N-point virtual host management system-fatal vulnerability. Pass to kill all versions-bug warning-the black bar safety net

ID MYHACK58:62201027940
Type myhack58
Reporter 佚名
Modified 2010-09-26T00:00:00


This is N fatal vulnerability directly get Server Permissions. Because directly related to MYSQL, MSSQL SA and ROOT but encrypted in a way I also see in his encryption code. A bit confused that... I looked online also with no N-point virtual host management system of one aspect of the ODAY or the like. not out.. Like all my test write good release. 3057C0DB854C878E72756088058775 this is the admin of encryption 3 0 bits should be the CFS


This vulnerability I found already a long time since the time is relatively busy there has been no release of.. As relates to the server more I will not publish how to get a background PSW.。。。。 First, the analysis under the sitehost. asp his fatal vulnerability of the page where the

<!--# include file="sessioncolck. asp" - > <!--# include file="pagesession/CS1. asp" - > <!--# include file="../inc/conn. asp" - > <!--# include file="../inc/char. asp" - > <!--# include file="../inc/function. asp" - > <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312" /> <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" /> <title>Powered By npoint</title> <link href="../css/style. css" rel="stylesheet" type="text/css" /> <script src="../js/ajax_x.js" type="text/javascript"></script> <script src="../js/alt.js" type="text/javascript"></script> </head> <body> <% rs. open "Select * from hostcs",conn,1,1 ftpsoft=rs("ftpsoft") 'FTP software hostdomain=rs("hostdomain") 'giving away the domain name diskpe=rs("diskpe") 'disk quotas ftpid=rs("ftpid") 'IISFTP identifier doc=rs("doc") 'default document servupath=rs("servupath") 'Serv-u/Gene6 installation path servuid=rs("servuid") 'Serv-U 7. X-ID number servudomain=rs("servudomain") 'Serv-u7. x/Gene6 domain name webpage=rs("webpage") 'open the Welcome page appsitenum=rs("appsitenum") 'more than how much the website is automatically created application pool yncreateapploop=rs("yncreateapploop") 'whether to automatically create the app pool dcapppool=rs("dcapppool") 'current is created automatically after the app pool appbtitle=rs("appbtitle") 'auto-create app pool header rs. close set iishost=server. createobject("npoint. host") 'load the Assembly if request. QueryString("action")="kshost" then 'Rebel off the input domain is legitimate or with the WWW if trim(request. form("domain"))<>"" then if ubound(split(trim(request. form("domain")),"."))& lt;1 then call ErrMsgBox("operation failed.\ n\n1. The binding domain is not legitimate,please replace") response. End() else if LCase(split(trim(request. form("domain")),".") (0))="www" then call ErrMsgBox("operation failed.\ n\n1. The binding domain does not include www,please replace") response. End() end if end if end if 'Rebel off FTP account is legitimate chkftp=chk_ftpuser(trim(request. form("FTPuser"))) if chkftp<>"1" then call ErrMsgBox(chkftp) response. End() end if 'Rebel off whether the domain name exists if trim(request. form("domain"))<>"" then rs. open "Select host_domain,todomain from sitehost",conn,1,1 if rs. bof and rs. eof then rs. close else for i=1 to rs. recordcount if rs("host_domain")="" then H_D="" else H_D=rs("host_domain") & "" end if if rs("todomain")="" then T_D="" else T_D=rs("todomain") & "" end if All_domain=All_domain & H_D & T_D rs. movenext next rs. close if All_domain<>"" then Fall_domain=split(mid(All_domain,1,len(All_domain)-1),"") for s=0 to ubound(Fall_domain) if Fall_domain(s)=trim(request. form("domain")) or Fall_domain(s)="www."& amp;trim(request. form("domain")) then call ErrMsgBox("operation failed.\ n\n1. Bind the domain name already exists,please replace.") response. End() end if next end if end if end if 'Rebel off FTP account exists rs. open "Select FTPuser from sitehost where FTPuser='"&trim(request. form("FTPuser"))&"'",conn,1,1 if rs. bof and rs. eof then rs. close 'Set the site identifier ID number rs. open "Select * from sitehost order by id desc",conn,1,1 if rs. bof and rs. eof then ifid=2 'site identifier else ifid=rs("ID")+1 end if rs. close 'Calculate the expiration time sdate=date() 'open time if ubound(split(sdate,"-"))>1 then d_fgh="-"

[1] [2] [3] [4] [5] [6] [7] [8] next