Set sail communication corporate website CMS system v1. 1 0day-vulnerability warning-the black bar safety net

2011-07-25T00:00:00
ID MYHACK58:62201131341
Type myhack58
Reporter 佚名
Modified 2011-07-25T00:00:00

Description

This is a broken system, take home the source the horse change it that is their own, also charges

Garbage system, but also on the source the horse is encrypted.

Vulnerability is a heap of

Background login authentication file:

<!--# include file="conn. asp" - >

<!--# include file="../class/Config. asp" - >

<!--# include file="inc/md5. asp" - >

<!--# include file="../class/Ubbsql. asp" - >

<%

dim sql,rs

dim username,password,CheckCode

username=replace(trim(request("username")),"'","")

password=replace(trim(Request("password")),"'","")

CheckCode=replace(trim(Request("CheckCode")),"'","")

The above loading of the page actually did load the anti-injection. And receives the parameters actually used request. And there is no limit, the various injection together.

2, The front page of the presence of the injection

%owen=request("id")%>

<%

id=cstr(request("id"))

Set rsnews=Server. CreateObject("ADODB. RecordSet")

sql="update news set hits=hits+1 where id="&id

conn. execute sql

You can use the injected transit. Other pages I haven't looked.

Next look at the background to take the shell of vulnerability.

1, upload vulnerability,can have a bright kid uploaded.

2, The database backup,didn't do any restrictions. Uploaded pictures of horses, and then make a backup

3, web configuration, can be inserted into a closed formula a sentence to get the shell

For such a business Station。。。。 I'm speechless. it.