影响版本:V1.7静态版
官方网站:

漏洞类型:设计缺陷
漏洞描述:风神新闻管理静态版1.7存在多处漏洞。

#1.1
后台验证文件 wwwroot/admin/islogin.asp

====================================================================================
<%
if session("admin")="" then
response.Write("<br><br><div align=center>您还没有登录或操作超时请先<a href=login.asp

target=_top>登录</a>.</div>")
response.End()
end if
if instr(request.servervariables("http_referer"),"http://"&request.servervariables("http_host") )<1

then
response.write "<br><br><div align=center>禁止从外部访问管理后台</div>"
response.End()
end if
%>

====================================================================================
是用session验证 没办法客户端欺骗 漏洞与验证文件无关.


==================================================================================
#1.1 wwwroot/admin/list.asp

<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!--#include file="admin_conn.asp"--> //注意 没包含islogin.asp

<html>
<head>
<LINK href="admin_Css.css" type=text/css rel=stylesheet>

<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>修改信息列表</title>

<style type="text/css">
<!--
.STYLE1 {
font-size: 14px;
color: #0000FF;
font-weight: bold;
}
-->
</style>
</head>


<body>
<div>
<p><br>
<span>管理首页</span></p>
<table cellspacing="1" cellpadding="0">
<tr>
<td colspan="2"><div>服务器有关参数</div></td>
</tr>

<tr>
<td><div> &nbsp;服务器名</div>
<div></div></td>
<td>&nbsp;<%=Request.ServerVariables("SERVER_NAME")%></td>
</tr>
<tr>
<td>&nbsp;服务器IP</td>
<td>&nbsp;<%=Request.ServerVariables("LOCAL_ADDR")%></td>
</tr>
<tr>
<td>&nbsp;服务器端口</td>
<td>&nbsp;<%=Request.ServerVariables("SERVER_PORT")%></td>
</tr>
<tr>
<td>&nbsp;服务器时间</td>
<td>&nbsp;<%=now%></td>
</tr>
<tr>
<td>&nbsp;IIS版本</td>
<td>&nbsp;<%=Request.ServerVariables("SERVER_SOFTWARE")%></td>
</tr>
<tr>
<td>&nbsp;脚本超时时间</td>
<td>&nbsp;<%=Server.ScriptTimeout%> 秒</td>
</tr>
<tr>
<td>&nbsp;服务器CPU数量</td>
<td>&nbsp;<%=Request.ServerVariables("NUMBER_OF_PROCESSORS")%>个</td>
</tr>
<tr>
<td>&nbsp;服务器解译引擎</td>
<td>&nbsp;<%=ScriptEngine & "http://www.2cto.com/"& ScriptEngineMajorVersion

&"."&ScriptEngineMinorVersion&"."& ScriptEngineBuildVersion %></td>
</tr>
<tr>
<td>&nbsp;服务器操作系统</td>
<td>&nbsp;<%=Request.ServerVariables("OS")%></td>
</tr>
<tr>
<td>&nbsp;FSO读写</td> //以下省略无关紧要的代码
==================================================================================


#1.2 wwwroot/admin/dir.asp

<!--#include file="dir.inc.asp"--> //dir.inc.asp内容请看#1.3
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312"> //注意 也没包含isiogin.asp
<html>
<title>信息管理目录</title>
<link href="style.css" type="text/css">
<head>


<SCRIPT language="javascript1.2">
function showsubmenu(sid)
{
whichEl = eval("submenu" + sid);
if (whichEl.style.display == "none")
{
eval("submenu" + sid + ".style.display="";");
}
else
{
eval("submenu" + sid + ".style.display="none";");
}
}
</SCRIPT>
</head>
<BODY bgcolor="#799AE1" leftmargin="0" topmargin="0">
<div align=center>
<table cellpadding="0" cellspacing="0" >
<tr>
<td valign="top">
<table cellpadding="0" cellspacing="0">
<tr>
<td valign="bottom">
<img src="images/title.gif">
</td>
</tr>
</table>
<table cellpadding="0" cellspacing="0">
<tr>
<td

onMouseOut="this.className=menu_title;" background="images/title_bg_quit.gif">
<div>&nbsp;&nbsp;<a href="list.asp" target="mainFrame"><b>管理首页</b></a>
| <a href="loginout.asp" target="_top"> <b>退出</b></a> </div>
</td>
</tr>
</table>
&nbsp;
<%
//管理菜单
call showMenu()
%>
</td>
</tr>
</table>
<p> </div>
</BODY>
</html>
==================================================================================

#1.3 wwwroot/admin/dir.inc.asp

<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<%
//预定义
dim menu(3,9),j,tmpmenu,menuname,menurl


menu(0,0)="信息管理"
menu(0,1)="<a href=ArticleAddSelClass.asp target=mainFrame>发布信息</a> | <a

href=ArticleModSelClass.asp target=mainFrame>修改信息</a>"
menu(0,2)="<a href=SearchArticle.asp target=mainFrame>查找信息</a> | <a href=TjArticle.asp

target=mainFrame>推荐信息</a>"

menu(1,0)="FSO生成htm"
menu(1,1)="<a href=QtMake.asp target=mainFrame>生成前台文件 </a> "
menu(1,2)="<a href=HtmlMake.asp target=mainFrame>重新批量生成htm</a> "

menu(2,0)="综合管理"
menu(2,1)="<a href=ClassManage.asp target=mainFrame>类别管理</a>&nbsp; | &nbsp;<a href=SuperUser.asp

target=mainFrame>用户管理</a>"
menu(2,2)="<a href=SpaceSize.asp target=mainFrame>空间占用</a> &nbsp;| &nbsp;<a href=SysSet.asp

target=mainFrame>系统设置</a>"
menu(2,3)="<a href=DataManage.asp target=mainFrame>数据库维护</a>| &nbsp;<a href=moban.asp

target=mainFrame>模板管理</a>"