Discuss this post with the author here: http://bbs.2cto.com/read.php?tid=90757 (code by Link)
Web site: www.link0day.cn
Reprinted by the Red-Black Alliance; please credit www.2cto.com when reprinting.
Please keep the text above when reprinting. Thanks ~ I've been lazy for a while recently. I went through several source packages and found several vulnerabilities that I never published, purely out of laziness. First I set up an environment to test whether the message board has a cross-site scripting (XSS) hole. gogo_add_guest_db.asp:
' Only empty-field checks; nothing is escaped or filtered before the insert.
If trim(request("title")) = "" then
    Response.write "<script language=JavaScript>" & chr(13) & "alert('The topic cannot be blank!');" & "history.back()" & "</script>"
    Response.End
End if
If trim(request("content")) = "" then
    Response.write "<script language=JavaScript>" & chr(13) & "alert('The content cannot be blank!');" & "history.back()" & "</script>"
    Response.End
End if
If trim(request("username")) = "" then
    Response.write "<script language=JavaScript>" & chr(13) & "alert('The name cannot be blank!');" & "history.back()" & "</script>"
    Response.End
End if
It looks like there is no filtering at all... but during the test a window pops up: "The data you submitted contains sensitive information. For security reasons, modify the data and submit it again! Sensitive string: <script>". That is because this file includes conn.asp. Let's go over there and have a look.. it makes me laugh..:
<%
' The following line is the illegal-character filter list; adjust it as needed.
' The list starts with the single quote; "<script>" is the only HTML token in it.
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|<script>"
SQL_inj = split(SQL_injdata, "|")
' Check every GET parameter. instr() without a compare argument is a binary (case-sensitive) match.
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To Ubound(SQL_inj)
            If instr(Request.QueryString(SQL_Get), SQL_Inj(SQL_Data)) > 0 Then
                Response.Write "<Script Language=JavaScript>alert(" & chr(34) & "The data you submitted contains sensitive information. For security reasons, modify the data and submit it again! Sensitive string: " & SQL_Inj(SQL_Data) & chr(34) & ");history.back(-1)</Script>"
                Response.end
            End if
        Next
    Next
End If
' Check every POST parameter. Note that Request.Cookies is never looked at.
If Request.Form <> "" Then
    For Each SQL_Post In Request.Form
        For SQL_Data = 0 To Ubound(SQL_inj)
            If instr(Request.Form(SQL_Post), SQL_Inj(SQL_Data)) > 0 Then
                Response.Write "<Script Language=JavaScript>alert(" & chr(34) & "The data you submitted contains sensitive information. For security reasons, modify the data and submit it again! Sensitive string: " & SQL_Inj(SQL_Data) & chr(34) & ");history.back(-1)</Script>"
                Response.end
            End if
        Next
    Next
End if
Set rs = server.createobject("adodb.recordset")
Conn = "DBQ=" & server.mappath("db/db.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
%>

Weak.. So the cross-site attack succeeds: since this anti-injection file only checks for the literal <script>, we can simply submit: </img>.. You may think XSS is useless.. I thought so for a while too, until I read an article by Sakura prodigal son. Once you've used XSS to get into the backend and drop a WEBSHELL, you'll see what XSS can really do ~
Besides, there's more than one thing to gain from this anti-injection file. Did you spot it? There is no request.cookies.. That's right.. cookie injection.. The programmer was far too confident in his anti-injection defence: basically every file takes its input through request("xxx").. In other words, the whole site is wide open. There are both search-type and signature-type injection points.. Cookie injection is a hassle, though.. There are actually several more file vulnerabilities that I won't publish; the boss said to hold some back.. Holes like those are the real 0-day.
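To make the two bypasses above concrete, here is an added example of my own (not the site's code and not the author's): a small Python model of the conn.asp filter and of the classic-ASP Request object. It relies on two things visible in the code above plus one documented ASP behaviour: the filter walks only Request.QueryString and Request.Form; it matches the literal token "<script>" with InStr(), which without a compare argument is a binary, case-sensitive comparison; and Request("name") with no collection given searches QueryString, then Form, then Cookies. The blacklist is copied from conn.asp; the request data, the payloads and the table name "admin" are constructed for the demonstration.

```python
"""Added example (not the site's code): a model of the conn.asp anti-injection
filter and of ASP's Request("name") lookup, showing why the guestbook XSS and a
cookie-borne injection get past it.

Assumptions (documented ASP behaviour, not taken from the page):
  * Request("name") searches QueryString, then Form, then Cookies.
  * VBScript InStr() with no compare argument is a binary (case-sensitive) match.
"""

# Blacklist as it appears in conn.asp (first entry is the single quote).
SQL_INJDATA = ("'|and|exec|insert|select|delete|update|count|*|%|chr|mid"
               "|master|truncate|char|declare|<script>")
SQL_INJ = SQL_INJDATA.split("|")


class Request:
    """Stand-in for the ASP Request object (constructed for this example).

    Request("name") returns the first match from QueryString, Form, then
    Cookies. ASP also falls through to ClientCertificate and ServerVariables;
    those are omitted because the page never uses them.
    """

    def __init__(self, query_string=None, form=None, cookies=None):
        self.query_string = dict(query_string or {})
        self.form = dict(form or {})
        self.cookies = dict(cookies or {})

    def __call__(self, name):
        for collection in (self.query_string, self.form, self.cookies):
            if name in collection:
                return collection[name]
        return ""


def anti_injection(req):
    """Mirror the two loops in conn.asp.

    Returns the blacklist token that would trigger the alert/history.back(),
    or None when the request is let through. Only QueryString and Form are
    inspected, and `in` is a case-sensitive substring test like InStr().
    """
    for collection in (req.query_string, req.form):
        for value in collection.values():
            for token in SQL_INJ:
                if token in value:
                    return token
    return None


def serve(req, *names):
    """Emulate any page on the site: include conn.asp, then read each
    parameter with Request(name). Returns what the page ends up using."""
    blocked = anti_injection(req)
    if blocked is not None:
        return {"blocked_by": blocked}
    return {name: req(name) for name in names}


def demo():
    """Constructed requests against the guestbook and against a page reading id."""
    guest = ("title", "content", "username")
    results = {}
    # 1. The one thing the filter does catch: a literal lowercase <script> tag.
    results["script_tag"] = serve(Request(form={
        "title": "hi", "content": "<script>alert(1)</script>", "username": "a"}), *guest)
    # 2. Any other tag with an event handler is passed through unchanged.
    results["img_tag"] = serve(Request(form={
        "title": "hi", "content": "<img src=x onerror=alert(1)>", "username": "a"}), *guest)
    # 3. InStr is case-sensitive, so even <SCRIPT> is not matched.
    results["upper_script"] = serve(Request(form={
        "title": "hi", "content": "<SCRIPT>alert(1)</SCRIPT>", "username": "a"}), *guest)
    # 4. Cookie injection: the same payload is blocked in the query string ...
    payload = "1 and 1=2 union select 1,2,3 from admin"
    results["id_in_query"] = serve(Request(query_string={"id": payload}), "id")
    # ... but reaches Request("id") untouched when sent as a cookie with an
    # empty query string and form, because both filter loops are skipped.
    results["id_in_cookie"] = serve(Request(cookies={"id": payload}), "id")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```

Cases 2 and 3 show why a blacklist of one literal token is no XSS defence at all; case 4 is the cookie-injection point made above, where the only thing standing between the cookie value and the query is that the filter never asked for Request.Cookies. The fix on the real site is not a longer blacklist but HTML-encoding on output and parameterised queries, with every page reading from the specific collection it expects (Request.Form or Request.QueryString) instead of the bare Request("xxx").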