【漏洞】梦缘设计企业网站管理系统0day

searchpic.asp：

<!--#include file="top.asp"-->

<%
if session("skins")<>"" then
set rstmp=conn.execute("select skin_pic,id from skins where id="&session("skins")&"")
else
set rstmp=conn.execute("select skin_pic from skins where default=true")
end if
show=rstmp(0)
set rstmp=nothing
    call myweb
if instr(show,"$show_userlogin$")>0 then
call showuserlogin()
show=replace(show,"$show_userlogin$",show_userlogin)
end if
response.Write show
%><!--#include file="foot.asp"-->
<%
'==================================================
'过程名：showpic
'作  用：显示具体的产品
'参  数：无
'==================================================
sub showpic()
show_pic="<table border='0' width='100%' bgcolor='#EEEEEE' cellspacing='1' cellpadding='3' align='center'><tr bgcolor='#FFFFFF'><td  colspan='3'>您的位置:<a href='index.asp'>网站首页</a>→<a href='product.asp'>产品中心</a>→搜索产品</td></tr>"
show_pic=show_pic&"<tr bgcolor='#F3F3F3'><td width='7%'><p align='center'>编号</td><td width='67%'><p align='center'>名称</td><td width='25%'><p align='center'>发布日期</td></tr>"

dim searchpic
searchpic=trim(request.form("searchpic"))
If Len(Trim(Request("page")))=0 Then  '返回目标页码的判断
page=1
Else
page=CInt(Trim(Request("page")))
End If
set rs=Server.CreateObject("ADODB.RecordSet")
  if searchpic="" then
  sql="select * from [pic]  order by id desc"
  else
  sql="select * from [pic] where  pictitle  like '%"&searchpic&"%' or content like '%"&searchpic&"%'  order by id desc"
    end if //fuck 噢耶
 
rs.open sql,conn,1,3
rs.PageSize=20
if rs.eof then
show_pic=show_pic&"<tr bgcolor='#FFFFFF'><td  colspan='3'><font color=red>没有您要搜索的产品</font></td></tr>"
end if

if not rs.eof then
  rs.AbsolutePage=page
    for k=1 to rs.PageSize
.......//

admin_login.asp：

<%if request("action")="check" then
dim name,pwd,code
dim GetCode,valicode
Code=trim(request.form("Code"))
GetCode=trim(request("Code"))
valicode=trim(session("Code"))
name=trim(request.form("name"))
pwd=trim(request.form("pwd"))
if not isnumeric(Code)  then
response.write"<script>alert(""验证码格式错误！"");location.href=""javascript:history.go(-1)"";</script>"
response.end
end if
if name<>"" and  instr(name,chr(39))>0 or instr(name,chr(34))>0  then
response.write"<script>alert(""用户名非法！"");location.href=""javascript:history.go(-1)"";</script>"
response.end
end if
if GetCode<>valicode then
response.write"<script>alert(""验证码错误！"");location.href=""javascript:history.go(-1)"";</script>"
response.end
end if
set rs=conn.execute("select * from admin where myweb_name='"&name&"' and myweb_pwd='"&md5(pwd)&"'")
if rs.eof then
response.write"<script>alert(""用户名或者密码错误！"");location.href=""javascript:history.go(-1)"";</script>"
else
session("admin")=name  / /session 验证
response.redirect"admin_index.asp"
rs.close
end if
end if
%>

admin_index.asp：

<%if session("admin")="" then （当session为空的时候来到index.asp 反之就来到管理页面）
response.redirect"index.asp"
response.end
end if
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>后台管理</title>
</head>
<frameset rows="*" framespacing="0" frameborder="0" border="false" id="frame" scrolling="yes">
  <frameset cols="181,*" framespacing="0" frameborder="0" border="false" id="frame" scrolling="yes">
  <frame name="left" scrolling="auto" marginwidth="0" marginheight="0" src="admin_index_left.asp" target="main">
  <frameset framespacing="0" border="false" rows="35,*" frameborder="0" scrolling="yes">
    <frame name="top" scrolling="no" src="admin_index_top.asp">
    <frame name="main" scrolling="auto" src="admin_index_main.asp">
  </frameset>
</frameset>
</frameset>
<noframes>
  <body leftmargin="2" topmargin="0" marginwidth="0" marginheight="0">
  <p>你的浏览器版本过低！！！本系统要求IE5及以上版本才能使用本系统。</p>
  </body>
</noframes>
</html>