My site admin panel is being hacked each and every day. Please suggest a solution; here is my login code below:
<!--#include file="common.asp"-->
<%
if session("adminuserid")<>"" then
    response.Redirect("menu_home.asp")
end if
%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta http-equiv="Content-Style-Type" content="text/css">
<meta name="revisit-after" content="30">
<title>Login</title>
<link href="style_code.css" rel="stylesheet" type="text/css">
<script type="text/javascript">
function submitonce(theform)
{
  // Disable every submit/reset button after the first click so the form is only posted once
  if (document.all||document.getElementById){
    for (var i=0;i<theform.length;i++){
      var tempobj=theform.elements[i];
      if(tempobj.type.toLowerCase()=="submit"||tempobj.type.toLowerCase()=="reset")
        tempobj.disabled=true;
    }
  }
}
</script>
</head>
<body>
<div id="dlContainer">
<div style=" width: 780px;" >
<div align="left" style="padding:20px"><strong><font color="#3333CC" size="4">
  Administration Panel </font></strong> </div>
<div class='topbar' align='center'><strong> Restricted Area Login</strong></div>
<br>
<%
    if request("flag")<>"" then
        msg=""
        OpenDataBase Conn
        username=sqlsafe(server.HTMLEncode(request("username")))
        password=sqlsafe(server.HTMLEncode(request("password")))
        er=""
        if username ="" then er=er & "<center>Enter UserName !!!</center><br>"
        if password="" then er=er & "<center>Enter Password !!!</center><br>"
        if  request("password")="'" then er=er & "<center>Enter Password !!!</center><br>"
        if  request("password")="<" then er=er & "<center>Enter Password !!!</center><br>"
        if  request("password")=">" then er=er & "<center>Enter Password !!!</center><br>"
        if  request("password")="'""'" then er=er & "<center>Enter Password !!!</center><br>"
        if  request("password")="<XSS>" then er=er & "<center>Enter Password !!!</center><br>"
        if  request("password")="</XSS>" then er=er & "<center>Enter Password !!!</center>"
        'strSearchFor=""'"""
        'If InStr(1,password,strSearchFor) > 0 then er=er & "<center>Enter Password !!!</center><br>"

        if er<>"" then
            msg=er
            showform=1
        else
            sql="Select * from adminuserdata where username='" & username & "'"
            Set rs = Server.CreateObject("ADODB.Recordset")
            rs.open sql,Conn,1,1
            if rs.BOF = False then
                if encodeString(rs("password"))=encodeString(password) then
                session.Contents.RemoveAll()
                Session.Timeout=300
                session("adminuserid")=rs("userid")
                session("admin")="1"
                addlog ucase(rs("username")) & " has logged in"
                For Each Field in rs.Fields
                    session(field.name)=rs(field.name)
                next
                conn.close
                response.Redirect("menu_home.asp")
                else
                msg="Invalid Username/Password !!! "
                showform=1
                end if 'rs password
            else
                addlog "Username: " & username & " Password: " & password & " cannot log in"
                conn.close
                session.Contents.RemoveAll()
                msg="<center>Invalid Username/Password !!!</center>"
                showform=1
            end if
        end if
    end if
%>
<% if request("flag")="" or showform=1 then%>
<form name="form1" method="post" action="default.asp">
<table align="center" width="100%">
<tr>
     <td colspan="3" class="error"><% if msg<>"" then response.Write(msg)%></td>
    </tr>
</table>
  <table align="center" width=247 class="tbl">
    <!--DWLayoutTable-->
    <tr>
      <td height="21" colspan="4" valign="top" background="images/backbar3.gif"  class="boxtitle"><font color="#00FF33">
          <div align="center"><b><font color="#0000FF">Login</font></b></div>
        </font></td>
    </tr>
    <tr>
      <td width="62" height="21">&nbsp;</td>
      <td width="22">&nbsp;</td>
      <td width="122">&nbsp;</td>
      <td width="13"></td>
    </tr>
    <tr>
      <td height="21" valign="top">Username</td>
      <td colspan="2" rowspan="2" valign="top"> <input name="username" type="text" class="txt1" value="<%=request("username")%>">
      </td>
      <td>&nbsp;</td>
    </tr>
    <tr>
      <td height="1"></td>
      <td></td>
    </tr>
    <tr>
      <td height="24" valign="top">Password</td>
      <td colspan="2" valign="top"> <input  class="txt1" type="password"  name="password">
      </td>
      <td>&nbsp;</td>
    </tr>
    <tr>
      <td height="21">&nbsp;</td>
      <td>&nbsp;</td>
      <td>&nbsp;</td>
      <td>&nbsp;</td>
    </tr>
    <tr>
      <td height="26">&nbsp;</td>
      <td>&nbsp;</td>
      <td valign="top"><input class="but1" type="submit" name="Submit" value="Login">
        <input type="hidden" name="flag" value="3"></td>
      <td>&nbsp;</td>
    </tr>
  </table>
</form>
<% end if %>
<br>
</div>
</body>
</html>

1 solution

Reading down your code, as soon as I got to this line warning bells went off:
sql="Select * from adminuserdata where username='" & username & "'"
You have left your code wide open to a SQL injection attack here. If I were you, I would read through some articles on Google on SQL injection attacks, and see how they can be used here to blow your permissions wide open.
 
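The fix for the line the answer points at, written out as an added example (this is not the original poster's code and not part of the answer): the username is bound as a parameter of an ADODB.Command instead of being concatenated into the SQL text, so quote characters, comment markers or an injected OR clause in the submitted value are matched literally by the database and never parsed as SQL. Assumed from the question: Conn is the open ADODB.Connection produced by OpenDataBase, the adminuserdata table has userid/username/password columns, and encodeString and addlog are the existing helpers from common.asp. The parameter size of 50 and the parameter name are assumptions of this example.

```asp
<%
' Added example (not the original poster's code). Numeric values are the
' standard ADO enumerations, written inline so they do not clash with an
' included adovbs.inc: adCmdText = 1, adVarChar = 200, adParamInput = 1.

' Look up one admin row by username. Returns a forward-only recordset that is
' at EOF when no such user exists.
Function FindAdminUser(Conn, username)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = 1   ' adCmdText
    ' Only the columns the login needs; "SELECT *" would also hand the password
    ' column to whatever the caller later copies into session state.
    cmd.CommandText = "SELECT userid, username, password FROM adminuserdata WHERE username = ?"
    ' The value travels to the driver separately from the statement text, so it
    ' is compared as data. Size 50 (assumed here) must be >= the column width.
    cmd.Parameters.Append cmd.CreateParameter("@username", 200, 1, 50, username)   ' adVarChar, adParamInput
    Set FindAdminUser = cmd.Execute
End Function

' Authenticate one admin; returns the userid on success, Empty on failure.
Function AuthenticateAdmin(Conn, username, password)
    Dim rs
    AuthenticateAdmin = Empty
    If Len(username) = 0 Or Len(password) = 0 Then Exit Function
    Set rs = FindAdminUser(Conn, username)
    If Not rs.EOF Then
        ' Same comparison rule as the question (encodeString on both sides),
        ' kept as-is because that helper lives in common.asp.
        If encodeString(rs("password")) = encodeString(password) Then
            AuthenticateAdmin = rs("userid")
        End If
    End If
    rs.Close
End Function

' Use in place of the inline query. Request.Form reads only the POSTed fields,
' where the original Request("...") also accepts query-string and cookie values.
Dim uid
uid = AuthenticateAdmin(Conn, Request.Form("username"), Request.Form("password"))
If Not IsEmpty(uid) Then
    Session.Contents.RemoveAll()
    Session("adminuserid") = uid
    Session("admin") = "1"
    Response.Redirect "menu_home.asp"
Else
    ' Record the outcome and the username only; the submitted password never
    ' goes into the log.
    addlog "Failed admin login for username: " & Request.Form("username")
End If
%>
```

Two further points visible in the posted code are worth checking once the query is parameterised: the failure branch writes the submitted password into the log in clear text, and the success branch copies every column of the row, including the stored password, into the session. Both are avoided in the example above by logging only the username and by keeping just userid in the session. If encodeString is a reversible encoding rather than a salted password hash, replacing it is the next step; the denylist checks on specific strings such as `'` or `<XSS>` do not prevent injection and can be dropped once the query is parameterised.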
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


