Vulnerabilities in the Sitong government CMS management system

ID MYHACK58:62200924733
Type myhack58
Reporter Anonymous
Modified 2009-09-21T00:00:00


This article was published in the 2009.5 issue of Hack Defense; if you reproduce it, be sure to keep this notice.

A QQ friend (nickname "small building, listening to rain") told me their school's site runs the Sitong government website system and asked me to check its security. I had just finished the work at hand, so I searched Baidu and found a copy of the 4.0 version of the program that was reasonably complete. Later I found on the Sitong official site that there is a 6.0 version whose front-end interface is broadly similar in style to 4.0. Since I had no 6.0 source code at the time, I had to start from 4.0. Enough preamble; on to the main topic.


In the picture news search, test%' and 1=1 and '%'=' injects successfully. The search box has a length limit: <input name=txtitle type=Text id=txtitle size=20 maxlength=50 /> restricts the input to 50 characters. That limit is enforced only in the page itself, so building a local page and submitting from it is enough to get past it. A UNION query did not work for me here, so I fell back to guessing the values by ASCII code, which succeeded; the big drawback is that guessing this way costs time and effort.


In the admin directory I found the file Admin_BackData.asp, but nothing in the back end links to it; that is, the back-end menu has no such feature. Some may ask: if we enter http://localhost/sitong/admin/Admin_BackData.asp in the address bar, won't we see the backup page? I thought so too at first, but that is wrong, because the head of Admin_BackData.asp includes admin_function.asp.

The code that blocks externally submitted requests:

Sorry, for system security, accessing the system admin page by entering its address directly is not allowed.</font></p>"

Sorry, for system security, accessing the system admin page from an external address is not allowed.</font></p>"

In the links section of the back end we find code like this:

Error message:\n\n① this site has been submitted');</script>")

The variable is written into the HTML at <a href="<%=rs("fl_url")%>" target="_blank"> without encoding, so its value can close the attribute. Entering Admin_BackData.asp" target="'zf11Sys_Main' in this field closes the HTML and successfully brings up the backup page, as shown in Figure 11.


Besides this, the backup page can also be brought up through ad management.
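The effect of writing fl_url into the href attribute without encoding, next to the encoded form, as an added example (not code from the article or from the CMS). Python stands in for the ASP template here; is_acceptable_link is a hypothetical input rule, and the markup is read back the way a browser reads it, keeping the first of duplicate attributes.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# fl_url value quoted in the article, as it would sit in the database.
CRAFTED = "Admin_BackData.asp\" target=\"'zf11Sys_Main'"

def render_raw(fl_url):
    # Mirrors <a href="<%=rs("fl_url")%>" target="_blank">: value written as-is.
    return '<a href="' + fl_url + '" target="_blank">link</a>'

def render_encoded(fl_url):
    # Same template with attribute encoding (Server.HTMLEncode plays this role in ASP).
    return '<a href="' + html.escape(fl_url, quote=True) + '" target="_blank">link</a>'

class _Anchor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                # Browsers keep the first of duplicate attributes.
                self.attrs.setdefault(name, value)

def effective_attrs(markup):
    # Attributes of the <a> element as an HTML parser sees them.
    parser = _Anchor()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def is_acceptable_link(fl_url):
    # Hypothetical input rule: absolute http(s) URL, no quotes, brackets or spaces.
    if any(c in fl_url for c in "\"'<> \t\r\n"):
        return False
    parts = urlsplit(fl_url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

if __name__ == "__main__":
    for render in (render_raw, render_encoded):
        print(render.__name__, effective_attrs(render(CRAFTED)))
    print("accepted at input:", is_acceptable_link(CRAFTED))
```

With the raw template the stored value supplies its own target attribute and the template's target="_blank" is ignored; with encoding the whole value stays inside href.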

Because with them it makes web development faster. The tools used in this article have been packaged. Their runtime platform is VS2005; otherwise they may be unstable. If you run into any problems, come and discuss them on the Hack Defense forum.