Quick message book v10.09 official version Upload Vulnerability and Cookie Spoofing Vulnerability

Upload Vulnerability:
Vulnerability page:/up/add. asp

Method of exploits: add a vulnerability page address after the message book, for example, http: // localhost/up/add. asp,

Attackers can exploit the parsing vulnerability of iis6.0 to construct an image trojan named x.asp;.jpg. Upload directly. Obtain webshell,
For webshell address: The default value is/up/previusfile/07020.(upload the large and small file _(file name ).gif
Example of the complete webshell address: http: // localhost/up/PreviousFile/0701_28_x.asp;.jpg
Some message books are disabled at the front end. But the uploaded page. It can still be opened. It does not prevent us from transmitting webshells. "0701" in the webshell address is configured in the configuration file. In general. Not many people will change it. If yes. You can upload it. Return to the homepage. View the address.
Cookie spoofing vulnerability:
Vulnerability page:/up/admin_main.asp,/up/admin_list.asp
Cookie verification is used in the code. As a result, you can enter the management background and set the upload type.
Finally, the Webshell is uploaded. The vulnerability code is as follows:
<% If request. cookies ("picc") ("picc2") <> "" then %>
<P align = "center"> </P>
<P align = "center">
<%
Dim Msg
If Request. QueryString ("Action") = "Save" Then SaveData
Sub SaveData ()
MyConn.exe cute ("update Config set OKAr = '" & Request. Form ("ftype") & "', OKsize =" & Request. Form ("fsize "))
Msg = "the file data information has been modified successfully"
End Sub
If msg <> "Then
Response. write ("<meta http-equiv = refresh content = '2; URL = admin_main.asp '> "& Msg &" <br> <a href = admin_main.asp> click here to return </a> ")
Response. End ()
End If
%> </P>
How to use it. Let's think about it by yourself. I think it should be difficult.