("dell")
end if
rs.close
set rs=nothing
Function addEntry()
texts=encodehtml(request("texts"))
phone=encodehtml(request("phone"))
email=encodehtml(request("email"))
names=encodehtml(request("names"))
ipp=Request.ServerVariables("REMOTE_ADDR")
set rs=server.CreateObject("adodb.recordset")
strsql="select * from ly "
rs.open strsql,conn,3,3
rs.addnew
rs("userid")=request("kuse")
rs("use")=request("use")
rs("ip")=ipp
rs("texts")=texts
rs("phone")=phone
rs("email")=email
rs("names")=names
rs.update
rs.close
set rs=nothing
response.write("<script language=javascript>alert('留言成功!');</script>")
End Function
Dim a
a = Request("action")
If a="" Then
else
addEntry
End If
conn.close
set conn=nothing
%>
<body leftmargin="0" topmargin="0">
<table width="703" border="0" align="center" cellpadding="0" cellspacing="0" background="images/chat/top.jpg">
<tr>
<td width="19" height="33"> </td>
<td width="499" style="color:#FFFFFF"><strong><%=request("use")%></strong></td>
<td width="169"> </td>
<td width="16"> </td>
</tr>
<tr>
<td height="38"> </td>
<td style="padding-top:10px">给 <strong><%=request("use")%></strong> 留言</td>
<td align="center"><%=request("use")%></td>
<td> </td>
</tr>
</table>
<table width="703" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="18" valign="top"><img src="images/chat/leftly.jpg" width="17" height="353"></td>
<td width="485" valign="top" bgcolor="#FFFFFF"><table width="95%" height="24" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td width="7%"> </td>
<td width="93%"><font color="#000000">客服不在线,请留言,我会尽快与您联系。</font></td>
</tr>
</table>
<form name="form2" method="post" action="?action=add">
<table width="91%" height="268" border="0" align="center">
<tr>
<td width="24%" align="center">您的称呼:</td>
<td width="76%"><input name="names" type="text" id="names3" size="30">
<font color="#FF0000">*</font></td>
</tr>
<tr>
<td align="center">您的邮箱:</td>
<td><input name="email" type="text" id="email3" size="30"></td>
</tr>
<tr><input name="use" type="hidden" id="use" value="<%=request("use")%>" >
<input name="kuse" type="hidden" id="kuse" value="<%=request("kuse")%>" >
<td align="center">您的电话:</td>
<td><input name="phone" type="text" id="phone3" size="30"></td>
</tr>
<tr>
<td height="144" align="center" valign="middle">留言内容:</td>
<td><textarea name="texts" cols="30" rows="9" id="textarea4"></textarea>
<font color="#FF0000">*</font></td>
</tr>
<tr>
<td height="31" align="center" valign="top"> </td>
<td><input type="submit" name="button" id="button" value="发表">
<input type="reset" name="button2" id="button2" value="重置"></td>
</tr>
</table>
</form></td>
<td width="15"><img src="images/chat/mly.jpg" width="15" height="353"></td>
<td width="169"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="262" background="images/chat/lbg.jpg"><table width="92%" height="0%" border="0" align="center" cellpadding="0" cellspacing="0" bordercolor="#0066CC">
<tr>
<td height="118" align="center"><img src="images/chat/kf.jpg" width="122" height="104"></td>
</tr>
<%if webname<>"" then%>
<tr>
<td height="24" align="center"><strong>
<%response.Write(glbh)%>
</strong></td>
</tr>
<%end if%>
<%if dianhua<>"" then%>
<tr>
<td height="24"> 电话:
<%response.Write(dianhua)%>
</td>
</tr>
<%end if%>
<%if mail<>"" then%>
<tr>
<td height="25"> 邮箱:
<%response.Write("<a href=mailto:"&mail&" class=left>"&mail&"</a>")%>
</td>
</tr>
<%end if%>
<%if ywfw<>"" then%>
<tr>
<td height="26">部门:
<%response.Write(ywfw)%></td>
</tr>
<%end if%>
<tr>
<td height="23" align="center"><a href="<%=webdz%>" target="_blank">
<%response.Write(webdz)%>
</a></td>
</tr>
</table></td>
</tr>
<tr>
<td><img src="images/chat/wc.jpg" width="169" height="30"></td>
</tr>
<tr>
<td height="60" align="center"><%
if mftel=0 then
%>
<a href="http://demo.68kf.cn/" target="_blank"><img src="images/im/reg.jpg" width="136" height="50" border="0" /></a>
<%else%>
<a href="<%=telurl%>" target="_blank"><img src="images/tel.jpg" width="117" height="37" border="0"></a>
<%end if %></td>
</tr>
</table></td>
<td width="16" align="right"><img src="images/chat/right.jpg" width="16" height="353"></td>
</tr>
</table>
<table width="200" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td><img src="images/chat/foot.jpg" width="703" height="50"></td>
</tr>
</table>
</body></html>
The above is book.asp.. Don't know how to exploit it? Then skip it. Still frustrating..
In chklogin.asp, let's see how it does its validation:
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!--#include file="inc.asp" -->
<!--#include file="inc/md5.asp" -->
<%
Function encodeHTML(ByVal str)
If IsNull(str) Then
encodeHTML = ""
Exit Function
End If
hui=wgzh
str=server.htmlencode(str)
str = Replace(str, ">", ">")
str = Replace(str, "<", "≪")
str = Replace(str, " ", " ")
str = Replace(str, Chr(39), "’")
str = Replace(str, Chr(34),"‘’")
str = Replace(str, Chr(13), "")
str = Replace(str, Chr(10), "<br>")
str=trim(str)
encodeHTML = str
End Function
'========================================
'if request("verify")<>session("jym") then
'response.write("<script>alert('验证码错误!');history.back();")
'response.end
'end if
use=trim(encodeHTML(request.form("gh")))
pass=trim(encodeHTML(request.form("password")))
set rs=server.CreateObject("adodb.recordset")
'strsql="select * from hui where hui='"&hui&"'"
'rs.open strsql,conn,1,3
'if rs.eof then
'rs.addnew
'rs("hui")=hui
'rs.update
'end if
'if rs.recordcount>4 then
'application("fghj")="mnmb"
'end if
'rs.close
strsql="select * from use where password='"&md5(pass)&"' and use='"&use&"' and userid='"&request("zh")&"' "
rs.open strsql,conn,1,3
if rs.eof then
response.write("<script>alert('用户名或密码错误!');history.back()</script>")
response.end
else
rs("zxbz")=0
rs("gjlx")=0
rs("dlnum")=rs("dlnum")+1
rs.update
'application("ivrg")=conm
response.cookies("fuse")=rs("userid")
response.cookies("password")=rs("password")
response.cookies("use")=rs("use")
response.cookies("fsidd")=rs("id")
response.cookies("qx")=rs("qx")
glbh=rs("glbh")
application("kuse")=application("kuse")&rs("userid")&"|"
'response.Redirect("main.asp")
response.redirect("main.asp?fid="&rs("id")&"&fuse="&rs("userid")&"&use="&use&"&glbh="&glbh&"")
end if
rs.close
'==============================================
conn.close
set rs=nothing
set conn=nothing
%>
It looks like our dear admin didn't filter ' properly... and besides, if the backend isn't Access, we can craft a statement to change his password.
Yes, changing his password right there at the login..
There are a few more fairly pointless ones, pass.asp:
<%
if request.cookies("fuse")="" or request.cookies("password")="" or request.cookies("use")="" then
response.redirect("/login.asp")
end if
%>
No idea what this validation is for..
Plenty of holes; everyone go download a copy and try it out. If I've got something wrong, feel free to flame me~ After all, I haven't looked at code in a long time.
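As an added example (not the vendor's code), the login query from chklogin.asp and the check from pass.asp rewritten so that no request value is concatenated into SQL (the same pattern that zj2.asp shows with fuse and id) and the logged-in identity lives in the server-side Session instead of client-supplied cookies. It assumes the listing's table and column names, its md5() function and its conn object, and that main.asp still reads fid/fuse/use/glbh from the query string:

```vbscript
<%
' Added example, not the vendor's code: the chklogin.asp login query and the
' pass.asp check. Assumes the listing's table/columns (use, userid, password,
' zxbz, gjlx, dlnum, qx, glbh, id), its md5() function and its conn object.
Dim cmd, cmd2, rs, uid, gh, glbh
gh = Trim(Request.Form("gh"))
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = conn
cmd.CommandType = 1 ' adCmdText
' Every request value is bound as a parameter, so zh (unfiltered in the
' original) never becomes part of the SQL text; encodeHTML() is no longer
' doing duty as an injection filter.
cmd.CommandText = "select id, userid, [use], qx, glbh from [use] " & _
                  "where password=? and [use]=? and userid=?"
cmd.Parameters.Append cmd.CreateParameter("p", 202, 1, 32, md5(Trim(Request.Form("password")))) ' adVarWChar, adParamInput
cmd.Parameters.Append cmd.CreateParameter("u", 202, 1, 50, gh)
cmd.Parameters.Append cmd.CreateParameter("z", 202, 1, 50, Trim(Request.Form("zh")))
Set rs = cmd.Execute
If rs.EOF Then
  Response.Write "<script>alert('用户名或密码错误!');history.back()</script>"
  Response.End
End If
' Identity is kept server-side; nothing secret (no password hash) goes into a cookie.
Session("fuse") = rs("userid").Value
Session("use") = rs("use").Value
Session("fsidd") = rs("id").Value
Session("qx") = rs("qx").Value
uid = rs("id").Value : glbh = "" & rs("glbh").Value
rs.Close
' The status update the original did through the updatable recordset
Set cmd2 = Server.CreateObject("ADODB.Command")
cmd2.ActiveConnection = conn
cmd2.CommandType = 1
cmd2.CommandText = "update [use] set zxbz=0, gjlx=0, dlnum=dlnum+1 where id=?"
cmd2.Parameters.Append cmd2.CreateParameter("i", 3, 1, , uid) ' adInteger
cmd2.Execute
Response.Redirect "main.asp?fid=" & uid & "&fuse=" & Server.URLEncode("" & Session("fuse")) & _
                  "&use=" & Server.URLEncode(gh) & "&glbh=" & Server.URLEncode(glbh)
%>

<%
' pass.asp: require a server-side session instead of three non-empty cookies.
If Session("fuse") = "" Then Response.Redirect "/login.asp"
%>
```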