News website management system vulnerability

ID MYHACK58:62200924219
Type myhack58
Reporter Anonymous
Modified 2009-08-09T00:00:00


News website management system vulnerabilities

Author: xk8888888

This system has been around in various editions for N years and is used mostly by government, school and enterprise sites.

Characteristics: news is displayed at News_View.asp?NewsID= and the login page is login.asp?id=3. The main characteristic is that the site has an EDIT directory, and the database under it is db/#ewebeditor.asp. If a site matches the two characteristics above, you can be fairly sure it is this system.

Vulnerabilities: this system used to have a great many holes, but it has been improved. The main problems now are cookie injection and directory listing.

Rather than walk through the specific code, I'll go straight to how it is used.

First trick:

The old version has a cookie injection in the admin back end. Open the back-end login page directly, then enter the following in the address bar:

javascript:alert(document.cookie="adminuser="+escape("'or'='or'"));javascript:alert(document.cookie="adminpass="+escape("'or'='or'"));javascript:alert(document.cookie="admindj="+escape("1"));

This sets the user name and password to 'or'='or' (which needs no explanation) and also sets admindj to 1. After pressing Enter, browse directly to /management directory/admin_index.asp to get into the back end, which comes with a backup function. You have to find the management directory yourself; it is generally the same directory as LOGIN.ASP.

Second trick:

The filtering in the voting file is not strict: the xgnews parameter of js-xgxx.asp is not filtered. Those who are able can write a small dedicated tool, or use some other tool that injects with cookies, but the key and some other parameters are fixed, so the effect may be small. (I just wrote this for fun; experts, please don't laugh.) With this you can directly obtain the administrator's user name and the MD5 of the password. With the MD5 you can try to crack it; if it cannot be cracked, change the code above to:

javascript:alert(document.cookie="adminuser="+escape("username"));javascript:alert(document.cookie="adminpass="+escape("password md5 value"));javascript:alert(document.cookie="admindj="+escape("1"));

After confirming, you go straight into the back end.

Third trick:

If the above still doesn't work, then see...... It is still a cookie problem. Some versions filter the ' character in cookies, so our universal password does not work and cookie injection against the asp file is out, but admindj=1 still works. After you have entered the code above, if you can't get into the back end, access /edit/admin_uploadfile.asp?id=14&dir=.. instead. This is the eWebEditor directory listing vulnerability: you only need to change the value after dir= to see the directory you want, such as dir=..\.. or dir=..\..\.. You may find some of its database backups or other files.
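A defender-side check for the request patterns the three tricks leave behind, added here as an example and not part of the original advisory: it flags quote characters in the adminuser/adminpass cookies, parent-directory references in the dir parameter of admin_uploadfile.asp, and unexpected characters in the xgnews parameter of js-xgxx.asp. The tab-separated record layout, the ADMIN_DIR placeholder, the sample records and the rule that legitimate xgnews values are alphanumeric are all assumptions; on IIS the Cookie header is only logged if the optional cs(Cookie) field is enabled.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample records, tab-separated: method, URI, Cookie header.
# ADMIN_DIR is a placeholder for the site's management directory.
SAMPLE_LOG = """\
GET\t/News_View.asp?NewsID=12\t-
GET\t/ADMIN_DIR/admin_index.asp\tadminuser=%27or%27%3D%27or%27; adminpass=%27or%27%3D%27or%27; admindj=1
GET\t/edit/admin_uploadfile.asp?id=14&dir=..%5C..\tadmindj=1
GET\t/edit/admin_uploadfile.asp?id=14&dir=upload\tadminuser=editor; adminpass=0123456789abcdef; admindj=1
GET\t/js-xgxx.asp?xgnews=5%20and%201%3D1\t-
"""


def parse_cookies(header):
    """Split a Cookie header into a dict of URL-decoded values."""
    cookies = {}
    if header and header != "-":
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            cookies[name.lower()] = unquote(value)
    return cookies


def check_record(line):
    """Return the findings for one log record (empty list if clean)."""
    _method, uri, cookie_header = line.split("\t")
    url = urlsplit(uri)
    page = url.path.rsplit("/", 1)[-1].lower()
    query = {k.lower(): v for k, v in parse_qs(url.query).items()}
    cookies = parse_cookies(cookie_header)
    findings = []
    # Tricks 1 and 2: SQL quote characters carried in the admin cookies.
    for name in ("adminuser", "adminpass"):
        if "'" in cookies.get(name, ""):
            findings.append(f"quote in {name} cookie")
    # Trick 3: dir= walking out of the upload directory (also double-encoded).
    if page == "admin_uploadfile.asp":
        if any(".." in unquote(v) for v in query.get("dir", [])):
            findings.append("parent-directory reference in dir")
    # Trick 2: assumption - legitimate xgnews values are plain alphanumerics.
    if page == "js-xgxx.asp":
        if any(not v.isalnum() for v in query.get("xgnews", [])):
            findings.append("unexpected characters in xgnews")
    return findings


def scan(log_text):
    """Map 1-based record numbers to their findings."""
    hits = {n: check_record(l) for n, l in enumerate(log_text.splitlines(), 1)}
    return {n: f for n, f in hits.items() if f}
```

Calling scan(SAMPLE_LOG) reports records 2, 3 and 5. Because the application trusts admindj=1 from the cookie itself, log review only detects use of the flaw; the fix is server-side session state for the admin check and parameterised queries.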